That is an incredibly important point and it goes to the question that I was about to ask my noble friend. My reading of it is that it will not be possible for us to make reciprocal healthcare arrangements that involve the flow of data with another country unless we deem that country to be adequately complying with the GDPR. That is absolutely right and it is a high bar. It does not just provide a degree of regulatory compliance and standardisation; there are also international healthcare codes that underpin it, as the noble Baroness will know. It would be useful if my noble friend could confirm that, because it is clearly a really important point that will, in a sense, allay some of the fears that have been raised tonight about just how the powers in the Bill, once they extend beyond the European Union, Switzerland, the EEA and so on, might be used.
9.45 pm
Amendment 22, in the name of the noble Lord, Lord Patel, wants to insert “related to health” after “data”. Of course, it is completely understandable
why he would want that. It becomes slightly problematic because there are certain pieces of information that one would need about a person to reclaim information, or to have an exchange of funding for reciprocal arrangements, that do not necessarily relate to their health. Examples might be their name—that does not relate to their health—or the time they were in a country, to verify the fact that they are who they say they are and so can make a claim. I think that this kind of latitude is covered in the GDPR and that that provides the reassurance that this will not be misused, because we would not be able to strike an agreement with a country that was not applying the same standards to healthcare data—but there is a need for some non-health data to be processed as part of a reciprocal healthcare arrangement. That is why the broader definition is used. Another example might be the names of family members for a child—again to verify a claim.
The final element I want to speak to is that of non-NHS providers. This is rather important, because a number of non-NHS providers provide healthcare on behalf of the health system. It is not just the obvious ones that have been mentioned—I include GPs in that. It might also be private bodies carrying out NHS-funded care. A lot of diagnostic care is carried out by third parties. It might also cover providers of healthcare IT that records data. If we think of such systems as TTP, Cerner, Epic and so on that are used in hospitals, we would clearly want those bodies to be legally able to share that information. Of course, it needs to be connected with the healthcare purpose, but it is important that the Bill allows for that kind of latitude in a variety of ways, as I said. We must be absolutely clear—that is what I am seeking from my noble friend—that because of GDPR, because of the need and demand for adequacy on behalf of another country, a reciprocal partner, we would not be entering into the kind of arrangements that would bring the kinds of concerns that the public and, indeed, parliamentarians would have.