GDPR changes could ease AI rules for insurers using personal health data

Proposed changes to the general data protection regulation (GDPR) legislation could make artificial intelligence (AI) easier to use when processing health data.

This is according to Gareth Rees, senior associate in the commercial team at law firm Gardner Leader, who was commenting on government’s Brexit Freedoms Bill published last week.

The bill will contain proposals on data and AI and commits to “moving in a faster, more agile way to regulate new digital markets and AI and creating a more proportionate and less burdensome data rights regime compared to the EU’s GDPR”.

Rees predicted the rise of AI was “inevitable” and would undoubtedly be increasingly used in the insurance field, whether for assessing risk, making decisions on underwriting or to price claims.

“Similarly, AI is increasingly important in the health sector including in identifying and mapping health risks,” he said.

“While the proposed government changes are not a complete overhaul of data protection legislation, they would make the use of AI easier in a field where the law is perhaps slightly lagging behind advances in technology.”

 

Uncontroversial and controversial changes

Commenting on what this means for overall GDPR controls in the UK, Rees noted government is proposing a number of changes to data protection legislation with a view to cutting guidelines which it claims will bring benefits of over £1bn.

He explained the proposals range from “fairly uncontroversial” changes to the way that cookies are dealt with to creating an exhaustive list of legitimate interests that can be used as a basis for processing without applying the balancing test where firms must take into account the rights and interests of the data subject.

But Rees noted that while a number of the changes would undoubtedly be welcome to business, concerns have been raised about the potential effect on data subjects.

He added that should changes proceed as outlined in the government’s consultation document, a key issue will be whether or not they will affect the UK’s adequacy status with the EU.

“Some of the more significant changes proposed by the government relate to AI and automated decision-making,” Rees said.

“The government is suggesting that the list of legitimate interests that can be used as a basis for processing without having to apply a balancing test will include processing personal data (including special category data) for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems.

“More controversially, the government is also considering whether or not Article 22 of the UK GDPR should be removed to allow for decision-making to be solely automated, subject to the processing meeting all of the other requirements of data protection legislation.

“It is worth highlighting that the response from the Information Commissioner’s Office to the consultation was against this proposed change, noting that removing the right to human review ‘could undermine public support for the use and deployment of AI’.”

 

‘Inordinate amount of time’

However Peter Wright, managing director of Digital Law, pointed out that legislative changes could take a long time to be implemented.

“If you look at the nuts and bolts of this, it is actually quite far ranging,” Wright said.

“It will take an inordinate amount of time to get a bill together to replace the current UK Data Protection Act 2018 so this isn’t going to happen for a number of years.”

 

Exit mobile version