My Lords, I wholeheartedly support the amendments tabled by the noble Lord, Lord Freyberg, to protect the healthcare data generated by the NHS as well as the safety and rights of the patients and citizens it exists to serve. I commend the way in which he introduced these amendments.
I have spoken on Second Reading and earlier in Committee about the need for data adequacy to ensure that personal data transfers to third countries outside the EU are protected in line with the principles of the GDPR. By the same token, we must protect NHS data, especially given the many transactions between technology, telecoms and pharma companies concerned with NHS data. Harnessing the value of healthcare data must be allied with ensuring that adequate protections are put in place in trade agreements if that value is not to be given or traded away.
Amendments 71 and 72 would introduce clauses to the Bill to help guarantee patient safety where the data-driven medicines and medical technologies feature in a trade agreement. These are products and services that are bound to grow in number and novelty in the future, as a direct result of both the ongoing Covid-19 health emergency and the accelerated use of new technologies. Given the number of healthcare-related amendments that have been discussed in Committee, it is very clear that there are fundamental concerns about protection of the NHS and the safety, efficacy and cost of the healthcare services that it delivers. There is the potential for the Government to lose control at precisely the moment they propose to take it back. That is why I have put my name to, and support, Amendments 71 and 72.
In July, in the case of Schrems II, the European Court of Justice ruled that the privacy shield framework, which allows data transfers between the US, the UK and the EU, is invalid. That has been compounded by the recent ECJ judgment this month in the case brought by Privacy International. In future, data exporters will have to rely on standard contractual clauses. Relying on standard contractual clauses in healthcare is simply not acceptable. Relevant to Amendment 72 in particular, there is a common assumption that, apart from any data adequacy issues, data stored in the UK is subject only to UK law. This is not the case: in March 2018, the US Government enacted the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, which allows law enforcement agencies to demand access to data stored on servers hosted by US-based tech firms, such as Amazon Web Services, Microsoft and Google, regardless of the data’s physical location and without issuing a request for mutual legal assistance. In practice, data might be resident in the UK, but it is still subject to US law.
Data cannot, therefore, simply be considered UK sovereign, and it is notable that Amazon Web Services gave a full response to more than 1,259 subpoenas, search warrants and court orders between January and June of this year. AWS’s own terms and conditions, which form part of its agreements with the UK Government, do not commit to keeping data in the region selected by government officials if AWS is required by law to move the data elsewhere in the world. Key and sensitive aspects of government data, such as security and access rules, usage policies and permissions, may also be transferred to the US without Amazon having to seek advance permission. Similarly, AWS has the right to request customer data and provide support services from anywhere in the world.
The Cabinet Office Government Digital Service team, which sets the Government’s digital policy, gives no guidance on where government data should be hosted. It simply states that all data categorised as official—the vast majority of government data, but including law enforcement, biometric and patient data—is suitable for the public cloud, and instructs its own staff simply to use AWS, with no guidance given on where the data must be hosted. The cost of AWS varies widely, depending on the region selected—and the UK is one of the most expensive regions. Regions are physically selected by the technical staff, rather than the procurement team or the security team. I should say that Amazon Web Services has a contract with NHSX, so that should be set in this context.
The free flow of data across borders, in principle, is of crucial importance, as the noble Lord, Lord Freyberg, said. However, I hope this example illustrates that control of policy and regulation as to what that data is and who it is shared with should be retained by the UK Government. In fact, that is not even enough existing control over government data. In particular, retention of control over health data, health service planning, and research and innovation is vital if the UK is to maintain its position as a leading life sciences economy and innovator. That is what these amendments would ensure.