Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 23 December 2022 to Question 111586, on Medical Records: Data Protection, in which specific circumstances personal health data can be used for purposes beyond individual care and treatment; what is the legal basis for any such disclosure; and whether his Department informs the affected patients.
Answered by Will Quince
Health and care organisations must ensure there is a lawful basis for sharing confidential patient information from a person's medical records for purposes beyond their individual care and treatment. This will generally mean that the person has provided their consent; there is a statutory or other legal requirement to disclose information; or there is an overriding public interest justification.
When using personal data, health and care organisations must comply with UK General Data Protection Regulation (UKGDPR) requirements and are guided by the eight Caldicott principles which state that confidential patient information should only be used when it is lawful, necessary and there is a clear purpose for doing so.
There are a limited number of legal gateways that set aside the common law duty of confidentiality, such as the powers of NHS Digital under the Health and Social Care Act 2012 to require or request data, for example for purposes directed by the Secretary of State for Health and Social Care. In addition, where it can be demonstrated that it is impracticable to obtain patient consent or work with anonymised data, the Health Service (Control of Patient Information) Regulations 2002 permit personal information to be used for cancer registries, communicable diseases and other threats to public health and enable the approval of the use of confidential patient information for other ‘medical purposes’ such as research, clinical audit and service planning by the Health Research Authority (HRA), for research, or the Secretary of State, for other medical purposes. Before approving such applications, the HRA and Secretary of State must be advised by the Confidentiality Advisory Group, an independent body which considers all applications, balancing patient and public interest with appropriate use of confidential patient information without consent.
Both the UKGDPR and Caldicott principles include specific principles related to transparency and it is the responsibility of each health and care organisation to make a range of information materials readily available to patients and members of the public about what, why, how, when and where confidential patient information might be shared.
Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 23 December 2022 to Question 111586, on Medical Records: Data Protection, how many legal gateways there are which set aside the common law duty of confidence.
Answered by Will Quince
Health and care organisations must ensure there is a lawful basis for sharing confidential patient information from a person's medical records for purposes beyond their individual care and treatment. This will generally mean that the person has provided their consent; there is a statutory or other legal requirement to disclose information; or there is an overriding public interest justification.
When using personal data, health and care organisations must comply with UK General Data Protection Regulation (UKGDPR) requirements and are guided by the eight Caldicott principles which state that confidential patient information should only be used when it is lawful, necessary and there is a clear purpose for doing so.
There are a limited number of legal gateways that set aside the common law duty of confidentiality, such as the powers of NHS Digital under the Health and Social Care Act 2012 to require or request data, for example for purposes directed by the Secretary of State for Health and Social Care. In addition, where it can be demonstrated that it is impracticable to obtain patient consent or work with anonymised data, the Health Service (Control of Patient Information) Regulations 2002 permit personal information to be used for cancer registries, communicable diseases and other threats to public health and enable the approval of the use of confidential patient information for other ‘medical purposes’ such as research, clinical audit and service planning by the Health Research Authority (HRA), for research, or the Secretary of State, for other medical purposes. Before approving such applications, the HRA and Secretary of State must be advised by the Confidentiality Advisory Group, an independent body which considers all applications, balancing patient and public interest with appropriate use of confidential patient information without consent.
Both the UKGDPR and Caldicott principles include specific principles related to transparency and it is the responsibility of each health and care organisation to make a range of information materials readily available to patients and members of the public about what, why, how, when and where confidential patient information might be shared.
Asked by: Fleur Anderson (Labour - Putney)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, if he will make an assessment with Cabinet colleagues of the potential impact of provisions in the Data Protection and Digital Information Bill on giving data controllers discretion to decide when personal data can be classified as anonymous on the privacy of patients with sensitive private health issues; and whether his Department plans to introduce safeguards to ensure that data controllers only reclassify data when it is correct to do so.
Answered by Will Quince
The UK General Data Protection Regulation and the Data Protection Act 2018 set out the conditions which apply to the processing of personal and special category data, which includes health data. The Data Protection and Digital Information Bill will not amend the classification of special category data or remove safeguards.
Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what his Department's policy is on the sharing of personal health data with organisations outside the NHS (a) with and (b) without a person's permission.
Answered by Will Quince
The use of patient information must comply with data protection legislation and the common law duty of confidence, where appropriate. Personal health data can only be used for purposes beyond individual care and treatment in specific circumstances and there must be a legal basis for any disclosure.
Confidential patient information can only be shared for non-health purposes where an individual has provided consent, where there is an over-riding public interest, where the information is required by law, or where there is a legal gateway which sets aside the common law duty of confidence. Any disclosure of patient data held within NHS Digital must comply with section 261 of the Health and Social Care Act 2012. Applications for access to patient data held by NHS Digital are made to its Data Access Request Service.
The National Data Opt-Out introduced in 2018 allows patients, in specified circumstances, to opt out of their information being used for research or planning purposes and has been mandatory since 31 July 2022.
Asked by: John McDonnell (Labour - Hayes and Harlington)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, if he will make an assessment of the potential implications for his policies of the case of Dr S. Shashikanth and the decision not to share patient data with a primary care trust; and if he will make an assessment of the potential merits of enabling general practitioners to determine at a practice-level whether to share patient data across an integrated care system.
Answered by Will Quince
‘Data saves lives: reshaping health and social care with data’, published in June 2022, prioritises appropriate data sharing across health, social care and public health systems to ensure patient safety. As of March 2022, all integrated care systems in England have implemented a basic shared care record, connecting National Health Service trusts and general practices.
Asked by: John McDonnell (Labour - Hayes and Harlington)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, with reference to the concerns raised in the letter sent on 7 November 2022 by Dr Nicola Byrne, National Data Guardian, and Dr Arjun Dhillon, chair of the UK Caldicott Guardian Council to integrated care board senior information risk owners, whether he is taking steps to assess the confidentiality of patients' data in response to those concerns.
Answered by Will Quince
‘Data saves lives: reshaping health and social care with data’ sets out the importance of transparency in maintaining trust in the use of personal information in the health and care system. NHS England supports integrated care boards with advice on identifying the appropriate legal basis for using confidential patient information for purposes beyond individual care, including ensuring that the correct approvals are sought where relevant.
Asked by: Lord Hunt of Kings Heath (Labour - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government what plans they have to publish the letter sent from the National Data Guardian to NHS Integrated Care Systems and Senior Information Risk Owners on 1 November (NDG reference 299/1541); and whether they will place a copy of this letter in the Library of the House.
Answered by Lord Markham - Shadow Minister (Science, Innovation and Technology)
A copy of the letter sent by the National Data Guardian to National Health Service integrated care systems and Senior Information Risk Owners on 7 November is attached. This letter was published by the National Data Guardian on 23 November 2022.
Asked by: David Warburton (Independent - Somerton and Frome)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what steps his Department will take to support NHS GP surgeries with the extra workload associated with the forthcoming rollout of expanded patient access to medical records.
Answered by Neil O'Brien - Shadow Minister (Policy Renewal and Development)
Since 2019, it has been a contractual requirement for general practitioner (GP) practices to offer all patients access to their record. Following recommendations published by the Royal College of General Practitioners, NHS England provided GP practices with a four-month notice period prior to the planned deployment of automatic online access to prospective records for patients registered with practices using TPP and EMIS information technology systems.
NHS England has hosted webinars for practice staff to prepare for this change, published guidance and a checklist detailing policies and processes which require updating.
Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, with reference to the recommendations of the Goldacre Review, what assessment he has made of the potential merits of creating a single, national data controller for all NHS records; and what steps he is taking to (a) recruit people with technical data skills and knowledge to senior roles in the NHS and (b) train staff in senior roles in the NHS in the basics of data analysis.
Answered by Gillian Keegan
It has not proved possible to respond to the hon. Member in the time available before Prorogation.
Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central and West)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, with reference to the recommendations in the Goldacre review, what steps he is taking to ensure that NHS data policies take into consideration the limitations of (a) pseudonymisation and (b) trust as techniques when managing patient privacy; and what discussions he has had with the Cabinet Office on the implications of that policy for Government data sharing more broadly.
Answered by Gillian Keegan
The Goldacre review highlighted that National Health Service data can accelerate medical research and allow planning for more effective services, while also describing the limitations of a system built on data sharing which relies on techniques such as trust and pseudonymisation to manage patient privacy. The Review recommends that the NHS adopts secure online platforms for verified researchers and analysts to access its data. These platforms, known as Secure Data Environments or Trusted Research Environments, will support high standards of information governance, transparency and security. Secure Data Environments remove the need for data to be physically shared between different users which reduces the reliance on factors such as trust and pseudonymisation being necessary to manage patient privacy.
The Department is currently developing policy principles and standards for the adoption of Secure Data Environments in the NHS. We will continue to engage with other Government departments on issues of data policy.