My Lords, I would just like to say a few words about this because I am very involved in the whole world of IT, personal data and identification and the issues around examining the data. One of the things that has become apparent to me is that if care.data is to be effective, public trust must be maintained in it—that is the core problem. It needs to be there so that we can do epidemiological studies, and to do those some information will have to be in the database—such as postcodes, so that you can look for clusters and so on—which will potentially allow people to be identified. Once you compare it and link it across to other databases, if you are looking for someone who is of a certain age, a certain health profile and in a certain area down to 100 yards, it is fairly easy to start working out who they are by cross-linking. However, it may be important to take that risk from time to time, as long as it is done properly. What we do not want if this is to work is for people to feel a need to opt out. You cannot do epidemiological studies if half the population decide they are going to opt out. It is essential that the public trust the database, trust that they will be protected as far as possible and trust that the information will not be misused against them. That is the core to getting this whole thing to work, and if you fail on that you have had it.
The noble Lord, Lord Lester, made a very good point about the human rights stuff being in there and that we have the Data Protection Act and all these things. The Minister also mentioned the Data Protection Act. However, there are some challenges with this. One of them is how you bring a case under the Human
Rights Act when a department or the health service is acting incorrectly. It is quite tricky; it does not happen overnight and you would be lucky to stop it. There are wonderful protections in the Data Protection Act but there is a certain amount of vagueness about exactly where the limits are and, worse still, it will all be changed this autumn or winter when the new European Parliament assembles. The proposals nearly got through before the coming elections. Under the digital single market agenda, a new Data Protection Act regulation will almost certainly come out of Europe somewhere towards the end of the year. That will have direct action in this country. We have no control over it as it is a European law that is directly effective in this country, and the Information Commissioner over here will be the person who will enforce it. We will have no say in whether it relaxes things too far or becomes too prescriptive in what it does. We cannot rely on it for certainty in the future