The UK’s new Data Legislation – what does it mean for the life science sector?

The Data (Use and Access) Act became law last week – but what does it mean for the life science sector? Fredericka Argent, Paul Maynard, and Tom Griffiths from Covington and Burling’s technology regulatory team explain all in this blog.
What are the UK’s plans to reform data protection law?
After an extended period of legislative back and forth, the Data (Use and Access) Bill has now received Royal Assent, becoming the Data (Use and Access) Act (we will therefore refer to it as the “Act” in this blog). The Act addresses various matters related to the use of data, and will, to an extent, distinguish the UK’s approach to data protection from that set out in the EU’s General Data Protection Regulation (“GDPR”). The European Commission will, therefore, assess whether these changes warrant stripping the UK of its adequacy status for data transfers, with a decision due by 27 December 2025. While the Commission is unlikely to withdraw its finding of adequacy, it is possible that a challenge to this finding could be brought before the Court of Justice of the EU, which could reach a different conclusion.
In summary, the Act is not a complete overhaul of data protection law in the UK; instead, it is more a package of targeted amendments. Of the changes most relevant to biotechs, the most significant is the more permissive regime for the use of personal data for scientific research, although companies must still meet a number of requirements to fall within scope. More significant changes may take place in the future, as key parts of the Act enable the UK Government to pass secondary legislation in areas that may be relevant to biotechs.
A more permissive approach to “scientific research”
The Act defines “scientific research” as “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity” (s. 67(2)). It also expressly states that processing of personal data for scientific research encompasses “processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific,” while noting that “processing for the purposes of a study in the area of public health that can reasonably be described as scientific” will only fall within the scope of “scientific research” where “the study is conducted in the public interest” (s. 67(3)).
This definition broadly tracks the language of Recital 159 UK GDPR, but gives it the force of law (rather than being interpretative guidance in a recital) and explicitly states that scientific research can be “carried out as a commercial or non-commercial activity”. This language represents a divergence from the EU regime, which the European Data Protection Supervisor (“EDPS”) has indicated only covers research that “is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests.”1
In addition, the Act:
- Allows data controllers to obtain valid consent for the processing of personal data for a broad area of “scientific research” even if, at the time the personal data is collected, it is not possible to identify the specific purposes for which the personal data will later be processed (s. 68). Reliance on such a consent must also be “consistent with generally recognised ethical standards relevant to the area of research.” This puts the existing language in Recital 33 UK GDPR on a statutory footing.
- Establishes, consistent with Article 89 of the UK GDPR, the circumstances in which there will be “appropriate safeguards” in place for the processing of personal data for scientific research purposes (s. 86). Among other things, this requires that data used for scientific research is pseudonymized unless the purpose of the research could not be achieved without identifiable data. It requires that data is not used to make decisions about an individual except in the context of approved medical research. It also grants the UK Government the power to make regulations specifying when the requirement for “appropriate safeguards” will be met.
- States that processing that falls within scope of section 86 (described above) will—for the purposes of Article 6(4) UK GDPR—be “compatible” with any purposes for which data was originally collected (s. 71). In other words, processing for scientific research purposes that is subject to appropriate safeguards under the Act will be presumed to be lawful. In addition, in this case, controllers will not be required to proactively provide transparency information to data subjects provided certain conditions are met (s. 77). This may reduce the regulatory burden on companies carrying out this sort of research.
Potential future impacts on the use of NHS data
The Act also creates a framework for the Secretary of State or NHS England to publish standards applicable to IT services used (or intended for use) in the provision of health care (including adult social care) in England (s. 121 and Schedule 15). These standards could include requirements on interoperability, functionality, and data access and storage. The purpose of this framework is to standardise information storage in the NHS in England. This is a welcome change for the sector, which often has to grapple with unstandardised health data.
What is the new data access regime?
The Act creates a further framework that allows the Secretary of State or the Treasury to pass secondary legislation that requires “data holders” (i.e., traders or any person who processes “customer data” or “business data”) to:
- provide customers (or third-party recipients appointed by those customers) with access to “customer data” on their request; and
- publish “business data” and provide “business data” to customers or to third-party recipients.
It remains to be seen what form any new data access regime will take, and whether (or how) this will be relevant to the biotech industry—the Government’s focus appears to be on the financial services sector at present.
In summary, there are some welcome clarifications in the Act which should make conducting research with personal data more straightforward. In addition, if implemented well, a standards framework for NHS data could improve the use of NHS data in the sector.
Find out more about the BIA’s data access policy. More content from the Covington team is available through its Inside Privacy and Inside Global Tech blogs.
1. EDPS, A Preliminary Opinion on data protection and scientific research (6 January 2020), p. 12.