Healthcare (International Arrangements) Bill Debate

Full Debate: Read Full Debate
Department: Department of Health and Social Care

Healthcare (International Arrangements) Bill

Lord Clement-Jones Excerpts
Moved by
14: Clause 4, page 2, line 38, at end insert—
“( ) The processing of personal data in accordance with subsection (1) must comply with—(a) the seven Caldicott principles outlined in the Caldicott Committee’s Report on the Review of Patient-Identifiable Information and subsequent reports;(b) the Government’s Data Ethics Framework.”
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I beg to move Amendment 14, and your Lordships will be pleased to hear that I will be brief.

During the passage of the Bill, considerable concerns have been raised by a number of noble Lords about the use and sharing of data within the NHS. It is a hotly contested subject, and one of the best briefings on it is from our Library, prior to a debate on 6 September initiated by the noble Lord, Lord Freyberg. It unpacks a number of the concerns and issues about data within the NHS, and I am sorry that I have been unable to be at Second Reading or in Committee to expand on some of those issues.

During our Select Committee inquiry into artificial intelligence, there were a number of witnesses who talked about the use of data in the NHS, and we drew a number of conclusions, namely that the data was not in good shape to be utilised for beneficial purposes such as research, diagnosis and screening. That is another issue, however; what concerns noble Lords is the question of sharing. Now that we have seen Amendment 1 pass, maybe we will deal only with countries where there is a level of data adequacy which gives us an assurance about the use of NHS data. As the King’s Fund said last year in its report, Using Data in the NHS:

“National policy has to keep a balance between responding to legitimate public concern about the security and confidentiality of data and enabling data to be shared and used by NHS organisations and third parties. It is also essential that NHS national bodies are transparent with the public about how patient data is used”.


It went on to suggest that the level of opt-outs for patients would be key to the quality and validity of future research, and that NHS England and NHS Digital should keep this under review. One of the issues in the NHS is that there are several organisations responsible for NHS data. It is not just NHS England, NHS Digital, the National Information Board and Public Health England. The Caldicott Guardian—the national guardian for health and care—has a responsibility as well. It is quite a disparate, rather balkanised issue.

I was reassured on reading what the noble Baroness, Lady Manzoor, had to say when she responded, as the Minister, to this set of amendments in Committee:

“Under the Bill, personal data can be processed only in accordance with UK data protection law, namely the Data Protection Act 2018 and the general data protection regulation, which will form part of UK domestic law under the EU withdrawal Act 2018 from exit day”.


I am not going to go into all the questions about data adequacy and so on. I take what she said as quite reassuring, but it was less so when she later responded to what was then Amendment 23—this amendment is identical. She said:

“I assure the Committee that the Government are committed to the safe, lawful and responsible processing of people’s data”.


However, she then said:

“As the noble Baroness, Lady Jolly, and my noble friend Lord O’Shaughnessy noted, the Caldicott principles and the Government’s Data Ethics Framework are admirable standards to apply to the handling of patient data. Both of these non-legislative frameworks are in line with the Data Protection Act and the GDPR, which are enshrined in the Bill”.—[Official Report, 19/2/19; cols. 2261-63.]


That is not unequivocal in terms of those standards applying. As the Minister knows, we discussed this between Committee and Report. I had hoped to receive correspondence from her, but sadly I have not done so. She may need to repeat whatever text of the letter she may be able to find in her outbox. I hope she can give the House reassurance that the national data ethics framework and the Caldicott principles will apply to any sharing of data. The data ethics framework is a cross-government standard, of course, but the Caldicott principles are specific to the NHS. It is important to make sure they apply both domestically and internationally.

Lord O'Shaughnessy Portrait Lord O'Shaughnessy
- Hansard - - - Excerpts

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for giving the House the opportunity to talk about this issue again. He has been deeply involved in this topic and, as he said, I spoke on it in Committee. Compliance with this country’s very robust data protection rules is critical in general and particularly important in healthcare. This was discussed in the debate instigated by the noble Lord, Lord Freyberg; it has been a topic of conversation in this House, both in and out of the Chamber, on many occasions.

The noble Lord talked about the number of bodies that have some responsibility: he called it balkanised. It is important that we do not create a balkanisation in the law, even if a small one is in operation. One set of law should take precedence over all data protection, security and connected issues. That is, and should be, the Data Protection Act 2018. This means that there are operational guidelines, frameworks, principles and so on about how these ought to operate within individual contexts. That is precisely where the Caldicott principles come in. They take a general piece of legislation and translate what good practice in interpreting it ought to mean in a health setting. In that sense, it is important to say that we should not put those principles in a legislative setting. They are interpretive of the core, primary legislation and may need to change over time. They may need to adapt; there may be an eighth principle as we get into interesting questions about the value of data and so on.

It is important to recognise that the Caldicott principles bring to life what the Data Protection Act ought to mean in health settings. It would be a mistake to create competing law. Of course the Government agree with the noble Lord about the importance of giving force to the principles. That is one reason why we supported the Private Member’s Bill brought into this House by my noble friend Lady Chisholm to put the national data guardian on a statutory basis. I hope that that gives him the strength of reassurance about the way that the framework is constructed, which is not to create an opportunity to do funny stuff at the edges, but rather to make sure that there is primacy of one set of legislation.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, the noble Lord used the expression, “giving force”. If those principles are given force, it means that the Government treat themselves and put on the record that they are bound by those principles. That is what giving force would mean in those circumstances, because these are novel circumstances set out in the Bill. That kind of reassurance is needed with the data ethics framework.

Lord Patel Portrait Lord Patel (CB)
- Hansard - - - Excerpts

My Lords, I had amendments that the Minister responded to at the Dispatch Box and I accepted her explanation at the time. Now I take the point that the noble Lord, Lord Clement-Jones, is trying to raise, that those principles that she enunciated about data protection included the Caldicott principles. As that reassurance was given at the Dispatch Box, I think it will cover the issue.

Baroness Manzoor Portrait Baroness Manzoor (Con)
- Hansard - - - Excerpts

My Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baronesses, Lady Jolly and Lady Thornton, for tabling Amendment 14 and raising the issue of the lawful and responsible processing of data. I start with an apology to the noble Lord, Lord Clement-Jones. My noble friend Lady Blackwood did write to the noble Lord, and I am sorry that he has not yet received the letter. We will endeavour to send him another copy as soon as possible.

As my noble friend Lord O’Shaughnessy said—and I reassure the noble Lord, Lord Patel, that—data sharing is a necessary and crucial aspect of maintaining effective complex reciprocal healthcare arrangements, and the Government are committed to the safe, lawful processing of people’s personal data. There are, as the noble Lord said, safeguards in place in respect of processing personal data for the purposes set out under the Bill, for which the Bill makes express provision. The Bill makes it absolutely clear that it does not authorise the processing of data that contravenes UK data protection legislation.

Data processing will be permitted only for the limited purposes set out in the Bill. Personal data will be processed in accordance with UK data protection law—as the noble Baroness, Lady Thornton, observed—namely, the Data Protection Act 2018 and the general data protection regulation, which will form part of UK domestic law under the European Union (Withdrawal) Act 2018 from exit day.

I assure the noble Lords, Lord Patel and Lord Clement- Jones, and the noble Baroness, Lady Thornton, that the Caldicott principles are an important part of the governance of confidential patient information in the NHS and a guiding mechanism for organisations in how they should handle confidential patient information on a practical level. The NHS is expected to adhere to these principles.

Since 1999, NHS bodies have been mandated to appoint a Caldicott Guardian. These principles are therefore ingrained in the current operation of the NHS and confidential patient data handled by the NHS for purposes in relation to reciprocal healthcare will be subject to these principles. The principles are consistent with the requirements of the GDPR and a breach of the Caldicott principles would most likely amount to a breach of the GDPR and the Data Protection Act 2018. The principles are not intended for statute but are of real practical and operational importance when confidential patient information is processed. This will be the case when confidential patient information needed for reciprocal healthcare arrangements is processed.

It is also worth noting that reciprocal healthcare arrangements will not normally involve the processing of confidential patient information, except in particular circumstances, such as facilitating planned treatment. However, where this information is processed through reciprocal healthcare arrangements under the NHS, it must comply with UK data protection legislation. NHS organisations, as they do now, will be required to adhere to the Caldicott principles. The data ethics framework that the noble Lord, Lord Clement-Jones, mentioned sets out collective standards and ethical frameworks for how data should be used across the whole public sector, as well as the standards for transparency and accountability when building or buying new data technology. Where the framework refers to personal data, it consistently cross-refers to the principles in the GDPR, which is the relevant legislation that policymakers must consider when processing personal data.

Personal data processed for the purposes of reciprocal healthcare arrangements would therefore also take into account the data ethics framework. In addition, from 1 April 2019, the National Data Guardian will be put on a statutory footing and will therefore be able to issue formal guidance and informal advice to organisations and individuals about the processing of health and adult social care data in England. This will provide patients statutory independent oversight of the use of health data, with health bodies being required by law to have regard to the guidance issued by the National Data Guardian. This is another way in which NHS organisations in England which are processing data in respect of reciprocal healthcare will be monitored and personal data can be further protected as necessary.

It is important to note that express reference to these principles in the Bill would not provide any additional protections for personal data or confidential patient information, as the standard of protections required is the same as the existing data protection legislation already provided for in the Bill. I am grateful to the noble Baroness, Lady Thornton, and others for their support in observing this. Furthermore, as I have said, these principles already apply to NHS organisations and will continue to do so in respect of reciprocal healthcare. As a result, it would be inappropriate to put these in the Bill and I am therefore unable to accept the amendment. However, the Government have listened carefully to concerns surrounding the list of persons who can lawfully process data as a part of implementing new reciprocal healthcare arrangements under the Bill and have tabled an amendment on this issue.

Currently, the list of authorised persons under the Bill includes the Secretary of State, Scottish Ministers, Welsh Ministers and a Northern Ireland department, NHS bodies and providers of healthcare. Of course, over time, public bodies change, are reformed and refashioned, and functions are transferred between them in consequence. Clause 4(6)(e) gives the Secretary of State the ability to respond to such changes so that systems can operate efficiently and data can follow in an appropriate and lawful way to enable such operation. We propose, however, subjecting any regulations that add to the list of persons authorised to process data for the purposes of the Bill to the draft affirmative procedure. This would allow Parliament the opportunity to scrutinise authorised persons handling personal data while ensuring that the Government have the ability to guarantee that future agreements are administered in the most efficient way possible.

The Government are firmly committed to the safe, lawful processing of personal data, and to ensuring that patients have enforceable protections under data protection legislation. I hope, given my assurances that any data processing under the Bill would comply with the Caldicott principles and the data ethics framework as appropriate, that the noble Lord will feel able to withdraw the amendment.

The noble Baroness, Lady Thornton, kindly mentioned the factsheet. Of course, if it is useful, we would be very happy to put this in the Library. Officials do a tremendous job and I am very grateful to them. I hope, with the assurance I have given noble Lords, and the fact we are providing greater scrutiny, that the noble Lord feels able to withdraw the amendment.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, that was exactly the kind of robust response from the Minister that I was hoping for. It is very rare that I listen to a government response and nod all the way through, so I thank her for that very careful response, both on the Caldicott principles and the framework for data ethics, and for going into the accountabilities, and the affirmative procedure guarantee at the end—that was a bouquet. It is not that we on these and other Benches do not understand the value of NHS data and the real importance of that balance. This is not designed as a negative approach to the use of NHS data; it has huge potential benefits, but we have to make sure that it is kept within that ethical framework. The Minister has demonstrated that that kind of culture is ingrained—or is certainly expected to be ingrained—in the NHS and that Caldicott Guardians, post 1 April, will be very much on the case. In those circumstances, with pleasure, I beg leave to withdraw my amendment.

Amendment 14 withdrawn.