(5 years, 9 months ago)
Lords Chamber
My Lords, I shall speak to Amendment 22, in my name and that of the noble Lord, Lord Kakkar, and Amendment 25, which is in my name. Both relate to personal data, and seek assurance from the Government that, whatever processes are put in place, they will respect the need for confidentiality and trust. While I absolutely recognise the value of transferring individual health data when the patient is receiving treatment, and the need to do so, it is also important that the Bill provides powers to protect personal and health data.
Access to personal health data should be limited to healthcare purposes. Currently, the General Data Protection Regulation imposes restrictions on the transfer of data, which we may not have after we leave the EU. A separate issue is the definition of “authorised persons”, which, when they gave evidence, both the BMA and the Academy of Medical Royal Colleges referred to as a concern.
I am also unhappy about the mechanisms that will operate for patients to consent to having their data transferred. Amendment 25 refers to Clause 4(6), relating to data processing. It says:
“In this section—‘authorised person’ means”.
Paragraphs (a) to (e) then define who the authorised people might be. Amendment 25, which I tabled only to get an explanation from the Minister, suggests that paragraph (e) should be deleted. It says that,
“any other person authorised, or falling within a description of persons authorised, by regulations made by the Secretary of State for the purposes of this section”.
That sounds too wide to me. In this country we have clear protocols and guidelines about who should be transferring patients’ data and to whom. It is not to anybody not clearly defined as an authorised person. I beg to move.
My Lords, the NHS in England has a long history and a good record of data governance. In 1996, Fiona Caldicott was called in and asked to look at the whole issue of NHS data. It must be said that the data was not as digital then as it is now. Her review came up with a group of principles—I think there were seven—and that was then followed by Caldicott 2. More recently, there has been another look at NHS data and we are now down to three principles. It is not just the Caldicott guardians. When he was Secretary of State at DCMS, Matt Hancock announced the data ethics framework and then we had GDPR. There is a really rich background of caring for patients’ data.
The provisions in the Bill authorising the sharing of data appear wide—that is probably the best way to put it. Clause 4(1) provides:
“An authorised person may process personal data held by the person in connection with any of the person’s functions where that person considers it necessary for the purposes of implementing”,
the Act. The words,
“that person considers it necessary”,
are a very wide formulation for the exercise of a function such as this. They seem designed to make a challenge in court almost impossible.
Among others defined as an authorised person is a “provider of healthcare”, so the authority extends beyond the NHS to all organisations that provide NHS care but might not be NHS organisations. So it would include commercial organisations as well as public authorities. Can the Minister confirm this and give an example, to better understand how wide the scope is?
Moreover, it is left to bodies such as the NHS to define for themselves the level of staff who should have this degree of authority. Will the Minister confirm how data is handled with devolved states and within the island of Ireland? How are we intending to communicate clinical data with organisations in the EU, and in the rest of the world, once the Bill has been enacted? Are there issues about shared datasets? We are fairly confident about sharing research data, but clinical data will be absolutely key here.