My Lords, I want to ask about the information gateway provisions, and in particular Amendments 8 to 11. These are very substantial and intrusive new powers introduced at a very late stage of the Bill. Will the Minister elaborate a little on the justification for introducing them and why they were not thought of at an earlier stage of the Bill, even before Committee? They seem very wide, talking about the disclosure of information,
“for the purposes of the exercise of any function of the Director”.
Like my noble friend Lady Hamwee, I would be interested to know whether the Information Commissioner has given advice. If so, will the Minister share that advice and assessment with us? There is a need for safeguards to match the breadth and depth of the powers. It strikes me that, while mention is made of the Data Protection Act and the Regulation of Investigatory Powers Act—which is not quite RIP—there is, of course, a new EU regulation on data protection that will be directly applicable and therefore will not have to be transposed into an Act of Parliament. Have these powers been health-checked against the new regulation, which may be somewhat tighter than the Data Protection Act in certain areas?
I want to ask specifically about medical confidentiality. In Amendment 9, which introduces a new clause after Clause 5, subsection (1) says:
“A disclosure of information … authorised by section (Information gateways) does not breach … an obligation of confidence owed by the person making the disclosure”.
Since health bodies—NHS trusts, the Care Quality Commission and so on—are on the list for information sharing, this obviously raises the question of whether medical information is going to be covered, which is likely.
There do not seem to be any similar provisions to those in new subsections (5), (6), (7) and (8) of the new clause in relation to intelligence information and information pertaining to HMRC, where there is an obligation not to disclose information,
“without authorisation from the appropriate service chief”,
or “from HMRC Commissioners”. There does not seem to be anything comparable for medical data. Clearly, these are sensitive personal data for which a higher level of stewardship is already required under the Data Protection Act, and even more so under the new EU regulation. I would like an assurance that these provisions have gone through the filter of the ICO and the new EU regulation.