Asked by: Lord Hunt of Kings Heath (Labour - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what assessment they have made of the compliance by UK Biobank with NHS England’s assertion that “information is never passed to insurance companies without patient consent.”
Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The assurance that identifiable data will not be shared with any organisation, including insurance companies, was provided to participants at the time of recruitment, and still applies. Members of the public invited to join UK Biobank were given information leaflets and a consent form that stated that de-identified data would be made available to researchers from across industry, academia, charitable and government sectors if the applications met the required thresholds of including a bona fide researcher and doing health-related research in the public good.
Asked by: Lord Hunt of Kings Heath (Labour - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government, further to the Written Answer by Lord Markham on 19 September (HL10083), whether they intend to direct NHS England to change the name of the Advisory Group for Data to avoid confusion with the National Data Advisory Group.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
Following discussion at the National Data Advisory Group in March, the Department raised with NHS England the possibility of changing the name of the interim Advisory Group for Data. There are no plans to direct NHS England to change the name.
Asked by: Lord Hunt of Kings Heath (Labour - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government what are the differences in (1) the remit, and (2) the membership, of NHS England’s Advisory Group on Data and the Department of Health and Social Care's National Data Advisory Group.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
The Advisory Group for Data (AGD) is convened by NHS England and builds on the previous work by the Independent Group Advising on the Release of Data (IGARD). Currently operating in interim form, it includes the members of IGARD, alongside a representative of the Caldicott Guardian of NHS England, the Data Protection Officer, and senior staff supporting on Data and Analytics.
It provides NHS England with access to expert advice and assurance on internal and external access to data in relation to the exercise of NHS England’s functions transferred to it from NHS Digital, including on specific requests for the dissemination of information in accordance with the statutory guidance issued by my Rt hon. Friend, the Secretary of State for Health and Social Care. Its minutes are published on the NHS England website.
The National Data Advisory Group (NDAG) is convened by the Department to provide strategic policy advice on data and data sharing, including the implementation of Data Saves Lives, the data strategy. It does not advise on specific data sharing requests and has a different membership to the ADG. NDAG includes, among others, the National Data Guardian for Health and Social Care, the Chair of the Academy of Medical Royal Colleges and the Chief Executive of the Patient’s Association.
Asked by: David Mundell (Conservative - Dumfriesshire, Clydesdale and Tweeddale)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, whether she has had recent discussions with the Information Commissioner’s Office on the adequacy of the guidance provided on their website for (a) identifying and (b) reporting breaches of data protection law related to personal health data.
Answered by John Whittingdale
The UK’s data protection legislation requires all organisations to process personal data lawfully, fairly, transparently and securely. There are stricter conditions and safeguards in relation to processing of personal data relating to people’s health.
The Data Protection and Digital Information (no. 2) Bill does not remove or amend these foundational principles. Instead, it builds on the existing elements of the legislation to make it more ambitious and innovation-friendly, while still underpinned by secure and trustworthy data standards.
The ICO already has published guidance for organisations on the use of special category data, but it has recently been made aware of concerns linked to the inappropriate sharing of personal health data, including the HIV status of individuals. It is currently engaging with the organisations involved to understand these issues further. It has indicated that it will take the necessary steps to ensure that it supports and advises relevant organisations about sharing sensitive information, and that it is clear in its guidance about identifying and reporting breaches linked to health data.
Asked by: Lord Hunt of Kings Heath (Labour - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government whether they intend to publish a list of organisations from whom views have been sought, whether formally or informally, on drafts of the new terms of reference for NHS England’s Advisory Group for Data.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
NHS England advises that it has sought views on the draft terms of reference for its Advisory Group for Data from the Department, The National Data Guardian, The Independent Group Advising (NHS Digital) on Release of Data prior to the legal merger, and subsequently the interim data advisory group established until terms of reference are finalised and approved and NHS England's Cyber Security and Risk Committee. The draft terms of reference are currently being updated to take into account feedback and once they have been approved by the Board or a sub-committee of the Board, NHS England advises it will publish them in line with the Statutory Guidance.
The statutory guidance on NHS England’s protection of patient data states that the data advisory group should, among other functions, be able to provide NHS England with advice as requested on "streamlining and continuously improving internal and external data access processes, using a clearly understood risk management framework, precedent approaches and standards that requests must meet". Once the terms of reference for the new group are approved and the group is in place NHS England will work, with the new group's advice, to agree an appropriate risk management framework including considering the form that might take, how it might be summarised or articulated, and what information about it should be published. Interim arrangements are in place while this new group is being established and advice is sought based on the published Data Access Request Service (DARS) Standards and Precedents in relation to applications for access to data. These arrangements and the advice provided by the group are reflected in the minutes of each meeting of the interim group.
Asked by: Lord Hunt of Kings Heath (Labour - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government whether they intend to place a copy of the risk management framework, which was referred to in NHS England’s protection of patient data, published on 23 May, in the Library of the House.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
NHS England advises that it has sought views on the draft terms of reference for its Advisory Group for Data from the Department, The National Data Guardian, The Independent Group Advising (NHS Digital) on Release of Data prior to the legal merger, and subsequently the interim data advisory group established until terms of reference are finalised and approved and NHS England's Cyber Security and Risk Committee. The draft terms of reference are currently being updated to take into account feedback and once they have been approved by the Board or a sub-committee of the Board, NHS England advises it will publish them in line with the Statutory Guidance.
The statutory guidance on NHS England’s protection of patient data states that the data advisory group should, among other functions, be able to provide NHS England with advice as requested on "streamlining and continuously improving internal and external data access processes, using a clearly understood risk management framework, precedent approaches and standards that requests must meet". Once the terms of reference for the new group are approved and the group is in place NHS England will work, with the new group's advice, to agree an appropriate risk management framework including considering the form that might take, how it might be summarised or articulated, and what information about it should be published. Interim arrangements are in place while this new group is being established and advice is sought based on the published Data Access Request Service (DARS) Standards and Precedents in relation to applications for access to data. These arrangements and the advice provided by the group are reflected in the minutes of each meeting of the interim group.
Asked by: Julian Lewis (Conservative - New Forest East)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, when his Department expects to announce dates for nuclear test veterans to receive the medals and clasps in recognition of their service; and what steps his Department is taking to make available to interested parties the findings of medical tests carried out on participants in the nuclear testing programme.
Answered by Andrew Murrison - Parliamentary Under-Secretary (Ministry of Defence)
The Government continues to recognise and be grateful to all Service personnel who participated in the British Nuclear testing programme. They contributed to keeping our nation secure during the Cold War and since, by ensuring that the UK was equipped with an appropriate nuclear capability.
I am pleased that a forthcoming commemorative Nuclear Test Medal was announced by the Prime Minister in November 2022, which is intended to recognise Service veterans and civilians who participated in the UK’s nuclear tests between 1952 and 1967. The first Nuclear Test Medals are expected to be available in summer 2023. Details on the eligibility criteria for the Medal, together with information on the application process, will be announced by the end of March 2023. There is a long-established process to design, procure and produce a new Medal and collectively this process takes some months.
In relation to medical test results, an individual can make a Subject Access Request (SAR) to the relevant military service, Veterans UK or the Atomic Weapons Establishment to have sight of what records are held on them. Information is provided on request to individuals, or representatives acting on their behalf, under ‘General Data Protection Regulation (GDPR), Chapter 3, Article 15 – Right of access’.
Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 23 December 2022 to Question 111586, on Medical Records: Data Protection, in which specific circumstances personal health data can be used for purposes beyond individual care and treatment; what is the legal basis for any such disclosure; and whether his Department informs the affected patients.
Answered by Will Quince
Health and care organisations must ensure there is a lawful basis for sharing confidential patient information from a person's medical records for purposes beyond their individual care and treatment. This will generally mean that the person has provided their consent; there is a statutory or other legal requirement to disclose information; or there is an overriding public interest justification.
When using personal data, health and care organisations must comply with UK General Data Protection Regulation (UKGDPR) requirements and are guided by the eight Caldicott principles which state that confidential patient information should only be used when it is lawful, necessary and there is a clear purpose for doing so.
There are a limited number of legal gateways that set aside the common law duty of confidentiality, such as the powers of NHS Digital under the Health and Social Care Act 2012 to require or request data- for example for purposes directed by the Secretary of State for Health and Social Care. In addition, where it can be demonstrated that it is impracticable to obtain patient consent or work with anonymised data, the Health Service (Control of Patient Information) Regulations 2002 permit personal information to be used for cancer registries, communicable diseases and other threats to public health and enable the approval of the use of confidential patient information for other ‘medical purpose’s such as research, clinical audit and service planning by the Health Research Authority (HRA), for research, or the Secretary of State, for other medical purposes. Before approving such applications, the HRA and Secretary of State must be advised by the Confidentiality Advisory Group, an independent body which considers all applications, balancing patient and public interest with appropriate use of confidential patient information without consent.
Both the UKGDPR and Caldicott principles include specific principles related to transparency and it is the responsibility of each health and care organisation to make a range of information materials readily available to patients and members of the public about what, why, how, when and where confidential patient information might be shared.
Asked by: Chi Onwurah (Labour - Newcastle upon Tyne Central)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 23 December 2022 to Question 111586, on Medical Records: Data Protection, how many legal gateways there are which set aside the common law duty of confidence.
Answered by Will Quince
Health and care organisations must ensure there is a lawful basis for sharing confidential patient information from a person's medical records for purposes beyond their individual care and treatment. This will generally mean that the person has provided their consent; there is a statutory or other legal requirement to disclose information; or there is an overriding public interest justification.
When using personal data, health and care organisations must comply with UK General Data Protection Regulation (UKGDPR) requirements and are guided by the eight Caldicott principles which state that confidential patient information should only be used when it is lawful, necessary and there is a clear purpose for doing so.
There are a limited number of legal gateways that set aside the common law duty of confidentiality, such as the powers of NHS Digital under the Health and Social Care Act 2012 to require or request data- for example for purposes directed by the Secretary of State for Health and Social Care. In addition, where it can be demonstrated that it is impracticable to obtain patient consent or work with anonymised data, the Health Service (Control of Patient Information) Regulations 2002 permit personal information to be used for cancer registries, communicable diseases and other threats to public health and enable the approval of the use of confidential patient information for other ‘medical purpose’s such as research, clinical audit and service planning by the Health Research Authority (HRA), for research, or the Secretary of State, for other medical purposes. Before approving such applications, the HRA and Secretary of State must be advised by the Confidentiality Advisory Group, an independent body which considers all applications, balancing patient and public interest with appropriate use of confidential patient information without consent.
Both the UKGDPR and Caldicott principles include specific principles related to transparency and it is the responsibility of each health and care organisation to make a range of information materials readily available to patients and members of the public about what, why, how, when and where confidential patient information might be shared.
Asked by: Fleur Anderson (Labour - Putney)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, if he will make an assessment with Cabinet colleagues of the potential impact of provisions in the Data Protection and Digital Information Bill on giving data controllers discretion to decide when personal data can be classified as anonymous on the privacy of patients with sensitive private health issues; and whether his Department plans to introduce safeguards to ensure that data controllers only reclassify data when it is correct to do so.
Answered by Will Quince
The UK General Data Protection Regulation and the Data Protection Act 2018 set out the conditions which apply to the processing of personal and special category data, which includes health data. The Data Protection and Digital Information Bill will not amend the classification of special category data or remove safeguards.