The decision to roll out Care.data and the proposal to launch 'accredited safe havens' across the UK give compelling reasons to support the EU's strengthening of the data protection regime.
Following the announcement that Care.data will be rolled out across England, a further, even more significant development is the proposal to launch ‘accredited safe havens’ (Ash). In a defining moment for the governance of personal information, ‘accredited safe havens’ will render obsolete the need to seek approval from the Secretary of State for Health and, in the case of medical research, from a research ethics committee or the Health Research Authority. This will make personal identifiable information easily accessible without a person’s consent and for purposes ‘other than direct care’.
Circumventing the legal instruments that have been germane to information governance hitherto, such as the Human Rights Act (1998) and the Common Law Duty of Confidentiality, ‘safe havens’ make an already permissive information governance regime even more congenial to Government and private sector interests. An example of an ‘Ash’ is the Health and Social Care Information Centre (HSCIC), through which Care.data will be shared. Although the Department of Health (DoH) has claimed that Ash is only intended to provide access to records that have been stripped of personal details, elsewhere the DoH affirms that ‘safe havens’ will provide access to information from personal care records which ‘could be used to identify an individual.’
This further weakening of privacy law is discordant with reforms to the EU data protection regime that are currently underway. In effect, the proposed EU regulation will replace the existing Data Protection Directive (1995), and will be directly applicable in member states without the need for implementing legislation. Following a European Parliament vote earlier this year, substantive amendments to EU privacy law are now irreversible. And, as for the direction of travel, it is clear that the rights of data subjects will be strengthened. Article 7 of the proposed regulation is of particular salience: it stipulates that for consent to be valid the data subject must give explicit consent.
Clearly, there are deep tensions between the expected fortification of EU privacy law and the UK’s agenda, the main focus of which is economic growth. The latter, given the controversies surrounding Care.data, affirms the need for a renewed discussion about the kind of considerations that should hold sway in the domain of information governance. Indeed, the EU is approaching the matter in the right way by attempting to answer this question through democratic means.
As the EU’s ‘hostile reforms’ require that any disclosure of identifiable information secures a person’s “specific, informed and explicit consent”, their impact would be felt on the well-documented sharing of personal, identifiable medical data with Bupa, a private insurer, and, once established, the regional ‘accredited safe havens’. The Government has been doing its best to undermine these changes. However, EU data protection reform would also have substantial consequences for Care.data and the 100,000 Genome Project. Indeed, the Secretary of State for Health recently confirmed that Care.data will be linked with the 100,000 whole-sequenced genomes. This fits with the Government's apparent plans to make the UK into a world leader in the biosciences, and, ultimately, integrate personalised medicine into mainstream healthcare.
A Freedom of Information disclosure by the DoH to EthicsandGenetics reveals that, when the 100,000 Genome Project “concludes in 2017, there will be sufficiently robust genomics infrastructure in place to ensure that genomic medicine will be carried out routinely in the NHS.” So the spectre of personalised medicine looks to come sooner. And so, too, will the commercialisation of whole-sequenced genomes, connected to Care.data, and their storage in ‘accredited safe havens’. Indeed, as Genomics England will own the 100,000 whole-sequenced genomes, once these data are stored in safe havens the public will have little control over the purposes for which such data are used.
The body tasked with providing ethical guidelines in the 100,000 Genome Project, the Ethics Advisory Group, stated that the project has the “potential to bring real benefits to individual patients and their families, to the NHS more broadly, and to the UK economy.” Further, NHS England has claimed that the “research opportunities and mainstream use of genomic medicine across the NHS also has a major contribution to make to wealth creation and economic growth in this country.” It seems that, if even the Ethics Advisory Group has the economic benefits of commercialising genetic data as a central concern, we can expect a tug-of-war between the UK and the EU over what kind of considerations should have primacy in the governance of highly sensitive, personal information.
As we know, Government, ‘big pharma’ and the higher echelons of the private sector have deeply interwoven interests. And with Google looking to become a player in personalised medicine, and 23andMe, the Google-backed and much-maligned DNA analysis company, intent on selling its products in new markets, maybe there is good reason to support, rather than undermine, the EU’s data protection reforms.