My Lords, I beg to move Amendment 22 and will speak to Amendments 48, 54, 61, 64, 68 and 71, which all cover doctor-patient confidentiality in Clauses 7 to 17 in Part 2, Chapter 1 of the Bill.
I particularly thank the General Medical Council, the British Medical Association, the British Psychological Society and the British Association for Counselling and Psychotherapy for their briefings. I also thank the noble Lords, Lord Patel and Lord Ribeiro, who have added their names to these amendments. Their knowledge of and expertise in the regulatory and practical reality of doctor-patient confidentiality is especially welcome. Bluntly, the requirement for a specified authority to hand over data to police and other bodies, as set out in the Bill, is in conflict with the requirement of doctors and those working with patient data to maintain doctor-patient confidentiality.
It is particularly disappointing that the issues I will raise, which I also raised at Second Reading, were covered in the GMC response to the government consultation on a public health response to serious violence in 2019. Unfortunately, not one of the serious issues the GMC raised has been dealt with since then, which makes me wonder if this is deliberate. I hope the Minister will be able to demonstrate that that is not the case.
Our amendments seek to protect a patient’s data as confidential to them and the healthcare professionals who look after them. Amendment 22 adds to Clause 7 to make it clear that, regardless of any other data from other public bodies, patient medical data is protected by rules of confidentiality. Amendment 48 adds the same provisions to Clause 8, Amendments 61 and 64 add these to Clause 15 and Amendment 68 adds them to Clause 16. Amendment 54 deletes CCGs and health boards in Wales from the list of specified authorities, thus removing entirely the duty on them to be part of the regulations in this Bill. Finally, Amendment 71 reiterates these exclusions from the powers that Clause 17 gives the Secretary of State on the direction of CCGs and health boards in Wales.
It is quite extraordinary that this Bill proposes that any Home Secretary can, at will, demand that doctors and other healthcare professionals must breach patient confidentiality, over and above their responsibilities of confidentiality to their patients and their commitments to their regulatory body. Part 2, Chapter 1 of the Bill, on functions relating to serious violence, would introduce a new legal duty for the relevant agencies
“to collaborate, where possible through existing partnership structures, to prevent and reduce serious violence”.
If enacted in its current form, the Bill, particularly Clause 16(5), may mean that health services are no longer confidential. I hope this is unintended.
The Bill explicitly sets aside the common law duty of confidentiality owed to all patients by all regulated health professionals. This will undoubtedly raise questions and concerns in the minds of doctors, who understand their responsibilities around patient confidentiality as a fundamental, ethical duty which is crucial to upholding the trust that lies at the heart of doctor-patient relationships.
Elsewhere, in countries where healthcare services are not seen as confidential, and where there is a resulting lack of trust in healthcare professionals appropriately protecting as well as sharing information, there are real consequences for the health of individuals, communities and wider society. The public health implications of individuals and communities not interacting with healthcare services and professionals are particularly urgent and concerning in the context of the ongoing global Covid-19 pandemic. Unfortunately, as drafted the Bill carries these risks.
This is not just a concern for doctors. If you stopped anyone in the street and asked them if the personal medical information they discuss with their doctor at their GP surgery or at a hospital could be passed on to any other public body, including the police, they would be astonished. The one thing they know, they say, is that doctors—which is shorthand for healthcare service professionals and their staff—absolutely have to keep their personal medical data confidential. The problem is that it is not clear in the Bill whether sensitive health information is properly protected from inappropriate disclosure to policing bodies. This is worrying on two levels. First, the data is still subject to the requirements of data protection law. Also, any decision to disclose personal medical data must take account of the common law duty of confidentiality owed to patients by their health professionals, however that information is held.
Healthcare professionals, including doctors, also have to respond to the ethical standards set by their regulatory body. As drafted, policing authorities can request patient information, including identifiable information, which clinical commissioning groups and health boards in Wales must provide to them. Whatever the merits of this requirement, CCGs and Welsh health boards can share identifiable patient information only if that information has, in turn, been actively shared with them by the health professional who holds that patient data.
Professional standards, as regulated by the General Medical Council and the Nursing and Midwifery Council, among others, mean that doctors and other healthcare professionals are able to release confidential patient information, in this case to a CCG or health board,
where one of the following conditions is met: the patient gives their consent; the doctor judges that it is in the best interests of the patient to do so; the law requires them to disclose, which would not be the case here; or they judge that the common-law test for disclosure without consent would be met. The GMC guidance to doctors, Confidentiality: Good Practice in Handling Patient Information, is very helpful in setting out where these boundaries lie, but makes it clear that it must be the decision of the individual doctor because, rightly, the natural assumption must be that personal patient data must be kept confidential.
The Minister may argue that the organisational duty to share information with a police authority or individual police officer would not impose a duty on an individual health professional to make a disclosure to the CCG or to health boards in Wales. That is a fallacy. I have a word of warning for the Government: imposing the duty on CCGs and health boards will not make it easier for identifiable patient information to be readily obtained by a policing body. That is because all staff in CCGs, health boards and GP surgeries, as part of their admin, and hospital staff who are not regulated but are part of a healthcare team are also subject to confidentiality duties as part of their employment contracts. They access patient records as part of their role and, in so doing, they will have to comply with the Data Protection Act and those contractual obligations about ethical confidentiality. This means that even if the common-law duty to protect confidentiality is not part of their contract, because they are not regulated, the relevant staff member, at whatever level in the organisation, would still have a duty to comply with the request from a policing body. If the Bill were to pass unamended and, say, CCGs and health boards decided to abide by the law under the Bill, could they put pressure on staff to release those records that they have accessed by virtue of their role that breaches GDPR?
I have some questions for the Minister, to better understand how the Bill will not destroy the confidentiality of patient data. Will its provisions mean that authorities such as CCGs and health boards in Wales—and integrated care boards, following the passage of the Health and Care Bill next year—will no longer owe a common-law duty of confidentiality to their patients, clients and service users? Will this mean that health services are no longer confidential services? If a duty to provide identifiable information to policing bodies is introduced, what provisions will be made for possible recourse for a patient or service user who finds out that their confidential information was shared with the police and considers that they suffered some unfair or unjustifiable detriment as a result? Will this be dependent on them being able to make a claim that GDPR obligations had not been met by the data controller? Most importantly, what independent safeguards, such as court orders or use of the court, are available to stop or limit the sharing or use of personal information?
Will the Government remove provisions that state that disclosures of information to the police would not breach that duty of confidentiality owed by doctors and others to patients, clients and service users? Will the Government instead work with the professional regulation, with the profession, with patient groups
and others to create statutory guidance to support any new duty to collaborate? If the Government seek to retain provisions which require specified persons to share information, would anonymised information be sufficient? Will the Government commit to amending the Bill to provide that policing bodies can only request anonymous information?
I appreciate that the Minister might not have all the information in front of her to answer these questions, so will she write to me with the answers and have a meeting with me and the noble Lords, Lord Patel and Lord Ribeiro, who have added their names to these amendments? I know that the noble Lord, Lord Ribeiro, apologises for not being able to be in his place this afternoon. I beg to move.
5.15 pm