My Lords, this group covers issues relating to health and care data. I will speak to Amendments 45, 49 and 50. The Government are fully committed to the principles of the care.data programme and to the core principles that underpin its use, namely: to promote transparency in the quality of health and care services while at the same time protecting privacy and confidentiality; to promote health and care research; and to better integrate health and care services.
The data collected across health and care in England are the envy of the world. The care.data programme offers the ability to link existing data securely and safely in order to produce information that can save lives, quickly find new treatments and cures, and support research to benefit all of us.
I say at the outset that, in my view, the care.data programme is very good news and offers a great deal to help improve our country’s health and care system. However, in order to realise its huge potential, patients and professionals must have absolute trust in the way that data will be protected and used together with an understanding of why collecting data on such a big scale is important .
5.15 pm
The care.data programme has been the subject of much discussion and debate in recent months, with concerns expressed by patients and professionals that insufficient assurances have been given about who would have subsequent access to the data once they had been collected by the HSCIC, the information centre, and how it would be used. My department and NHS England are continuing to engage with people in order to listen and respond to these concerns. In March my right honourable friend the Secretary of
State announced a package of measures to enhance the protection of people’s data. Some of these measures would be given effect through the amendments I will speak to, and NHS England is now conducting a minimum of six months of engagement with stakeholders to listen to their concerns, to consider and debate these openly and to develop its response.
Before I turn to the amendments I will clarify several misapprehensions about the nature of the care.data programme and what it will mean for how data will be used. It is important to frame the debate in its proper context by being absolutely clear about how information may or may not be used in the current and proposed legislative framework.
The 2012 Act provided the information centre, the HSCIC, with new powers to collect information. These new powers laid the foundations for the care.data programme and provided the basis for the unprecedented opportunity we now have to use information to improve care and treatment. What the 2012 Act did not change, and what will not change under this Bill, is that whenever the HSCIC or any other body shares information that names an individual or from which an individual’s identity could be ascertained, there must be a legal basis for it to do so. It is important to stress that nothing in this Bill, the 2012 Act or anything we are seeking to do outside of it will create any automatic entitlement to receive information of this kind from the HSCIC. We have no intention of allowing that.
I stress this point in particular, as I understand that it has been the subject of some confusion. There is already a strong legal framework protecting the confidential and identifiable data held in people’s health and care records, not just the information held by the HSCIC but more generally. The Data Protection Act, which implements the EU data protection directive into UK law, provides powerful protection of information about living individuals. To summarise what is a lengthy and complex provision, it requires all such data to be anonymised except where there is good reason to the contrary.
It remains the case that the Data Protection Act continues to offer strong protection of personal data. There are criminal and civil penalties, with the Information Commissioner’s Office in certain circumstances able to impose a civil penalty on a data controller of up to £500,000. The HSCIC already uses strict controls in line with the Information Commissioner’s Office’s published code of practice on anonymisation which relates to the Data Protection Act. For example, if there is any risk of reidentification, and there is a legal basis that enables the HSCIC to disseminate the information, the HSCIC will put a legal contract in place with penalties for any misuse of the information.
The 2012 Act built on the protections in the Data Protection Act for information handled by the HSCIC by introducing a raft of safeguards to balance the huge benefits that linking health and care data can bring while offering greater protection for people than was the case.
The Act provided that the HSCIC must not publish any information that it obtains in a form that would allow an individual to be identified—other than a health or care provider; for example, a GP. Furthermore,
the HSCIC must not disseminate information which could be used to identify an individual, unless there is a legal basis to do so; for example, because a person has consented to their information being shared or the requester of data has obtained approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002, which the noble Lord, Lord Hunt of Kings Heath, will, I am sure, remember. The Act also provided for greater transparency in the way in which the HSCIC exercises its functions, making its decisions to share information open to greater scrutiny than ever before, including a requirement to publish details of all the requests for information with which it complies and to publish a register containing descriptions of the information that it has obtained under the 2012 Act.
These safeguards have been further bolstered by a package of measures announced in March which, in addition to the amendments that I will speak to, reiterated the commitment previously made that, if a patient has concerns about his or her information flowing from their GP record to the Health and Social Care Information Centre, his or her objection will be respected. A key focus of NHS England’s engagement will be the operation of this opt-out process. We also committed to making regulations which would strengthen the rules around the use of pseudonymised data disseminated by bodies such as the HSCIC.
It is to this last point that I particularly draw the attention of noble Lords, for of course it is not just the protections and safeguards that we apply to the HSCIC that we must be concerned with if we are to win the trust of patients and professionals in the care.data programme; it is also the wider protections on the use and handling of data outside the HSCIC. Later in the spring, we intend to consult on regulations that would not only strengthen the rules around the use of pseudonymised data but create new safeguards around information sharing for commissioners, requiring pseudonymised data to be processed in “accredited safe havens” and clarifying the rules on when information about people in care, particularly the most vulnerable, must be shared. Of course, the Data Protection Act continues to offer a strong legal framework for the protection of personal data outside the confines of the care.data programme.
I shall be absolutely clear: no named or pseudonymised data may be shared by the HSCIC without a legal basis to do so, and this will not be changed by the care.data programme; the protections offered by the Data Protection Act will continue to apply to all personal data; the 2012 Act strengthened protections against the misuse of data collected by the HSCIC, and these protections will remain; the amendments I will speak to and the wider package of measures announced in March will further enhance the safeguards against the misuse of data; and it is equally important that protections are put in place to ensure that, once data from which the identity of a person may be ascertained have left the HSCIC, they are not misused. We are consulting on that issue.
I am confident that the amendments, taken with the other principles and measures that I have outlined, will give the public greater clarity and reassurance that
their data are safe. Amendment 45 contains changes to the Health and Social Care Act 2012 which, taken together, clarify when the Health and Social Care Information Centre may and may not release data. The amendment expressly prevents the information centre using its general dissemination power for the dissemination of anonymised and certain other information—for example, where the data are of poor quality—where there is not a clear health or adult social care or health promotion purpose; for example, for commercial insurance purposes. Health promotion purposes would include wider public health purposes such as research into environmental factors associated with asthma, or for healthy eating.
I am sure the House would agree that it is essential that this valuable data resource is available to support a broad range of health research. Amendment 45 clarifies that, in carrying out any of its functions, the information centre must have regard to the need to promote and respect the privacy of those receiving health services and other adult social care in England.
Amendment 45 also requires the information centre to take into account advice from the advisory committee that the Health Research Authority is required to appoint under paragraph 8 of Schedule 7 to the Bill. The advice from the Confidentiality Advisory Group—the CAG—will provide a new level of independent scrutiny of the HSCIC’s dissemination of patient information, or information which enables the identity of a person to be ascertained.
Amendment 49 would enable the Confidentiality Advisory Group to advise the information centre on the exercise of functions conferred in regulations under Section 251 of the National Health Service Act 2006, or more generally on decisions to disseminate information which could be used to identify individuals. Amendment 45 would require the HSCIC to have regard to that advice. We are putting in place a further raft of safeguards.
Amendment 50 provides the Secretary of State with regulation-making powers to set criteria to govern the advice that the Confidentiality Advisory Group gives to the Secretary of State, the Health Research Authority or the information centre, in carrying out their duties.
This provision is intended to enable regulations which would require that the Confidentiality Advisory Group considers the purposes for which the data will be used, the need to respect and promote people’s privacy, and whether patient consent could be obtained, or anonymised data used, to achieve the same purpose. The intent is also that the regulations would create a “one strike and you are out” deterrent to discourage the misuse of this kind of data.
Government amendments 45, 49 and 50 provide robust assurance that this kind of information may not be disseminated for purposes such as commercial insurance, or assessing an individual’s mortgage application, while ensuring that information may be disseminated to support research for health or care commissioning, for health and public health purposes, for medical purposes, or for other purposes relating to the provision of health care or adult social care or the promotion of health.
I hope that that rather lengthy explanation—for which I apologise—has served to clarify some areas of uncertainty and has reassured noble Lords of the intent of these amendments, which are wholly positive and helpful in the context of the public concerns that have been raised in this area. I beg to move.