Assignment 1 - Ai


An insurance company wants to use NHS patient data for their machine learning algorithms to
determine the likelihood of prospective customers acquiring a disease and adjusting the insurance policy
accordingly. Identify the applicable legal principles and any issues or gaps arising from such application
of AI-based technology in the existing legal framework.

It is true that the use of AI applied to patient data by the NHS can bring great benefits such as
cost reduction, early diagnosis, prevention and proper treatment of chronic diseases.
On the one hand, it gives patients who have certain information a good opportunity to follow a
plan of preventive action. On the other, at the governmental level, it will allow
population-scale health factors to be analysed.
However, placing such information in the hands of insurance companies that intend to adjust
the policy accordingly would not only undermine the principle of non-discrimination, but would
also be incompatible with some of the principles contained in the General Data Protection
Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Code of Conduct for data-driven
health.
Recital 54 of the GDPR states on the processing of special categories of personal data that
‘such processing of data concerning health for reasons of public interest should not result in
personal data being processed for other purposes by third parties such as employers or
insurance or banking companies’.[1]
If the data subject gave explicit consent for the insurance company to process their data
under Article 9(2)(a) of the GDPR, then the company could rely on that information.
However, it seems unlikely that the subject would give it if that meant paying for a more
expensive policy.
Article 96 of the DPA grants the data subject the ‘right not to be subject to automated
decision-making’.[2] Without prejudice to the aforementioned principles, the terms in which a
person contracts a policy could not be at the mercy of algorithms created by insurance
companies based on their health data.
On the other hand, I understand that the provisions of Article 185 of the DPA would be
applicable, since it establishes that ‘a term or condition of a contract is void in so far as it
purports to require an individual to supply another person with a record which (a) consists of
the information contained in a health record’.[3]
The Code of Conduct designed by the Department of Health & Social Care determines not
only that the use of data must be in line with the GDPR and the DPA but also that it is
necessary to ‘demonstrate how and where the product will add value to people and the health
care system’.[4]
In this sense, the eventual use of patient data by insurance companies for the indicated
purposes would not fit the existing legal framework.
(467 words)

[1] ‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (GDPR)’.
[2] Data Protection Act 2018.
[3] ibid.
[4] Department of Health & Social Care, ‘Code of Conduct for Data-Driven Health and Care Technology’ <https://www.gov.uk/government/publications/code-of-conduct-for-data-driven-health-and-care-technology/initial-code-of-conduct-for-data-driven-health-and-care-technology>.