The Data (Use and Access) Bill (DUAB) introduces significant changes to the UK’s data protection framework, including the recognition of neurodata as a sensitive category of personal data. While data protection laws have long covered health data under the special category data provisions of UK GDPR, neurodata is a relatively new concept that raises important legal and ethical questions. As neurotechnology advances, regulators must determine where neurodata fits within the broader framework of data protection and privacy.
What is neurodata?
Neurodata refers to information collected from devices or technologies that monitor, interpret, or interact with the human brain or nervous system. It includes data from brain-computer interfaces (BCIs), EEG readings, fMRI scans, facial emotion tracking, and even cognitive signals extracted from wearable technology such as smartwatches and virtual reality headsets. This type of data can provide insights into a person’s mental state, cognitive processes, or emotional responses, often for use in applications such as AI-driven neurotechnology, gaming, security, or mental health monitoring.
The rise of neurodata and what it means for data protection
The concept of neurodata has emerged alongside rapid developments in brain-computer interfaces (BCIs), artificial intelligence, and wearable technology. Companies such as Neuralink, Emotiv, and OpenBCI are pioneering technologies that enable direct communication between the brain and external devices.
Meanwhile, consumer-focused devices like the Apple Watch and Meta’s virtual reality systems are increasingly incorporating biometric and neurological tracking to enhance user experiences.
As neurotechnology advances, concerns around data privacy, consent, and ethical implications have grown. Unlike traditional personal data, neurodata has the potential to reveal highly intimate details about an individual’s cognitive state, emotions, or neurological health, raising questions about how it should be regulated.
Neurodata v health data: What are the differences?
Under UK GDPR, health data is classified as special category data, meaning it is subject to stricter protections, including the requirement for explicit consent or another legal justification for processing. The introduction of neurodata as a distinct category under DUAB creates the need for clear boundaries between these two forms of sensitive data.
| Criteria | Neurodata | Health Data (Special Category Data under UK GDPR) |
| --- | --- | --- |
| Definition | Data generated from brain-computer interfaces, wearables, neurotechnology, or systems that interpret cognitive states. | Data related to a person’s physical or mental health, including medical history, conditions, diagnoses, or treatment. |
| Examples | EEG readings, fMRI scans, neural activity from BCIs, emotion-tracking from facial expressions, VR headset data measuring mental states. | Medical records, prescriptions, heart rate data linked to a condition, test results, clinical diagnoses. |
| Purpose of Use | Often used for cognitive tracking, biometric authentication, AI-driven neurotechnology, gaming, and productivity tools. | Used in healthcare, insurance, medical diagnostics, employee health monitoring, or clinical research. |
| Legal Protections under DUAB | Recognised as a sensitive category, with specific processing rules. Could require implicit or explicit consent depending on use case. | Strictly controlled under special category data rules, requiring explicit consent or meeting a legal exemption under UK GDPR. |
What are some examples of neurodata and health data?
While neurodata and health data share some similarities, the context in which they are collected and processed determines their classification.
- A smartwatch tracking brain activity to measure stress levels → Likely neurodata.
- A medical EEG scan performed in a hospital for diagnosis → Health data (special category data).
- A meditation app measuring brainwave activity for relaxation → Likely neurodata, unless used for diagnosing medical conditions.
- A mental health app collecting emotional response patterns for therapy → Likely health data.
These distinctions matter because the level of protection required for health data is stricter than for neurodata, although DUAB does introduce new compliance obligations for neurodata processing. Companies working with neurodata will need to assess their data protection obligations, consent mechanisms, and security safeguards carefully.
How will the DUAB regulate neurodata?
While DUAB does not yet impose the same strict rules on neurodata as UK GDPR does on health data, the recognition of neurodata as a sensitive category suggests that additional protections may be required. This will likely mean:
- Informed Consent: Companies collecting neurodata may need to provide clear and specific consent options to users, particularly if data is used for AI-driven applications.
- Transparency: Businesses will need to explain how neurodata is collected, stored, and used, particularly in consumer-facing products.
- Data Minimisation: Organisations should ensure they only collect neurodata necessary for a specific purpose and avoid excessive data retention.
- Ethical Considerations: Given the intimate nature of neurodata, companies should consider ethical guidelines for its use, particularly in AI and automated decision-making.
What does DUAB mean for businesses handling neurodata?
With DUAB introducing neurodata as a distinct legal category, businesses handling biometric, brainwave, or cognitive tracking data should prepare for increased scrutiny. Key actions to take include:
- Conducting a Data Protection Impact Assessment (DPIA) to determine whether neurodata processing aligns with compliance obligations.
- Updating privacy policies to clarify how neurodata is collected and used.
- Implementing consent mechanisms that are transparent and user-friendly.
- Ensuring security measures such as encryption and access controls are in place for neurodata storage.
- Monitoring regulatory updates from the ICO or the new Information Commission, which will likely issue further guidance on neurodata compliance.