Department updates privacy guidelines to provide for the use of automated tools in decisions and ‘profiling’, as well as removing pledge that patients will have ‘considerable say’ over data use
The Department for Health and Social Care has amended its policy on the use of citizens’ data to provide for the implementation of automated profiling and decision-making processes.
The updates, made earlier this month, also remove references that were previously included promising individuals that they would have “considerable say” in how their information is used, and that consent would always be sought before it was shared for use by commercial entities.
The most visible of the updates is the addition of an entirely new section – headed “Automated decision-making or profiling” – the terms of which provide for the use of automated tools in how the department processes and uses personal data.
- Government plans to expand departments’ powers to share personal data to support One Login
- ICO examines use of personal data in government anti-disinformation work
- UK and US close to agreement for ‘free flow of personal data’ across Atlantic
“We may use automated decision-making or profiling in certain circumstances as required or permitted by law to enable us to deliver efficient services,” it adds.
Elsewhere, there are small but potentially meaningful tweaks in the language used regarding individuals’ rights and their involvement in how their information may be used.
In the previous version of the policy, the DHSC committed that it would “not make your personal information available for commercial use without your consent”.
This provision has been entirely removed.
The guidance also formerly contained a pledge that “the data we are collecting is your personal information and you have considerable say over what happens to it”.
This has been amended to simply “the data we are collecting is your personal data”.
Similarly, a previous explicit reference to ensuring that individuals have the “right to request [data] and [that] incorrect information can be rectified” has been replaced with the less specific commitment that the DHSC will “assure you that your individual rights under UK GDPR can be exercised”.
The guidance outlines a comprehensive range of groups of people whose data the department will process – including all NHS staff, patients, and “the general populace”. Information can be shared with all public bodies, including government and law enforcement, as well as commercial suppliers and the financial services industry, according to the terms of the policy.
The guidelines retain the commitment that the DHSC will “only ask for what we need, and not to collect too much or irrelevant information” and will “let you know if we are going to share it with other organisations”.
Also still featured in the department’s data-use policy is a pledge that “outside of specific exemptions under the legislation, your personal data shall be retained for no longer than the purposes for which it is being processed”.
The DHSC is the second major department in the space of a couple of weeks to make amendments to its personal data policy to reflect the likelihood of government’s increased use of automated processing – including in decision-making.
Last month, the Department for Work and Pensions released a new version of its personal information charter, in which the section of automated decisions was completely rewritten. Unlike the DWP’s previous guidance, the updated version explicitly states that the department does make use of “automated processing in some decision making” and provides for the possibility that some decisions could be made entirely via automation – where “the law allows this”. The changes also include the removal of references to “meaningful input from staff” and “review or appeal options” for benefit claimants.
PublicTechnology contacted the DHSC requesting comment and information on the reason for the changes and the likely impact in the coming months. The department declined to comment.