Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023

My Lords, to make sure that all noble Lords have the right version of this SI, I draw attention to the correction slip amending two points:

“Page 3, regulation 5(3)(a): omit ‘annual’; and Page 22 … paragraph 63(a): ‘…paragraph (b);’ should read ‘…paragraph (a);’.”

These regulations are intended to transfer the statutory functions of the Health and Social Care Information Centre, which operates as NHS Digital, to NHS England, and to abolish NHS Digital. This will create a central authority responsible for all elements of digital technology, data and transformation for the NHS, which was a key recommendation of the review by Laura Wade-Gery into how we can improve the digital transformation of the NHS. The recommendations were accepted by the Government in November 2021; we announced that we would merge NHS Digital into NHS England as soon as legislation allowed.

I know that noble Lords had concerns about this transfer during the passage of the Health and Care Bill last year, which we have sought to address. I will also seek to address the points raised by the report of the Secondary Legislation Scrutiny Committee, which are echoed in the regret amendment tabled by the noble Lord, Lord Hunt.

First, I reassure this House that the transfer will not weaken the existing protections of people’s data and that the protection of data remains a priority for NHS England, which at senior levels takes these new responsibilities very seriously. All statutory functions of NHS Digital relating to the protection of data are being transferred, including the rules and safeguards required by law. This has been a guiding principle. NHS England will be subject to the same rules on collecting and disseminating data as are applied to NHS Digital.

NHS England can establish an information system only when directed by the Secretary of State or in response to a request from another body. All directions and requests that NHS England complies with must be published, so there is full transparency on what is being collected and for what purposes, and a clear upfront control. It cannot exceed the requirements of the direction or request. It must also publish its procedures for receiving and considering requests to establish information systems and for requests to access data. NHS England will report annually on how effectively it has discharged its transferred data functions, seeking independent advice to inform this report and consulting with the National Data Guardian for their views.

Concerns were raised during the passage of the Bill that we would lose the excellent practice that NHS Digital has followed in protecting people’s data and the crucial separation between those responsible for collecting and de-identifying data and those in NHS England analysing it. We therefore committed to place further requirements on NHS England, alongside the transfer of statutory functions, to ensure it would be a safe haven for data via statutory guidance. This is a new requirement.

This statutory guidance sets out measures that we expect NHS England to protect confidential information. There was some disquiet that the guidance did not seem to go far enough and that we had not added new duties to the regulations. This was not considered necessary; this is a straightforward transfer of functions under a legal framework which goes back to 2012 and has stood the test of time. That framework includes duties under the 2012 Act to have regard to various matters such as the need to respect people and promote the privacy of service users.

Additionally, we will issue statutory guidance, and I will come on to its contents in a moment. NHS England must have regard to this guidance; that means that it would have to demonstrate that it had justification for any decision not to follow it. Case law has shown that clear and cogent reasons would be needed to depart from guidance which is subject to a statutory duty to have regard. However, we have added strength here, as there is also a new power of direction, introduced in the Health and Care Act 2022, which could be used in cases of non-compliance with the guidance—namely, in Section 13ZC of the NHS Act 2006. Together, these mechanisms create a strong, binding commitment on NHS England to maintain the highest levels of data protection and safeguards.

NHSE is a long-established public authority which is experienced in processing personal data, including that of patients and employees. It does so in accordance with a robust legal framework which includes UK GDPR and the Data Protection Act. The lawful and proper treatment of personal data by NHS England is extremely important to maintain the confidence of service users and employees, and NHS England is well versed in processing personal data lawfully and correctly. It is aware of the importance of seeking independent advice and will be able to do so where necessary, including on the recommendation of staff transferring from NHS Digital. NHS England will also be able to approach the Information Commissioner’s Office as the independent regulatory body if it needs an independent view on particular matters.

I also reassure noble Lords that this statutory guidance covers all confidential information as defined in Section 263(2) of the 2012 Act. Therefore, it covers all data identifying an individual and all data identifying an individual which is subsequently identified or pseudonymised where an organisation, including NHS England, holds both the de-identified data and other data which would enable reidentification.

The guidance requires NHS England to obtain independent expert advice on its data access processes and procedures and, where appropriate, on individual decisions around data access. This will enable these experts to provide advice and assurance for both external and internal requests for access to data for purposes other than direct care. NHS England will be required to secure this independent advice or have a very good reason for not doing so. It is not optional or a case of doing so only when convenient.

Central to this should be a data advisory group, comprising appropriate experts and lay members, including one or more members with expertise in social care. This last point is not currently spelled out by the draft guidance, which we will amend. It would be appropriate for some internal representation to support this group to add expert knowledge and insight, such as the organisation’s Caldicott Guardian and data protection officer. However, the majority of members should be independent advisers. Minutes of the data advisory group meetings should also be published.

I know that some noble Lords have been concerned that NHS England will receive data which is still identifiable and which NHS Digital would previously have de-identified before sharing. The statutory guidance requires that the organisation will de-identify data before its internal analysis and use—the same role which NHS Digital undertook previously will be done internally, by a team separate from those who need to use the data. It explicitly states that responsibilities and accountabilities for using the data should be organisationally separate from the functions providing assurance and advice on this, such as information governance and Caldicott Guardian functions, to ensure that there are no conflicts of interest.

NHS England must ensure that there is the right governance for considering internal requests to access data, based on the same principles of risk-based assessment as for external requests for data, and drawing on the same independent scrutiny and advice. Furthermore, the Secretary of State will issue a direction in relation to NHS England’s internal use of data, which will be published. This will make clear the legal responsibility for NHS England to de-identify data before analysis, so that an individual cannot be directly identified either from the data to be accessed or analysed from the results of the analysis carried out. The guidance also calls for NHS England to develop a register of internal data uses mirroring that which currently exists for external data uses.

In response to the concerns of the Secondary Legislation Scrutiny Committee, although we are moving at pace, we are doing so because we are keen to see the benefits of creating a single statutory body responsible for data and digital technology for the NHS delivered quickly. The statutory guidance has been neither rushed nor piecemeal in development. The guidance has been in development for a number of months; a version was shared with some noble Lords and stakeholders before Christmas, and we have been discussing it with stakeholders—including the National Data Guardian, the Information Commissioner’s Office, NHS Digital and NHS England—revising it to reflect their comments and strengthening the requirements on internal use of data, which was a predominant concern.

We have now published the second draft, which we have drawn to the attention of noble Lords. This was also shared with the Secondary Legislation Scrutiny Committee and the British Medical Association and other professional organisations, to seek their feedback. I am sorry that we did not share the guidance before with the BMA.

8 pm

Since the merger of NHS Digital with NHS England was announced in November 2021, the BMA has not raised any concerns with the department, and, as noble Lords will realise, NHS Digital liaises with the medical profession in relation to specific projects involving data of which it may be the controller.

It is not essential that the guidance is agreed for 1 February, provided it is finalised within a reasonable time following the transfer, as there will be a period while existing arrangements continue while NHS Digital and NHS England integrate. We have some time to make sure we get it right while still aiming to publish the guidance reasonably close to the transfer date. I would note also that we have been discussing the expectations that the statutory guidance will sit with NHS England for some time, to ensure that as far as possible, from day one, the organisation is able to adhere to the guidance, which builds on the good practice of NHS Digital.

I can reassure noble Lords this change will not diminish existing safeguards or standards of governance of patient data. I would also highlight that NHS England, as the body very much responsible for the running of the NHS in England, is used to dealing with sensitive and confidential information, and meeting the highest standards of governance. We will, of course, keep this transition and the statutory guidance under review, and I am happy to commit to making public the findings of our review.

I trust I have provided reassurance that this statutory instrument, with accompanying statutory guidance, keeps in place the many safeguards which ensure people’s data is safe and makes new statutory requirements. I commend these regulations to the House.

Amendment to the Motion

About this proceeding contribution

Reference: 827 cc279-283

Session: 2022-23

Chamber / Committee: House of Lords chamber