Mr Davis

- View Speech - Hansard -

Copy Link

- - Excerpts

I take the hon. Gentleman’s point and will elaborate on it as I make progress. As presented, the plan is to collect the data first and think about the problems second, but the information is too important and the Department’s record of failed IT is too great for it to be trusted with carte blanche over our privacy.



There is also the so-called honeypot problem. Data gathered centrally inevitably attracts actors with more nefarious intentions. The bigger the database, the greater the incentive to hack it. If the Pentagon, US Department of Defence and even Microsoft have been hacked by successful cyber-attacks, what chance does our NHS have?

The Secretary of State for Health and Social Care (Matt Hancock)

- View Speech - Hansard -

Copy Link

- - Excerpts

I have come to the House today to answer this debate because of the importance of the subject matter and the importance of getting this right. I recognise and acknowledge the chequered history that my right hon. Friend the Member for Haltemprice and Howden (Mr Davis) described, and I see that chequered history as one of the reasons that the NHS does not yet have the modern data architecture that it needs. Previous attempts—both the national programme for IT and care.data—have failed, so people have shied away from tackling this problem in a modern, secure and agile way.

I have come to demonstrate and to argue that there is no contradiction between high-quality security and privacy of the data held in a health system and the use of that data to save lives, because in a well-structured, well thought through system, both are enhanced. I profoundly believe that. I think that my right hon. Friend does too, and I agree with him when he says that we agree on aims; the key is the path. I agree with him, too, that the proper use of data has the potential to save hundreds of thousands of lives if we use it as safely as possible but also allow for the insights in the data to be discovered in order to promote better healthcare, better discoveries and the better operation of the NHS.

If someone did not believe that before, they could not have failed to be persuaded by it if they have looked at the experience of the last 18 months. We discovered that an old, cheap drug, dexamethasone, helped to reduce the likelihood of someone dying if they ended up in hospital with covid, and as a result it has saved around a million lives across the globe. We discovered that in the NHS because of the data that we have and because of a well-structured, high-quality data architecture project to find out which drugs worked.

We know that the NHS will operate better if different parts of it can compare their performance better. We also know that patients want their data to be used better, because the frustration expressed to me so frequently by patients who are asked over and over “Who are you and what’s wrong with you?”, when that data should be available to the clinicians who need to see it, is palpable. And we know that the clinicians in the NHS want high-quality use of data so that they do not waste so much time on outdated IT and can treat the people in their care better. All these things matter, and they will save lives.

The current GP data service, GPES—the general practice extraction service—is over 10 years old, and it needs to be replaced. The project that my right hon. Friend referred to, GP data for planning and research, is there to unlock the intrinsic benefits of this data, but that must be done in a way that maintains the highest possible standards of security. The goals of this, and the outcomes when we get it right—I say when, not if—are that it will reduce the bureaucracy and workload for GPs, it will strengthen privacy and security, and it will replace around 300 separate data collections with one single collection.

If I may take my right hon. Friend back to 2018, I piloted through this House the Data Protection Act 2018, in which we brought the GDPR into UK law and strengthened provisions for data security. You may remember that, Mr Deputy Speaker, because you may have received a few emails about it at the time from companies asking whether you were still happy for them to hold your data. You could have replied, “No.” In fact, I came off quite a few lists I was no longer interested in receiving emails from because I was reminded that I was still on them and that I could opt out. I think the time has come for a similar approach—an update—to the way we think about health data in this country that puts security and privacy at its heart and, in so doing, unlocks the insights in that data and allows us to hold the trust of the citizens we serve.

The way I think about that is this. Current law considers that citizens do not control their health data, but the NHS does. For instance, GP data is controlled by GPs. However, the approach we should take is that citizens are in charge of their data. It is our data. The details of my bunion are a matter for me, and me primarily. I will not have anyone in the NHS tell me whether I can or cannot disclose the details of my bunion—it is going fine, thank you very much for asking. It matters to me, even though it is a completely uncontroversial health condition, but, as my right hon. Friend set out, for many people their health data is incredibly sensitive and it is vital that it is kept safe.

On the question at hand, the programme—GP data for planning and research—will be underpinned by the highest standards of safety and security. Like my right hon. Friend, I am a huge fan of the progress and advances we have seen in trusted research environments. Those are the safe and secure places for bringing together data, where researchers can access the data or, more accurately, the insights in the data while maintaining the highest standards of privacy.

I, too, am an enormous fan of Dr Ben Goldacre and his team. The OpenSAFELY project has shown the benefits that TREs can bring, because they allow us to support urgent research and to find the insights in the data while protecting privacy. During the pandemic, the project was absolutely fundamental to our response. In fact, it existed before the pandemic, but really came into its own during the pandemic. For instance, it was the first project to find underlying risk factors for covid-19. OpenSAFELY was the first project around the world to find statistically and significantly that obesity makes it more likely that someone will die of covid. That was an important fact, discovered through this project and without disclosing anybody’s body mass index in doing so. That is therefore the approach that we will take.

I can tell my right hon. Friend and the House that I have heard people’s concerns about using dissemination of pseudonymised data. We will not use that approach in the new GPDPR. The new system will instead use trusted research environments. All data in the system will only ever be accessible through a TRE. This means that the data will always be protected in the secure environment. Individual data will never be visible to the researcher, and we will know, and will publish, who has run what query or used which bit of data. The question was asked: who has access to what data, and who knows about it? The answer is that we should all know about it and that people should have access in a trusted way, but to be able to find insights in the data, not people’s individual personalised data itself.

I hope that that will help to build trust. It will mean a different way of operating for data researchers, but I disagree with my right hon Friend that it will allow us only to get 80% or 90% of the research benefit. A well structured TRE allows us to find more insight from the data, not least because the data could be better curated, and therefore more people can spend more time finding the insights in the data, rather than curating it over and over again. The dangers that come with the dissemination of pseudonymised data are removed.

It will take some time to move over to the new system, hence I have delayed its introduction, but we have also made that delay to ensure that more people can hear about it. That is the other reason that I came to the House today: I want people to be engaged in the project. People are engaged in their health like never before, and in their health data like never before, in part because of the pandemic. If we think about the NHS app, which is no doubt in everyone’s pocket—it is certainly in mine—if we think about the covid app, which has been downloaded 25 million times, we have never seen people more interested in their health data. We have never seen a greater connection, and we should use that to make sure that consent, when it is given, is given fully and properly.

I can assure the House we have an extremely high benchmark for who can access data. We have put in place a rigorous and independent approvals process, and audits are carried out to make sure the data is only being used for legitimate purposes. We will make sure that the right data can be accessed by the right people at the right time, but only by the right people at the right time. Both sides of that—that it can be accessed by people who need to see it, but only by the people who need to see it—are critical to getting this right.

On the question of the giving of that consent, it is crucial that we ensure that there is enough knowledge and understanding of these changes, that people are brought into the process, and that people know they have an opt-out. The research is clear: the majority of people are keen to allow their data to be used to help to save other people’s lives, but they want to know they have an opt-out and are reassured if they have one, even if they stay opted in, because they know then that it is based on their consent.

This important programme will have an opt-out system. We are strengthening the opt-out system already, and we will take the time to work with those who are enthusiastic about using data properly, with those who ensure that questions of privacy and security are put to the fore, with the public and, of course, with clinicians to make sure that we strengthen this programme further in terms of its security and privacy, yes, but also in terms of the outcomes we can get from the data, so that we can find new treatments to help save lives.

This is an important programme. The use of data in the NHS will have a huge impact on the future of health and care in this country, and we want to take people with us on this mission. We have developed this policy together with doctors, patients and experts in data and privacy, and more than 200 prominent scientific and medical researchers have endorsed a statement of support for this mission, but we have decided to take some extra time to consult further and to be even more ambitious about what we want to deliver, with a new implementation date of 1 September.

One of the central lessons of the pandemic is that data makes a difference, so let us keep working to take this programme forward, learning the lessons of the crisis, so that we can build back better and use data to save lives.