Data Protection and Digital Information (No. 2) Bill

Written evidence submitted by the National AIDS Trust (DPDIB21)

1. National AIDS Trust is the UK’s HIV rights charity. We work to stop HIV from standing in the way of health, dignity and equality, and to end new HIV transmissions.

2. In 2022, we launched a Discrimination Advice service for people living with HIV, supported by the National Lottery Community Fund. This service allows us to provide people living with HIV access to free legal advice about whether they have experienced discrimination related to their HIV status.

3. One of the most common types of discrimination experienced by people living with HIV is when their HIV status is shared with others without their consent. Medical data (such as HIV status) is currently considered ‘personal data’ under the GDPR definition, but these regulations are often broken in relation to individuals’ HIV status.

4. Some of the most common settings where data protection law is broken in relation to the sharing of HIV status are: employment, healthcare services, the police, and the personal lives of individuals living with HIV. The sharing of an individual’s HIV status can lead to further discrimination being experienced by people living with HIV and can often increase their risk of harassment.

5. We are supportive of the overall aims and principles of the Data Protection and Digital Information (No.2) Bill, as we believe it is vital that people’s personal data (such as their HIV status) is as strongly protected as possible.

6. We are, however, concerned that the Bill as drafted does not go far enough to prevent individuals’ HIV status from being shared with others without their consent. Our concerns relate to specific clauses of Part 1 of the draft Bill and related Schedules that may have unintended consequences when people’s HIV status is shared without their consent within their workplaces, by the police or when their medical data is transferred internationally.

7. In order that this Bill adheres to the Government’s Public Sector Equality Duty, to eliminate discrimination, harassment and other conduct prohibited by the Equality Act 2010 against people living with HIV, we strongly recommend the following amendments:

8. The Bill must:

- Clarify what an ‘administrative purpose’ is for organisations processing employees’ personal data.

- Retain the duty on police forces to justify why they have accessed an individual’s personal data.

- Mandate that a third country’s ‘data protection test’ is reviewed annually to ensure ongoing suitability of international data transfer.

- Remove the proposed powers of the Secretary of State to assess other countries’ suitability for international transfers of data and place these on the new Information Commission instead.

Comments on Part 1 of the draft Bill and related Schedules

9. Clause 5(9)(b) allows for transmission of data within an organisation related to employees "where it is necessary for internal administrative purposes". This is not, however, a clear enough definition of what an ‘administrative purpose’ is. As this paragraph currently reads, an employer could transfer any personal data about an employee internally for any reason and justify this as "necessary for an internal administrative purpose". This might have the unintended consequence of a person living with HIV’s status being shared with colleagues without their consent, if processed incorrectly or carelessly.

10. This is an issue we see reported to our Discrimination Advice service time and time again, and often leads to harassment of individuals by their colleagues. For example, we have been made aware of examples of individuals who have been threatened by colleagues with having their HIV status shared publicly on social media, or with family or friends who are unaware of their HIV status. These threats often lead the individuals affected to have poorer mental health (such as increased anxiety), and to find their workplaces inhospitable or even dangerous environments.

11. Therefore, we believe there should be additions to this sub-clause to clarify that intra-group transmission of personal data in the workplace should only be permitted for the individuals who need to access an employee’s personal data as part of their work. We also believe there should be wording in this sub-clause that explicitly makes it an offence to share an employee’s personal data with internal colleagues who are not required to process this data as part of their job role. Adding this additional wording would make sure that employees’ personal data (including health data such as HIV status) is protected adequately and not shared with individuals who do not need to process this data. This would consequently protect their privacy and reduce the risk of harassment.

12. Clause 16 seeks to amend the Data Protection Act 2018 so that the police would not have to provide justification for why they are consulting or disclosing personal data. We believe that the introduction of this clause is not sensible because it removes an important check and balance on the police’s processing of an individual’s personal data. National AIDS Trust have been involved in cases of people living with HIV whose HIV status was shared without their consent by police officers, both internally within their police station and within the wider communities that they serve.

13. The consequences of this sharing of HIV status by police officers have been that individuals living with HIV have been subjected to harassment and further discrimination. For example, we have been made aware of cases of police officers sharing individuals’ HIV status with witnesses to crimes under investigation, or to other people within individuals’ local communities. Such police behaviour can often encourage greater harassment or other forms of discrimination against people living with HIV under criminal investigation and can lead to poorer mental health (e.g., increased anxiety) for the individuals affected.

14. Therefore, making sure that police officers justify why they have accessed an individual’s personal data is vital evidence in cases of police misconduct. Such cases include when a person’s HIV status is shared inappropriately by the police, or when not relevant to investigation of criminal activity. The purposes outlined in Section 62(4) of the Data Protection Act 2018 are an important check and balance on police access to personal data and should be kept in law. For this reason, we think Clause 16 should be removed from the draft Bill in its entirety.

15. Schedule 5 gives the Secretary of State the regulatory power and responsibility to make decisions related to the transfer of personal data to third countries. HIV is criminalised in many countries around the world, and the transfer of personal data such as an individual’s HIV status to these countries could put an individual living with HIV, their partners or family members at real risk of harm. This is because HIV stigma is incredibly pronounced in these countries, which fosters a real risk of HIV-related violence. In the specific context of HIV, it is unlikely that the Secretary of State (or their Departmental officials) will have the specialist knowledge to assess whether there is risk of harm to an individual by transferring data related to their HIV status to a third country.

16. There are also issues related to capacity to make this assessment of the data protection test for each country. For example, how regularly will each country’s data protection test be reviewed, and who will make this assessment? We therefore recommend that Schedule 5(5) should contain additional provisions to mandate regular review of the data protection test for each third country (such as annually), to ensure that the data protection regime in each third country is secure, and that people’s personal data such as their HIV status will not be shared inappropriately in such a way as to put individuals at risk of material harm.

17. On a broader principle related to both Schedules 5 and 6, we question whether it is appropriate that the Secretary of State has the regulatory power to make these decisions about the data protection regimes of third countries. Given that the activities of Government departments are political by their nature, the Secretary of State making these decisions related to the suitability of third countries for data transfers may not be viewed as objective by individuals whose personal data is transferred.

18. Many people living with HIV we hear from feel comfortable reporting breaches of data protection law in relation to their HIV status to the Information Commissioner’s Office (ICO), due to its position as an independent regulator. We therefore recommend that the Bill places these regulatory powers on the new Information Commission created by this Bill instead, as this may inspire greater public confidence.

May 2023

Prepared 16th May 2023