UK Data Reform: Simplified Rules for Responsible Data Sharing

U.K. Data Protection Reform: A Consultation on Divergence

The United Kingdom government has initiated a consultation regarding revisions to its national data protection framework. This move comes as the nation assesses its regulatory path post-Brexit, considering how to deviate from established European Union regulations.

A Year Since the National Data Strategy

This announcement arrives one year following the publication of the U.K.’s national data strategy. That strategy articulated a desire for data sharing practices mirroring those observed during the pandemic to become standard practice across Britain.

Reform of the Information Commissioner’s Office

The Department for Digital, Culture, Media and Sport (DCMS) has previewed an upcoming reform of the Information Commissioner’s Office (ICO). The intention is to expand the ICO’s responsibilities to actively support sectors and businesses that utilize personal data in innovative and responsible ways, ultimately benefiting individuals.

Simplified regulations are also proposed to encourage data utilization for research endeavors that contribute to improvements in people’s lives, particularly within healthcare.

Governance Structure Changes

A new organizational structure for the regulator is also under consideration. This includes establishing an independent board and appointing a chief executive for the ICO. This proposed structure mirrors the governance models of other regulatory bodies like the Competition and Markets Authority, the Financial Conduct Authority, and Ofcom.

Addressing Algorithmic Bias

The data reform consultation will also explore methods to mitigate the risks associated with algorithmic bias. This issue is already being addressed by the EU, which has proposed a risk-based framework for regulating applications of artificial intelligence.

Failure to comprehensively address AI’s impact could leave the U.K. lagging behind in regulatory development, focusing narrowly on bias mitigation rather than the broader implications of AI on citizens’ lives.

Beneficial Data Sharing Examples

DCMS highlighted a partnership between Moorfields Eye Hospital and the University College London Institute of Ophthalmology as an example of the beneficial data sharing they aim to foster. Researchers reported that their AI system demonstrated greater accuracy in predicting the onset of wet age-related macular degeneration compared to clinicians.

Past Data Sharing Controversies

The partnership also involved DeepMind (owned by Google) and subsequently Google Health. However, the government’s public relations materials omit any mention of the tech giant’s participation. This is noteworthy considering DeepMind’s involvement in a previous U.K. patient data-sharing scandal.

In 2017, the Royal Free NHS Trust was sanctioned by the ICO for improperly sharing patient data with the Google-owned company during the development of a clinical support application, which Google is now discontinuing.

Concerns About Commercial Access to Medical Records

DCMS may be deliberately avoiding highlighting that its data reform goals – namely, removing obstacles to responsible data use – could potentially facilitate easier access to U.K. citizens’ medical records by commercial entities like Google.

Public Reaction to Data Access Attempts

The significant public opposition to the government’s recent attempt to access NHS users’ medical records for vaguely defined “research” purposes (the “General Practice Data for Planning and Research” scheme) suggests that a government-sanctioned free flow of health data may not resonate well with the U.K. electorate.

Framing Health Data Sharing

DCMS characterizes the data reforms as providing “clarity around the rules for the use of personal data for research purposes,” laying the foundation for further scientific and medical advancements. This framing attempts to address sensitive concerns surrounding health data sharing.

Balancing Security, Innovation, and Privacy

The government also emphasizes reinforcing the responsibility of businesses to safeguard personal information, while simultaneously empowering them to grow and innovate. This suggests a commitment to data security, but raises questions about individual privacy and control over personal data.

The government indicates that these considerations will be weighed against economic interests, particularly the U.K.’s ability to engage in data-driven research and secure trade agreements with countries that may not adhere to the U.K.’s current high data protection standards.

Populist Messaging and Nuisance Communications

The discussion also includes populist elements, with DCMS advocating for a data regime “based on common sense, not box ticking.” Plans to strengthen penalties for nuisance calls and text messages are also highlighted, appealing to a common frustration among citizens.

However, focusing on spam messages and nuisance calls appears relatively minor in the context of the broader concerns surrounding apps and data-driven mass surveillance, issues previously raised by the outgoing information commissioner.

Attacking Consent Requirements

Similar populist messaging has been used by ministers to criticize the need for obtaining internet users’ consent for tracking cookies. Digital Minister Oliver Dowden has suggested a desire to eliminate consent requirements for all but “high risk” purposes.

Reframing Data Rights

The government appears to be re-framing the concept of individual data rights – the ability to control how personal information is used – as irresponsible or even unpatriotic. DCMS promotes the idea that such rights hinder economic or generalized “social” goals.

No evidence has been presented to support this claim, nor has it been demonstrated that the U.K.’s current data protection regime impeded data sharing during the COVID-19 pandemic.

A Familiar Approach to Reform

The government is employing its characteristic “cake and eat it” approach, asserting that the reforms will both “protect” people’s data while simultaneously making it easier for citizens’ information to be shared with those who request it, provided they claim to be pursuing “innovation.” This is accompanied by pre-prepared quotes describing the plan as “bold” and “ambitious.”

Maintaining Standards or Building Upon Them?

While DCMS claims the reform will “maintain” the U.K.’s current world-leading data protection standards, it clarifies that the new regime will only “build on” a few broad “key elements” of the existing rules, including principles related to data processing, individual data rights, and enforcement mechanisms.

The Devil in the Details

The specific proposals are scheduled for publication tomorrow morning. (Update: The consultation document is now available on DCMS’ website and the consultation period runs until November 19.) Further analysis will be required to assess the accuracy of the government’s claims.

A Shift to Flexible Compliance

DCMS intends to move away from a “one-size-fits-all” approach to data protection compliance, allowing organizations to demonstrate compliance in ways that are more appropriate to their specific circumstances, while still maintaining a high standard of protection for citizens’ personal data.

Potential for Lowered Standards

This suggests that smaller data-mining operations – DCMS’s PR uses the example of a hairdresser, but many startups have fewer employees than a typical barber shop – may be granted leniency and allowed to disregard those ‘high standards’ in the future.

This raises concerns that the U.K.’s “high standards” may, under Dowden’s leadership, become increasingly compromised, resembling a Swiss Cheese.

Data protection: A framework for enablement, not restriction

John Edwards, the prospective U.K. Information Commissioner, currently serving as New Zealand’s privacy commissioner, recently addressed a parliamentary committee regarding his potential appointment.

Should his appointment be confirmed, Edwards will oversee the implementation of any revised data protection regulations established by the government.

During the questioning, he contested the idea that the existing U.K. data protection framework hinders data sharing, asserting that legislation such as GDPR should be viewed as a guide and a facilitator for innovation.

He explained to the committee chair that policymakers and organizations do not necessarily face a trade-off between data sharing and upholding data protection principles. Data protection regulations are essential precisely because information sharing is necessary; they represent complementary aspects of a single concept.

“The UK DPA and UK GDPR function as a ‘how to’ guide – not a ‘don’t do’ list,” Edwards stated. He highlighted the lessons learned during the COVID-19 pandemic, where rapid and seamless access to high-quality information across organizations was crucial. He acknowledged that data protection laws can sometimes create obstacles, but emphasized that solutions can be found when needed.

Edwards also indicated that modest adjustments to the current regulations could yield substantial economic benefits for the U.K., rather than requiring a complete overhaul. However, he clarified that defining the new regulations will not be his responsibility; his role will be to enforce the chosen framework.

“Even within the current legal structure, which closely resembles the UK GDPR, there’s potential to positively influence the U.K. economy by billions of pounds and create thousands of jobs,” he conveyed to the MPs. “We don’t need to discard the existing legislation entirely; there’s ample room for improvement.”

TechCrunch consulted Lilian Edwards, a professor of law, innovation, and society at Newcastle University, regarding the government’s proposed direction, as indicated by DCMS’ pre-publication communications. She voiced comparable concerns about the rationale behind the government’s desire to revise existing standards.

“The core principle of data protection is to strike a balance between fundamental rights and the free flow of data,” she explained. “Economic considerations have always been taken into account, and the current framework, in place since 1998, has achieved a reasonable equilibrium. The successful data practices during COVID-19 were fully compliant with existing rules, so this isn’t a justification for change.”

She also criticized the plan to restructure the ICO into an organization primarily focused on “driving economic growth,” noting the absence of any mention of privacy or fundamental rights in DCMS’ public statements. She argued that establishing a new regulator is unlikely to address the declining public trust.

Furthermore, she suggested the government is underestimating the potential economic repercussions if the EU deems the U.K.’s “reformed” standards no longer equivalent to its own. “[It’s] difficult to foresee much consideration for adequacy here, which will undoubtedly be reviewed to our disadvantage—potentially jeopardizing 43% of our trade for a few minor trade agreements and speculative sales of NHS data (again, likely to severely damage trust, as seen with the GDPR scandal).”

While acknowledging the importance of regulating algorithmic bias, she cautioned that the U.K. risks falling behind other jurisdictions that are adopting a more comprehensive approach to regulating artificial intelligence.

According to DCMS’ press release, the government intends to leverage the Centre for Data Ethics and Innovation (CDEI) in its policymaking efforts, with the body concentrating on “enabling trustworthy data and AI applications in real-world scenarios”. However, a new CDEI chair to succeed Roger Taylor has yet to be appointed, with only an interim appointment and new advisors announced recently.

“The global landscape of AI regulation has evolved since the CDEI’s initial work,” Edwards argued. “We now recognize that addressing the harmful effects of AI requires a holistic approach, encompassing various regulatory tools beyond data protection. The proposed EU AI Regulation, while not perfect, goes further in mandating higher-quality training data and more transparent system design. If the U.K. is serious about regulation, it must consider global models, but currently, its focus appears narrow, short-sighted, and populist.”

MedConfidential, a patient data privacy advocacy group that has frequently challenged the government’s data protection policies, also questioned DCMS’ continued reliance on the CDEI for shaping policy in this critical area, citing the biased algorithm exam grading scandal that occurred under Taylor’s leadership.

(Note: Taylor also served as the Ofqual chair, and his resignation from that position in December referenced a “difficult summer,” coinciding with his departure from the CDEI, which creates a notable void…)

“The leadership and culture of the CDEI resulted in the A-Levels algorithm debacle; why should the government have any confidence in their future pronouncements?” questioned Sam Smith of MedConfidential.