Data protection: key recent developments – what do life sciences organisations need to know?
By: Andrew Gallie, data protection solicitor with law firm VWV
Data protection law has been in a state of flux for a number of years now, with the relentless pace of technological development, new ways of working, and external factors such as Brexit, all informing changes in the law and regulatory guidance. Another theme that the life sciences sector has felt, is regulatory divergence – such as in the fields of clinical trials and falsified medicines.
Things are set to change again, with a raft of recent developments including the announcement of new data protection laws in the Queen’s Speech, which could see the UK moving further away from the EU.
Here, we look at some of these recent developments and some of the practical issues that organisations should be considering as part of their data protection compliance.
International data transfers
The good news for the movement of personal data between the EU and UK (and vice versa), is that the EU recognises the UK (currently) as having adequate data protection laws. Likewise, EU member states, plus a handful of other countries, have the benefit of a UK adequacy finding, meaning that personal data can be transferred to these countries from the UK without additional steps for compliance.
For other countries, such as the USA, China and Australia, you will usually need to find a safeguard to make the transfer from the UK lawful. The applicable safeguard in many cases will be to use the International Data Transfer Agreement (IDTA) prepared by the ICO (the UK’s data protection regulator). The IDTA came into force in March this year and will replace the old standard contractual clauses (SCCs) – which are derived from the EU’s position on international data transfers.
The IDTA and the SCCs can both be used until 21 September 2022. After this date, the SCCs cannot be used in new contracts, but will remain valid for contracts already signed until 21 March 2024.
Organisations should therefore think about using the IDTA now for new international transfers of personal data. The IDTA can be used as a standalone document or, perhaps more likely, as a schedule to a wider agreement.
In many respects, the IDTA is an improvement on the SCCs; for example, there is far greater use of ‘plain English’ and it contains a number of prompts, which will help organisations think about practical points such as information security. However, the IDTA is potentially more onerous, in that it arguably places a higher compliance burden on the parties, compared to the SCCs. In addition, if the ICO updates the model IDTA, then the changes will become binding on any IDTA that has already been signed.
In light of these concerns, some organisations have decided to continue using the old SCCs for new transfers up until the last possible moment (ie 21 September). Whether to switch to the ITDA now, or continue using the SCCs for the time being, will require careful judgement.
The IDTA is only half the story. Organisations must also risk assess the transfer and, if needed, put in place additional safeguards. The sorts of factors that should be fed into the risk assessment include whether the IDTA (or SCCs) are likely to be enforceable in the other country, the sensitivity of the personal data transferred and the risks of third party (particularly foreign government) access to the data. The additional safeguards might include further contractual provisions on top of what is already in the IDTA / SCCs, encrypting the data or requiring the recipient party to provide training to staff.
The ICO published draft guidance on the risk assessment last year. However, things have moved on a lot since then and the final version, which is due to be published imminently, will likely be quite different. In light of the direction of travel as evidenced by the consultation (see below), l anticipate that the guidance will take a proportionate and risk-based approach to data transfers and the ICO are unlikely to want to be seen to be unnecessarily inhibiting international data flows. Nevertheless, the risk assessment is an important part of the process and organisations need to evidence that they have carried out the assessment and that they have implemented any required additional safeguards before the transfer takes place.
New data protection laws
The announcement of new data protection laws in the Queen’s Speech follows on from the Government’s consultation last year on reforming the UK GDPR and the Data Protection Act 2018, which together make up the bulk of UK data protection law.
It is clear from the consultation that the government is aiming for a more ‘light touch’ regime. The consultation document emphasises the importance of using personal data as a driver for growth and innovation. There is, of course, a risk that a leaner regime might not have all of the safeguards and protections for individuals that are currently in place.
The reforms mooted in relation to automated decision-making are a case in point. Automated decision-making essentially means using a computer to make a decision about an individual, for example whether to include a particular patient on a managed access or clinical trial programme. If an individual is subject to a solely automated decision, and it relates to something that significantly affects them, then they are usually entitled to a human review of the decision. The government is considering removing this right, so accusations around the use of ‘rogue algorithms’ may well become even more common in future. On the other hand, the government makes the point that the other safeguards in the UK GDPR may be sufficient without the need for the human review safeguard.
There is also a move to reduce ‘red tape’, for example in some cases by reducing data protection documentation and accountability obligations and doing away with the requirement to appoint a data protection officer.
We are seeing an increasing number of cyber-attacks and data breaches. Data protection laws require organisations to take ‘appropriate’ measures to safeguard personal data. The vast majority of data protection fines have resulted from information security breaches. As such, information security is arguably the most important area of data protection compliance to get right.
The government’s National Cyber Security Centre website contains a significant number of resources to help organisations address cyber risks. These include extensive technical guidance for organisations on how to secure their systems, as well as some clever tools to help identify threats. For example, the NCSC’s Early Warning service is a free tool that will apparently warn you if your network is being attacked.
Whilst we have seen a number of clients fall victim to sophisticated cyber-attacks, in our experience, most data protection breaches happen as a result of human error, whether that is a member of staff clicking on a suspicious link, emailing a confidential document to the wrong recipient, or leaving papers on the train. It is vital to make sure your staff have been given training on data protection compliance. This training should be backed up with appropriate written policies, containing practical guidance on the everyday ‘dos and don’ts’. Not only will these steps reduce the risk of something going wrong, but will count significantly in mitigation, should the worst happen.
Things are not staying unchanged for long. It is worth keeping an eye on developments, including the content of the new data protection laws, as well as the ICO’s risk assessment guidance.
Find out more
If you would like further information, please contact Andrew Gallie in VWV’s data protection team on 07467 220 831.