Introductory description

This module provides a critical understanding of the evolving legal landscape for the regulation and governance of data.
We are in the midst of a digital revolution underpinned by data. The rapid pace of technological innovation, such as machine learning and big data analytics, continues to increase the scale of data being collected, stored, linked and analysed. Big data provides big opportunities for innovation, for profit, and for public benefit (for example, the use of data for public health purposes and the management of COVID-19). But, there is also big potential for societal harm including misuse of personal, sensitive data. Using contemporary examples from the national and international context, this module considers the data protection, human rights, confidentiality, and wider governance questions that arise when personal, often sensitive, information is used by the state, law enforcement agencies, corporations and business, healthcare professionals and researchers.

Module web page

Module aims

Outline syllabus

This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.

• Introduction to Data Protection, Privacy and Confidentiality:
  The module opens with an introduction to the origins of data protection law, privacy, and the common law duty of confidentiality. The first week will provide an overview of the sources of law and key institutions, and situate the national legal framework in the European and international context.

• Key Concepts and Debates:
  The second week will introduce foundational concepts of data law and governance such as personal data, sensitive data, anonymisation and de-identification. As an area of law that aims to strike a balance between effective data use on the one hand, and protection of individuals on the other, we will explore what it means to be a ‘data subject’, ‘data processor’ or ‘data controller’ and critique the strengths and weaknesses of individual-level data protection approaches.

• Data Protection Principles:
  Building on these foundational concepts and debates, the focus of the next four weeks will be to critically analyse key provisions of the EU General Data Protection Regulation (GDPR), which is often used as a blueprint and is perceived to have set an international standard of data protection. In this week we will analyse the principles - approach that underpins the GDPR, including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, and accountability. We will critically analyse their interpretation by national and international courts, and explore their operation in different contexts.

• Data Protection Obligations:
  The focus of this week is on the responsibilities of ‘data controllers’ and ‘data processors’. We will analyse governance instruments such as privacy impact assessments and data processing agreements using contemporary examples, and evaluate the role of oversight bodies such as the European Data Protection Board and the national regulator the Information Commissioner’s Office.

• Data Protection Rights and Derogations:
  The focus of this week is on data subject’s rights including rights to access personal data, the right to rectification, and the right to be forgotten. We will also analyse and critique the various derogations from these rights in context.

• Cross-border Data Transfers and International Approaches:
  Exploring the extra-territorial scope of the GDPR, this week will analyse the GDPR’s adequacy decision mechanism and the international countries that have equivalence under the GDPR, as well as those that do not. As UK data protection law evolves as a result of leaving the EU, we will consider the future of data protection law in the UK, and explore the implications of wider international agreements pertaining to data governance.

• Health Data Governance:
  This final week will use the case study of health data to bring together all the topics covered and explore topical examples such as population health research and biobanking, international data sharing collaborations, public attitudes to health data use, and genetic exceptionalism.

Learning outcomes

By the end of the module, students should be able to:

• Understand and critically analyse the rules, concepts and principles of national and international data law and governance.
• Understand the history and evolution of the regulation and governance of data.
• Critically analyse and assess the effectiveness of the legal rules, principles, and concepts of the legal framework for data, and apply knowledge to factual situations and contemporary examples.
• Draw on a range of sources, including policy, academic literature, advisory opinions, and case law relating to data laws and practices, and evaluate the effectiveness of the existing instruments as well as arguments made by scholars and policy makers.
• Understand broader public policy, socio-legal, and theoretical dimensions of the regulation and governance of data.
• Demonstrate an ability to conduct independent, critical research on issues of data protection and information governance.
• Engage in debate, problem-solving and critical thinking about the contemporary challenges associated with the collection and processing of personal data, and be able to discuss sensitive questions in a constructive and coherent manner.
• Effectively work in groups, contributing effectively to group tasks and discussions.
• Demonstrate advanced written and oral presentational skills.
• Develop arguments in a coherent, logical and sophisticated manner.

Indicative reading list

Peter Carey (2020) Data Protection: A Practical Guide to UK Law.
Andrew Murray (2019) Information Technology Law: The Law and Society.
Lillian Edwards (2018) Law, Policy and the Internet.
Orla Lynskey (2015) The Foundations of EU Data Protection Law.
Lee Bygrave (2014) Data Privacy Law: An International Perspective.
Mark Taylor (2012) Genetic Data and the Law: A Critical Perspective on Privacy Protection.

View reading list on Talis Aspire

Research element

• To research, collate and evaluate primary and secondary materials on data law and governance;
• To retrieve legal documents, policy reports, regulatory guidelines, communications and court judgements from the internet.

International

A comparative approach to data regulation and governance will be adopted in this module.

Subject specific skills

• Understand the legal rules, concepts and principles of data protection law and governance, in the UK, EU and comparable international jurisdictions;
• Understand the history and evolution of the regulation and governance of data;
• Understand the broad scope of data protection law, its public policy dimensions and wider socio-legal issues;
• Apply knowledge to factual situations and contemporary examples at the intersection of law, technology and policy.

Transferable skills

• To develop arguments in a coherent, logical and sophisticated manner;
• To engage in problem-solving and innovative thinking about the present and future challenges that accompany the collection and processing of personal data and its interaction with human rights and public policy;
• To utilise electronic resources to gather information and retrieve legal documents, intergovernmental reports, communications, and court judgements;
• To have developed skills of research to critically analyse a broad range of sources including journal articles, regulatory guidelines, policy documents and soft-law sources;
• To have developed skills of legal analysis and oral presentation and to make presentations to audiences.