My Lords, I thank the noble Lords, Lord Patel and Lord Kakkar, even though the latter is not here, for Amendment 22, the noble Baroness, Lady Jolly, and the noble Lord, Lord Clement-Jones, for Amendment 23, the noble Baroness, Lady Thornton, for Amendment 24, and the noble Lord, Lord Patel, for Amendment 25. Each amendment allows me to speak to strict data processing protections in the Bill.
As my noble friend Lord O’Shaughnessy said, data processing is an important element of operating effective complex reciprocal healthcare arrangements, such as the current arrangements we have with the EU. I reassure noble Lords that the Government are committed to the safe, lawful processing of people’s data in healthcare. Clause 4 provides a lawful basis for the processing of data in respect of future reciprocal healthcare arrangements that are outside the EU regulations mechanism. Data processing will be permitted only for the limited purposes set out in the Bill.
Under the Bill, personal data can be processed only in accordance with UK data protection law, namely the Data Protection Act 2018 and the general data protection regulation, which will form part of UK
domestic law under the EU withdrawal Act 2018 from exit day. The purpose of including data provision in the Bill is to provide a transparent basis for the processing of personal data for the purposes of funding or arranging healthcare abroad. That is it, my Lords.
On this point, I address Amendment 22, tabled by the noble Lords, Lord Patel and Lord Kakkar, which would limit the scope of personal data processed to data directly related to health. Although I appreciate the sentiment behind the amendment, it would unfortunately undermine the successful operation of reciprocal healthcare arrangements. Personal data is defined in the GDPR as data relating to a living person who can be directly or indirectly identified from that data. Examples include someone’s name, date of birth or residential address.
For example, the current European health insurance card scheme allows for UK nationals to access emergency and needs-arising care when travelling, working short-term or studying in the EU. To establish someone’s eligibility for an EHIC, we need first to establish that the person is living in the UK on a lawful basis and properly settled. Were persons authorised under the Bill unable to process data other than that strictly related to health, they would be unable to make the checks to ensure that those receiving healthcare abroad were entitled to it. Allowing authorised persons to process non-health-related personal data also ensures that we can prevent misuse arrangements and limit fraudulent activity.
The noble Lord, Lord Kakkar, and others, expressed concern at Second Reading that provisions in the Bill must not open the door to the mishandling of patient data. I believe that this is what Amendment 24, tabled by the noble Baroness, Lady Thornton, is intended to address. I absolutely agree with the sentiment. I should like to set out why we think that it would prevent the successful operation of future reciprocal healthcare arrangements. They are made possible by the close co-operation of different parties and bodies, such as the Department of Health and Social Care, commissioners of Her Majesty’s Revenue and Customs, Ministers of the devolved Administrations, healthcare providers and their opposite numbers in other EU and EEA countries. The Bill is about the provision of healthcare. It must include all possible healthcare providers who may provide NHS care in the UK in the list of those with authority to process data for the purposes of implementing arrangements under the Bill—just under this Bill.
It is also worth reflecting on the place of healthcare providers in the current EU arrangements to illustrate the vital role that they play in both the commission and delivery of healthcare abroad. Currently, under the planned treatment route, known as the S2 route, a UK resident may decide to seek planned treatment abroad. As part of the procedure, the UK resident must visit a healthcare provider in the UK to have such treatment authorised. The clinician will provide written evidence that the person has had a full clinical assessment, which must clearly state why the treatment is needed in the person’s circumstances and what the
clinician considers to be a medically justifiable period within which they should be treated—again, based on their circumstances.
Under existing arrangements, this function can be served only by a medically trained healthcare provider. This paperwork is then passed to NHS England or the comparable authority in the devolved Administration—that answers a point made by the noble Baroness, Lady Finlay—for processing. Many of these persons are provided for by Clause 4(6)(b), which refers to NHS bodies. However, some NHS services in England are provided by non-NHS bodies, as was rightly pointed out by my noble friend Lord O’Shaughnessy. For example, some primary care providers, such as GPs, may not be captured by this list of NHS bodies. However, they could be involved in pre-authorisation for planned treatment and so would need to process data in that regard. Such providers not also being termed “authorised persons” may limit what reciprocal healthcare arrangements we could implement under the Bill; it could even prevent us fully implementing an agreement. Under existing arrangements governed by EU regulations, some private providers in the UK already process patient data, which is perfectly legal and proper. Of course, data protection safeguards apply to private providers too.
To further allay any other fears, I remind your Lordships that this clause contains protections to guard against any misuse of data. The persons who can process data for the purposes of the Bill are limited to “authorised persons”—quite rightly, as the noble Lord, Lord Patel, said. The list of such persons can be amended only by way of statutory instrument; the term cannot just be given automatically to anyone. The Government included a delegated power in Clause 4(6)(e) to amend this list because future arm’s-length bodies may need to process personal data to enable reciprocal healthcare arrangements to operate effectively. Amendment 25 in the name of the noble Lord, Lord Patel, would limit that ability. I appreciate that that is out of concern for the safety and security of patient data—a sentiment I share totally—but the amendment would undermine the successful operation of future reciprocal healthcare arrangements.
As the noble Lord knows, the existing reciprocal healthcare arrangements are part of a complex web of systems. They rely on the well-spirited co-operation of a number of parties and bodies, which share accurate and relevant data in a prompt fashion. That extends from patients themselves all the way up to healthcare providers and public sector administrators. In time, public bodies change: they are reformed and refashioned, and functions are transferred between them in consequence. Clause 4(6)(e) gives the Secretary of State powers to respond to such changes.
Again, I assure the Committee that the Government are committed to the safe, lawful and responsible processing of people’s data, both now and in future. In doing so, I address Amendment 23 in the names of the noble Baroness, Lady Jolly, and the noble Lord, Lord Clement-Jones, which honourably seeks to include further principles for the safe processing of data in the Bill. As the noble Baroness, Lady Jolly, and my noble friend Lord O’Shaughnessy noted, the Caldicott principles
and the Government’s Data Ethics Framework are admirable standards to apply to the handling of patient data. Both of these non-legislative frameworks are in line with the Data Protection Act and the GDPR, which are enshrined in the Bill.
As has been said, data processing is an important element of operating effective complex reciprocal healthcare arrangements, like our current arrangements with the EU. Before I move on, I will answer a couple of the questions asked by the noble Baroness, Lady Thornton, about the Commons data briefing. I understand that officials met Julie Cooper MP, although I am not clear about the written briefing. However, I will pass the issue on to the Minister and bring it to his attention.
I have already covered data protection in the devolved Administrations, which would have to apply under both the GDPR and the DPA 2018. Of course, I would be happy to meet noble Lords should they wish to discuss those issues any further. My noble friend Lord O’Shaughnessy is right to say that we cannot enter into reciprocal agreements if the other country does not meet our data protection standards.
In the light of the assurances I have given and the safeguards in place to protect people’s information, I hope the noble Lord feels able to withdraw his amendment.
10 pm