An insurance company wants to use NHS patient data for their machine learning algorithms to
determine the likelihood of prospective customers acquiring a disease and adjusting the insurance
policy accordingly. Identify the applicable legal principles and any issues or gaps arising from such
application of AI-based technology in the existing legal framework.

It is true that the use of AI applied to patient data by the NHS can bring great benefits
such as cost reduction, early diagnosis, prevention and proper treatment of chronic
diseases.

On the one hand, it gives patients, armed with that information, the opportunity to
follow a plan of preventive action. At the governmental level, on the other, it would
allow population-scale health factors to be analysed.

However, such information in the hands of insurance companies intending to adjust
the policy accordingly would not only undermine the principle of non-discrimination,
but would also be incompatible with some of the principles contained in the General Data
Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Code of Conduct
for data-driven health.

Recital 54 of the GDPR states on the processing of special categories of personal data
that ‘such processing of data concerning health for reasons of public interest should
not result in personal data being processed for other purposes by third parties such as
employers or insurance or banking companies’.[1]

If the data subject gave explicit consent for the insurance company to process their
data under Article 9(2)(a) of the GDPR, then the company could rely on that
information. However, it seems unlikely that the data subject would do so if it meant
paying for a more expensive policy.

Article 96 of the DPA grants the data subject the ‘right not to be subject to automated
decision-making’.[2] Without prejudice to the aforementioned principles, the terms on
which a person contracts a policy could not be left at the mercy of algorithms created by
insurance companies on the basis of their health data.

On the other hand, I understand that the provisions of Article 185 of the DPA would be
applicable, since it establishes that ‘a term or condition of a contract is void in so far as
it purports to require an individual to supply another person with a record which (a)
consists of the information contained in a health record’.[3]

The Code of Conduct designed by the Department of Health & Social Care determines
not only that the use of data must be in line with the GDPR and the DPA but also that
it is necessary to ‘demonstrate how and where the product will add value to people
and the health care system’.[4]

In this sense, the eventual use of patient data by insurance companies for the indicated
purposes would not fit within the existing legal framework.

(467 words)

[1] ‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such, and Repealing Directive 95/46/EC (GDPR)’.
[2] Data Protection Act 2018.
[3] ibid.
[4] Department of Health & Social Care, ‘Code of Conduct for Data-Driven Health and Care Technology’ <https://www.gov.uk/government/publications/code-of-conduct-for-data-driven-health-and-care-technology/initial-code-of-conduct-for-data-driven-health-and-care-technology>.
