(5 years, 9 months ago)
Lords Chamber
My Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baronesses, Lady Jolly and Lady Thornton, for tabling Amendment 14 and raising the issue of the lawful and responsible processing of data. I start with an apology to the noble Lord, Lord Clement-Jones. My noble friend Lady Blackwood did write to the noble Lord, and I am sorry that he has not yet received the letter. We will endeavour to send him another copy as soon as possible.
As my noble friend Lord O’Shaughnessy said—and I reassure the noble Lord, Lord Patel, that—data sharing is a necessary and crucial aspect of maintaining effective complex reciprocal healthcare arrangements, and the Government are committed to the safe, lawful processing of people’s personal data. There are, as the noble Lord said, safeguards in place in respect of processing personal data for the purposes set out under the Bill, for which the Bill makes express provision. The Bill makes it absolutely clear that it does not authorise the processing of data that contravenes UK data protection legislation.
Data processing will be permitted only for the limited purposes set out in the Bill. Personal data will be processed in accordance with UK data protection law—as the noble Baroness, Lady Thornton, observed—namely, the Data Protection Act 2018 and the general data protection regulation, which will form part of UK domestic law under the European Union (Withdrawal) Act 2018 from exit day.
I assure the noble Lords, Lord Patel and Lord Clement-Jones, and the noble Baroness, Lady Thornton, that the Caldicott principles are an important part of the governance of confidential patient information in the NHS and a guiding mechanism for organisations in how they should handle confidential patient information on a practical level. The NHS is expected to adhere to these principles.
Since 1999, NHS bodies have been mandated to appoint a Caldicott Guardian. These principles are therefore ingrained in the current operation of the NHS and confidential patient data handled by the NHS for purposes in relation to reciprocal healthcare will be subject to these principles. The principles are consistent with the requirements of the GDPR and a breach of the Caldicott principles would most likely amount to a breach of the GDPR and the Data Protection Act 2018. The principles are not intended for statute but are of real practical and operational importance when confidential patient information is processed. This will be the case when confidential patient information needed for reciprocal healthcare arrangements is processed.
It is also worth noting that reciprocal healthcare arrangements will not normally involve the processing of confidential patient information, except in particular circumstances, such as facilitating planned treatment. However, where this information is processed through reciprocal healthcare arrangements under the NHS, it must comply with UK data protection legislation. NHS organisations, as they do now, will be required to adhere to the Caldicott principles. The data ethics framework that the noble Lord, Lord Clement-Jones, mentioned sets out collective standards and ethical frameworks for how data should be used across the whole public sector, as well as the standards for transparency and accountability when building or buying new data technology. Where the framework refers to personal data, it consistently cross-refers to the principles in the GDPR, which is the relevant legislation that policymakers must consider when processing personal data.
Personal data processed for the purposes of reciprocal healthcare arrangements would therefore also take into account the data ethics framework. In addition, from 1 April 2019, the National Data Guardian will be put on a statutory footing and will therefore be able to issue formal guidance and informal advice to organisations and individuals about the processing of health and adult social care data in England. This will provide patients statutory independent oversight of the use of health data, with health bodies being required by law to have regard to the guidance issued by the National Data Guardian. This is another way in which NHS organisations in England which are processing data in respect of reciprocal healthcare will be monitored and personal data can be further protected as necessary.
It is important to note that express reference to these principles in the Bill would not provide any additional protections for personal data or confidential patient information, as the standard of protections required is the same as the existing data protection legislation already provided for in the Bill. I am grateful to the noble Baroness, Lady Thornton, and others for their support in observing this. Furthermore, as I have said, these principles already apply to NHS organisations and will continue to do so in respect of reciprocal healthcare. As a result, it would be inappropriate to put these in the Bill and I am therefore unable to accept the amendment. However, the Government have listened carefully to concerns surrounding the list of persons who can lawfully process data as a part of implementing new reciprocal healthcare arrangements under the Bill and have tabled an amendment on this issue.
Currently, the list of authorised persons under the Bill includes the Secretary of State, Scottish Ministers, Welsh Ministers and a Northern Ireland department, NHS bodies and providers of healthcare. Of course, over time, public bodies change, are reformed and refashioned, and functions are transferred between them in consequence. Clause 4(6)(e) gives the Secretary of State the ability to respond to such changes so that systems can operate efficiently and data can follow in an appropriate and lawful way to enable such operation. We propose, however, subjecting any regulations that add to the list of persons authorised to process data for the purposes of the Bill to the draft affirmative procedure. This would allow Parliament the opportunity to scrutinise authorised persons handling personal data while ensuring that the Government have the ability to guarantee that future agreements are administered in the most efficient way possible.
The Government are firmly committed to the safe, lawful processing of personal data, and to ensuring that patients have enforceable protections under data protection legislation. I hope, given my assurances that any data processing under the Bill would comply with the Caldicott principles and the data ethics framework as appropriate, that the noble Lord will feel able to withdraw the amendment.
The noble Baroness, Lady Thornton, kindly mentioned the factsheet. Of course, if it is useful, we would be very happy to put this in the Library. Officials do a tremendous job and I am very grateful to them. I hope, with the assurance I have given noble Lords, and the fact we are providing greater scrutiny, that the noble Lord feels able to withdraw the amendment.
My Lords, that was exactly the kind of robust response from the Minister that I was hoping for. It is very rare that I listen to a government response and nod all the way through, so I thank her for that very careful response, both on the Caldicott principles and the framework for data ethics, and for going into the accountabilities, and the affirmative procedure guarantee at the end—that was a bouquet. It is not that we on these and other Benches do not understand the value of NHS data and the real importance of that balance. This is not designed as a negative approach to the use of NHS data; it has huge potential benefits, but we have to make sure that it is kept within that ethical framework. The Minister has demonstrated that that kind of culture is ingrained—or is certainly expected to be ingrained—in the NHS and that Caldicott Guardians, post 1 April, will be very much on the case. In those circumstances, with pleasure, I beg leave to withdraw my amendment.