28 Jan 2022

techUK responds to Parliamentary Call for Evidence on The Right to Privacy: Digital Data

techUK’s response focuses on the importance of privacy for a trusted and innovative approach to data governance.

Read techUK's full response to this call for evidence here.

techUK has welcomed this call for evidence, which enters an already lively debate about how to best leverage the National Data Strategy (NDS) to enable the UK to become a global digital leader and maintain its reputation as a hub for research and development (R&D). The call for evidence is also timely, coinciding with Data Privacy Day 2022.

For the UK to get it’s approach to data governance right, we need to strike the right balance between delivering a pro-innovation environment for Government, the public sector and private sector, while ensuring the systems governing the responsible use of data remain trusted by citizens, organisations, and major international partners, including the European Union (EU).

This includes personal data, and the Select Committee has rightly identified the need to examine the DCMS consultation, Data: a new direction, and the NHSX’s draft data strategy, both of which set out ambitions plans to harness the potential of personal data. However, for these proposals to be successful, they must be underpinned by high standards of privacy and ethical foresight, guided by the expertise of organisations such as the Centre for Data, Ethics and Innovation (CDEI) and enforced by an independent regulator.

Here we set out the key points from our response:

Not all data is personal, and there is a big role for other types of data (including operational, analytical, networks) and datasets (including structured, unstructured industrial, non-personal data, meta data) to be shared in ways that can benefit citizens and the economy.
Trust in the data protection regime is essential to maintain citizens’ confidence in using digital products and services and to ensure their privacy is respected. Reform to the data protection regime should not dilute individuals’ ability to seek redress e.g., preserving Article 22 of the GDPR, and ensuring the nominal fee for subject access requests is not reintroduced.

A high standard of data protection with effective avenues for redress, and supported by an independent regulator will be key in ensuring reforms do not challenge the EU’s positive adequacy decision, which could cost UK businesses up to £1.6bn if lost.
Ethical considerations must underpin the use of all personal data. This includes ensuring the purpose of collecting, using, and sharing data always remains clear, and is used to support fair and ethical outcomes.

The CDEI has a role to play in providing useful guidance to industry and the public sector, and delivering cross-sector projects. However, the CDEI’s role should not be conflated with one of governance, and it is important to distinguish between the different mechanisms in place – from regulation and governance to guidance and consulting – to achieve the best outcomes from data use and sharing.

In the context of the data protection regime, the regulator should continue to provide UK businesses with pragmatic and proportionate guidance for implementing the UK GDPR. An effective regulator is one that is independent, and reform to the data protection framework should not blur the responsibilities between Government and the regulator, such as by allowing the Secretary of State to approve codes of practice or complex and novel guidance.
The system should enable responsible research and innovation to ensure the UK remains a top global destination for innovation. Many of the regulatory barriers our members experience when pursuing R&D projects could be addressed by reform to the UK GDPR, which would not undermine the privacy already afforded to individuals in the regulation.

This includes improving the legal clarity and certainty on definitions and legal bases for data processing activities related to research and removing limitations on the re-use of data. These provisions could offer UK businesses responsible access to more data, which could be a step-change for organisations developing and deploying AI systems.

Any reform must be supported by clear and suitable safeguards to protect individuals from the potential misuse or unlawful use of their personal data, along with clear guidance from the regulator.
The NHSX’s data strategy should be thorough and comprehensive. In addition to the considerations set out above, the strategy also needs to address cultural and technical barriers in the health and care sector. This includes fostering knowledge sharing communities, and putting a greater emphasis on improving data quality, as outlined in techUK’s Ten Point Plan for Healthtech.

Delivering this strategy will require a greater focus on solving high impact problems at pace, and members welcome further clarity on how the ambitions of the strategy will be prioritised.
Government needs to facilitate greater data sharing to deliver on Mission 1 and 3 of the NDS. This means tackling shared data challenges such as lack of data standards and interoperability between systems, and providing organisations including public services, the right tools, and skills to share and use data more effectively.

techUK's full response to this Call for Evidence, The right to privacy: Digital data can be found here.

techUK’s full response to the DCMS, Data: a new direction consultation here, and the NHSX’s draft strategy: Data saves lives: reshaping health and social care with data here.

This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.