My Lords, I thank Ministers, officials and other Peers, including my noble friends Lord Clement-Jones and Lady Walmsley, and the noble Lord, Lord Hunt of Kings Heath, and the noble Baroness, Lady Finlay, for the discussions that we have had since Committee. I am particularly grateful for the letter from the Minister late yesterday and the meeting this morning.
I have laid Amendment 60, and I support Amendment 116, tabled by the noble Lord, Lord Hunt, which try to protect only the lawful disclosure of personal patient data. For the purposes of the debate on this group, can we accept that this is shorthand for the confidential personal and medical data currently mainly held by GPs and hospital doctors in England? Amendment 60 would provide that protection in legislation and was laid only because we have not yet had a clear response from Ministers on what is permitted and what the existing rules will be relation to ICBs taking over responsibilities from CCGs because ICBs are new bodies. This is in the light of new Section 14Z61. At Second Reading and in Committee, noble Lords expressed concerns that this new section, which outlines ICBs’ permitted disclosures of information, looks very wide ranging and could, for example, enable a police officer, or another person from a public body, to demand the disclosure of a patient’s personal data.
The new section uses the phrase that ICBs can disclose data where
“disclosure is necessary or expedient”
for the person making the request, but nowhere does it explain how the decision is made by the ICB or what the decision-making process is to release the data and, importantly, where the protection of that personal data sits in the hierarchy of the request of necessary and expedient demands. I have asked repeatedly how this process would work, and in responses at the Despatch Box, in meetings and in letters I have not really had a response that has laid out simply and clearly how this process would work. I shall therefore ask the Minister the following questions in an attempt to clarify how a patient’s confidential personal data will be protected and what the process would be for it to be released to a person making a request. What rules and guidance are available for staff, including those in ICBs, to manage a request from a non-NHS person requesting information other than through a court order? How would it be processed and reviewed? ICBs would not normally be the holder of such data, and new Section 14Z61 does not set out the balance between the rights of the patient and those of the requestor who believes they have a necessary or expedient reason for being sent this data.
We wish to be confident that the structures are in place for when shared care records come into force. Let me be clear: from these Benches, we welcome the principle of shared care records, but the processes need to be in place to ensure that personal data is protected when every part of NHS England would have access to that data. I raise this particularly because just this week Health Service Journal stated that the
Secretary of State is speeding up the shared care records project to be complete and implemented by December 2023.
Can the Minister therefore commit that the powers in Section 14Z61(1) will be constrained such that for requests of disclosure that come from outside the health and care system, the ICB will only ever disclose the direct care providers the requester could ask instead? Can he confirm that if an ICB is to become data controller for shared care records, he will return to this clause with primary legislation on such implementation?
I am very grateful for the discussion with Ministers and officials and hope that the Minister will be able to provide your Lordships’ House with a response that demonstrates that patient, personal and confidential data remains secure. I look forward to his response, and I beg to move.