There is only one UK law that relates to personal and sensitive data and that is GDPR (General Data Protection Regulation). This replaced the Data Protection Acts of all 28 EU countries in early spring 2016, shortly before the Brexit vote.
GDPR and how it works
GDPR clarified any ambiguities about consent to data. Because of the grave consequences of personal data being “out there”, one rule was that no-one under sixteen can give consent. However, part of the reason GDPR took four years to agree (they started in 2012!) was that various countries disagreed with various aspects, and the UK got an opt-out specifically for itself, with the age of consent lowered to 13. Why this didn’t make national headlines I just don’t know!
According to EU data protection principles dating back to the European Convention on Human Rights, personal data is the property of the citizen (known as the data subject). The organisation looking after it for them is the data custodian. The custodian should inform the subject of any proposed change of use of the data, and give them a chance to opt out if they wish. This was written ambiguously, and the ambiguity was greatly abused! In particular, sales and marketing companies would present a tick box on a web page, and if the data subject didn’t tick it, it was assumed that they consented.
Under GDPR, the rules are much stricter. The custodian must inform the subject of any change of purpose in such a way that doing nothing retains the status quo, or face a heavy fine. That means the subject must be informed of any proposed change in such a way that they have to give explicit consent to it (the opt-in principle was there even with the previous act, but many companies construed it wrongly). The UK agreed with this; indeed it fits well with the NHS principle of informed consent.
Brexit has not yet led the UK to change GDPR! UK GDPR became official on 1 January 2021 and is almost entirely the same law as GDPR in each EU country. The government may wish to go for non-alignment in future, and indeed Liz Truss hinted at aligning with US laws when discussing her trade deal with Japan, but such a change has not even been discussed in Parliament as yet.
A centralised database
Currently, the DHE (Department of Health) has a project rolling out that involves 55 million patient records in England. This involves the transfer of the records from GP storage, where they can be used in anonymised form for research purposes, to a centralised NHS Digital database with access for selected third parties. This is clearly a change of use, but the principle being used is “opt out”, and that is stated many times in the online information. The original opt-out deadline of 23 June 2021 has been put back to 1 September; however, the scheme seems to be at odds with GDPR, which requires “opt in”. A date change makes no difference to that GDPR principle.
Perhaps it should also be mentioned that it is US convention to use “opt out” regarding medical data. This was clearly stated by Alexander Nix, CEO of Cambridge Analytica, in an interview in early 2018, just before the two-year GDPR acclimatisation period was over.
I hope this is clear. The concepts are challenging, but they are also very important. Indeed, they date back to the formation of the Council of Europe, and the consequent “Right to Privacy”, established in 1950.
How to opt out
As reported in Yorkshire Bylines:
“There are two kinds of data: GP data and non-GP data. And two different ways to opt-out. For GP data you have to send a form to your GP surgery for every member of your household. For non-GP data it depends whether you have children under 13 – if you do, you have to print off another form and post it to NHS, but if you and any children are 13 or over, you can complete the opt out online.”