Data Protection Bill

Written evidence submitted by the British Medical Association (DPB14)

About the BMA

The BMA is a professional association and trade union representing and negotiating on behalf of all doctors and medical students in the UK. It is a leading voice advocating for outstanding health care and a healthy population. It is an association providing members with excellent individual services and support throughout their lives.

Executive summary:

§ Clause 16’s regulation-making power: the BMA repeatedly expressed its concern, during the Bill’s passage in the House of Lords, that clause 16 of the Data Protection Bill would give the Government an inappropriate, fast-track power to change the law, through secondary legislation, on how confidential health data are shared, with little scrutiny or oversight. Significantly, the House of Lords’ secondary legislation scrutiny committee also warned that delegations of power in clause 16 "are inappropriately wide" and they would "recommend their removal from the Bill". [1]

§ Public Bill Committee stage – clarity needed on the face of the Bill: we welcomed the Government’s acknowledgement in the Lords of the concern about clause 16, and its "commit[ment] to looking at the issue of delegated powers". [2] However, we were disappointed by the subsequent amendments brought forward by the Government, in the final Lords’ stages, [3] which we do not believe have done enough to moderate the scope of clause 16’s new regulation-making power. In particular, we believe the potential remains in 16(1)(a) of the Bill for future secondary legislation to be brought forward that could erode protections for medical confidentiality. If this is not the Government’s intention, it should be reflected in the Bill. This could be achieved through amendment 131, tabled by members of the committee; or the amendment proposed below, which would ensure, specifically, that future changes to the application of the GDPR do not set aside the protection for medical confidentiality in the common law.

Proposed amendment

Page 9, line 36, at end insert-

"() Nothing in this section authorises the making of regulations which would enable a disclosure which contravenes the common law duty of medical confidentiality."


1.0. The European Union’s GDPR (General Data Protection Regulation) is Europe’s new framework for data protection laws and will apply to all member states from May 2018. It will replace the previous 1995 data protection directive, upon which our Data Protection Act is based. The UK Government has decided to implement the GDPR into UK law ahead of time, "helping Britain prepare for a successful Brexit", through this Data Protection Bill. [4]

1.1. Clause 16 of the Data Protection Bill, ‘Power to make further exemptions etc by regulations’, embeds a provision in Article 6 of the GDPR, which allows for member states to determine "specific provisions to adapt the application of the rules" of the GDPR for the lawful processing of data. Specifically, Article 6 allows member states to determine their own "specific requirements" for when data are being processed (i) in compliance with a legal obligation, (ii) for the performance of a task in the public interest, or (iii) in the exercise of official authority.

1.2. Rather than setting out these "specific requirements" on the face of the Bill, clause 16 legislates that the UK will define its specific requirements for the lawful processing of data through secondary legislation. Such regulations will be made by the relevant Secretary of State and affirmed by Parliament (the ‘affirmative resolution’). Parliamentarians are, therefore, being asked to give the Government extremely wide powers to make future changes to the rules on sharing of data (potentially including health data) without any specifics as to how this power will be used or what, if any, restrictions will be applied. Attempts [5] to amend the procedure for scrutinising future regulations to the more rigorous ‘super affirmative’ procedure were denied.

1.3. The BMA is concerned that this new regulation-making power in clause 16, specifically the provision in 16(1)(a), will give the Government an inappropriate, fast-track procedure to change the law, through secondary legislation, regarding how confidential health data are shared, with very little scrutiny or oversight by Parliament or key stakeholders.

Clause 16’s Henry VIII regulation-making power – House of Lords’ scrutiny

2.0. Significantly, two House of Lords select committees reported on the worrying scope of the regulation-making power in clause 16, calling attention to the inadequate justification provided for the inclusion of the power in the Bill. [6]

2.1 The Lords’ Delegated Powers and Regulatory Reform Select Committee [7] stated that the Government’s rationale for the new power is "an insufficient and unconvincing explanation for such an important power", which is "inappropriately wide". They advised that the affirmative procedure for secondary legislation "is not an adequate substitute for a Bill allowing Parliament fully to scrutinise proposed new exemptions to data obligations and rights". Therefore, they recommended its "removal from the Bill".

2.2 Furthermore, the Lords’ Constitution Select Committee [8] reported on the "breadth" of the delegated powers in clause 16, which "causes considerable concern". They advised that "the Government’s desire to future-proof legislation, both in light of Brexit and the rapidly changing nature of digital technologies, must be balanced against the need for Parliament to scrutinise and, where necessary, constrain executive power."

2.3 The BMA’s specific concern regarding the potential impact that the scope of clause 16(1)(a)’s regulation-making power could have on medical confidentiality, was echoed by cross-party Peers at both second reading and committee stage. In response to probing amendments, such as 108A, minsters recognised that further work was needed to balance future-proofing the Bill with ensuring proper parliamentary scrutiny of subsequent delegated powers. Ahead of revisions to the Bill at report stage, ministers agreed to be "open to constructive suggestions as to how provisions in the Bill can be improved", and to reflect on the select committees’ recommendations. Importantly, Lord Ashton gave a "reassurance" that whilst the Government did not accept proposed amendment 108A regarding medical confidentiality, "the Government are committed to looking at the issue of delegated powers in the round. I will certainly include that [amendment 108A] in that discussion".

2.4 The Government moved a number of amendments at report stage to respond to these concerns about the regulation-making powers. Whilst the BMA acknowledges these concessions, we were not reassured by the changes made to the Bill as they did not alter the provisions in clause 16(1)(a). Therefore, it is our understanding that the power remains in the Bill for the Government to make regulations in the future that could alter the application of the GDPR without thorough oversight or consultation – potentially altering data-sharing arrangements with regards to confidential health data.

2.5 This point was reflected by Lord Clement-Jones’ response to the Governments amendments at report stage. He highlighted that the Government had still not made the case for the "extraordinary" Henry VIII powers in the Bill, and he hoped that the powers would be further reduced at a later stage. [9]

2.6 The BMA urges the Public Bill Committee to reflect on the select committees’ expert advice, as well as concerns expressed by Peers during the Bill’s passage in the Lords, that the new regulation-making power in clause 16 is not fit for purpose, and to remove remaining uncertainty about 16(1)(a)’s scope and application on the face of the Bill. As such, we support amendment 131, which would delete clause 16 from the Bill.

2.7 We believe clarity is especially important regarding the particular sensitivity of health information – such data has a special legal status in the common law, over and beyond the Data Protection Act, which we believe must not be jeopardised.

2.8 If the power in clause 16 is not removed, as per amendment 131, it must be clear what safeguards will be put in place to ensure that any future secondary legislation amending 16(1)(a) will not set aside the common law duty of confidentiality. As such, we would urge the committee to support the amendment proposed by the BMA, outlined in this submission.

March 2018

[1] Delegated Powers and Regulatory Reform Committee, ‘6th Report of Session 2017-19: The Data Protection Bill’ (25/10/17), Clauses 15 to 111:

[2] Lord Ashton, Parliamentary Under-Secretary (Department for Digital, Culture, Media and Sport), Committee Stage (Day 2) of the Data Protection Bill, Hansard: column 1645

[3] The concerns about clause 16, and the Government’s response, is summarised in the House of Commons library note, available here: (accessed 08/03/18)

[4] Department for Digital, Culture, Media and Sport, ‘Government to strengthen UK data protection law’ press release (07/09/17), (accessed 05/10/17)

[5] Amendments were proposed by Lord Clement-Jones, Lord Paddick, Baroness Jones, Baroness Neville-Rolfe and Lord Arbuthnot.

[6] Baroness Williams, Minister of State at the Home Office, Second Reading of the Data Protection Bill: "Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation."

[7] HoL Delegated Powers and Regulatory Reform Committee, ‘6th Report of Session 2017-19: The Data Protection Bill’ (25/10/17), Clauses 15 to 111:

[8] HoL Constitution Committee, ‘6th Report: Data Protection Bill’ (26/10/17):

[9] Lord Clement-Jones, Report Stage of the Data Protection Bill, Hansard: column 1468


Prepared 12th March 2018