Profiling and automated decision making under GDPR
In preparation for the General Data Protection Regulation coming into force on 25 May 2018, the ICO is assessing the GDPR’s key themes to help organisations understand the new legal framework. Profiling is one area in the GDPR the ICO has prioritised for guidance.
PHG Foundation has submitted a response on profiling and automated decision-making provisions in the General Data Protection Regulation (GDPR) to the Information Commissioner’s Office (ICO).
In our response, we contrast two scenarios in which automated processing could have important health applications: risk-stratification for screening for disease or infectious disease surveillance, and the use of patient- or citizen-held devices to monitor or improve the health of an individual. Although we recognise that a requirement for individual consent is appropriate in many situations to safeguard individual rights, in the first scenario this requirement could result in some groups being systematically excluded from screening and lead to inequitable access to the health benefits that risk-stratification offers, especially in some public health applications, such as tackling infectious diseases.
In contrast, we accept that the use of automated decision-making in patient- or citizen-held devices, which are used to monitor or improve the health of an individual, should usually require the consent of the data subject to be obtained. In our response, we outline recommendations for how these consent processes should be approached.
The responses obtained by the ICO on the new profiling provisions will help inform the shape and extent of UK legislation and guidance to support the GDPR.