
> is it just more unlawful data collection in the UK?

What makes you think any of this is 'unlawful'?



It's surely on shaky ground. The GDPR rules are still the main ones that will apply at present, and those require stronger protections by default for sensitive types of personal data such as health data. A massive data lake like this with such a generic purpose and an opt-out permission scheme is obviously not in the spirit of those protections. For it to be permitted by the letter of the law, the government will have to rely on one or more of the specific provisions relating to public health or the like, and given that even those still have quite a lot of specific compliance requirements, it's not immediately obvious to me which one(s) would allow something as broad as this.

Obviously under our political system the government can legally do whatever it wants if it can get a law through Parliament to say so, but to achieve that they'd have to be open about what they're doing and convince enough MPs and Lords that it's justified.


I had a check and it looks like the law was passed in 2012[1]. They say that gave them a legal responsibility to hold clinical information; combined with instruction from government, that should be enough for this to fall under another basis in GDPR without consent being required. Not saying it's right, especially with the risk of the data being shared further once they hold it, but it'd probably be difficult to challenge.

[1] https://digital.nhs.uk/about-nhs-digital/our-work/keeping-pa...


Yes, that is probably the relevant national law for NHS Digital itself.

Then presumably they're relying on GDPR points 9(2)(h) and 9(2)(i) with reference to that national law to argue that the default prohibition on processing health data in paragraph 9(1) doesn't apply.

And then they've got public interest/official authority under 6(1)(e), or perhaps compliance with a legal obligation under 6(1)(c), as a lawful basis.

But all of that just means the processing wasn't automatically prohibited under the GDPR. All the normal rules including the principles set out in Article 5 still apply as well, and those principles include purpose limitation, data minimisation, storage limitation, and integrity and confidentiality. There are also some specific obligations around professional secrecy under Article 9 because it's health data.

Given the extremely broad scope of the intended data lake here, the ambiguity about who might end up with access to it, and the extremely sensitive nature of the data, I don't think I'd want to be the one defending NHS Digital when the seemingly inevitable ICO investigation comes.


Well, it was meant as a question, but I can see it came out as an accusation. After having read about the unlawful GCHQ data collection court case the other day, and then this article saying that this is "unwarranted, unparalleled in its scale and implications and quite possibly unlawful", I arrived at unlawful. Especially as this seems to go back quite some years in different forms, and I'm quite positive that the EU (GDPR etc.) would not like this. But I'm neither a lawyer nor do I live in the UK (though I do have family in England, so I follow the happenings more than most foreigners, I guess).



