Data Protection and Digital Information (No. 2) Bill

Supplementary written evidence submitted by Medtronic plc (DPDIB27)

Re: Data Protection and Digital Information (No.2) Bill Committee

Members of the Data Protection and Digital Information Select Committee,

1. On behalf of Medtronic plc, I write to thank you once again for the opportunity to address the UK Parliament in the context of the public consultations on the Data Protection and Digital Information Bill ("Bill") on 10 May 2023. We appreciate the Committee taking the time to hear from a diverse set of professionals and to consider their perspectives. As a complement to my oral testimony, I write to hereby share our written perspective, including two recommended improvements that could contribute significantly to strengthening the British ecosystem of innovation and life-sciences research. I was prepared to offer these during the May 10 session, but the opportunity did not arise.

2. In summary, this letter:

· Endorses the clarification that scientific research includes private and industry partners as well as other helpful definitional clarifications as outlined further in this letter;

· Supports the Bill’s express language making research presumptively compatible with a legitimate use in a number of contexts;

· Seeks further change to the Bill to explicitly clarify that data "processors," not just data "controllers", may further process data when they have an appropriate legal basis for the further use to do so (and subject to compliance with all requirements applicable as a new "controller" for this additional use);

· Seeks to clarify that further use of data for research with presumptive compatibility is also possible when data were collected on the basis of consent; and

· Seeks further clarification in the Bill to expressly include scientific research in Article 8, paragraph 4 (b).

3. In general terms, we support the Bill as an important step in the right direction to ensure proper user and patient privacy, and to contribute to enhancing the UK’s attractiveness as a destination for investment and R&D activities by multinational companies like ours in the fast-evolving digital age.

4. As the Bill is currently formulated, we support the following items as positive:

· The definition of "identifiable data" resulting in organisations considering identifiability at the time of processing rather than in the future, and within a reasonable degree of parties involved or that may reasonably access the data. This common-sense perspective will make it easier for data outside of the definition of personal data to be available for scientific research purposes, provided of course that appropriate safeguards are in place to prevent re-identification of individuals and ensure data security. As I mentioned in my testimony, "real world" data is critical to advancing healthcare research.

· We support the clarification that scientific research has a broad meaning to include critical partners in the research ecosystem such as privately funded and industry-led research and that purpose compatibility applies when personal data is used further for scientific research as defined.

5. In addition to these positive clarifications in the current Bill draft, our team has compared the Bill to legal language previously enacted or under development in other jurisdictions, and we strongly recommend the following two suggestions to significantly improve the UK’s attractiveness as an R&D investment destination and global research hub for companies in the healthcare space:

First, we recommend the Bill explicitly allow data "processors," not just data "controllers," to further process data when they have an appropriate legal basis for the further use to do so (and subject to compliance with all requirements applicable to controllers) and recognize that their further processing of personal data for scientific research (including product improvement and development) is compatible with the original purpose for which the data were collected. This clarification would more clearly allow manufacturers to rely on presumed compatibility for scientific research, particularly because improving technology is now included in the new, more clear definition of scientific research, while at the same time affording that data the same privacy protections.

6. Having manufacturers go back to each site and ask it to evaluate compatibility and seek their individual authorization is inefficient, burdens healthcare administrators, impedes innovation, and leads to significant delay. This is particularly true where the Bill language makes clear that such use is presumed legitimate for research. When accessing data in this way, the manufacturer will be acting as a controller and the data will be subject to all of the same protections, such as de-identification, access controls, data minimization and retention and robust security standards.

7. As I mentioned in my remarks, real world evidence is critical for the digital opportunity to vastly improve healthcare, root out bias, personalize medicine, identify new and more effective treatments, and make innovation available to doctors and patients faster. This proposed clarification will facilitate use of such real world evidence in a sensible, safe, and expeditious manner. To this end, we further recommend the Bill expressly recognize that data "processors" do not infringe the UK GDPR when becoming a new data "controller," subject to the above conditions. This is consistent with ICO guidance.

8. Second, the Bill’s new Art. 8A, par. 4 recognizes that, where a person has consented to a data use, and there is both a new legitimate personal data use and under the circumstances it is not reasonable to go back for a new consent (for example, you may not have contact information), a controller may undertake a compatibility analysis to determine whether the additional use is allowable. The Bill then enumerates scenarios where such a process is permitted, but does not include processing carried out in accordance with Article 84B for scientific research purposes. We believe this should be included. (Specifically, in Article 8A "Purpose Limitation: further processing" paragraph 4(b) should read "it falls within paragraph 3(b), (d) or (e)," where "b" is added and refers to the approved research-related uses.)

Once again, I truly thank you for this opportunity to address the Committee, and Medtronic remains at your disposal for any questions you may have now or for future discussions.

Sincerely,

Thomas J. Schumacher

VP, Chief Legal Counsel, Data & Privacy

12 May 2023

 

Prepared 16th May 2023