Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023
(Limited Text - Ministerial Extracts only)
Read Full debate
Lord Markham
That the draft Regulations laid before the House on 15 December 2022 be approved.
Relevant document: 25th Report from the Secondary Legislation Scrutiny Committee (special attention drawn to the instrument).
The Parliamentary Under-Secretary of State, Department of Health and Social Care (Lord Markham) (Con)
My Lords, to make sure that all noble Lords have the right version of this SI, I draw attention to the correction slip amending two points:
“Page 3, regulation 5(3)(a): omit ‘annual’; and Page 22 … paragraph 63(a): ‘…paragraph (b);’ should read ‘…paragraph (a);’.”
These regulations are intended to transfer the statutory functions of the Health and Social Care Information Centre, which operates as NHS Digital, to NHS England, and to abolish NHS Digital. This will create a central authority responsible for all elements of digital technology, data and transformation for the NHS, which was a key recommendation of the review by Laura Wade-Gery into how we can improve the digital transformation of the NHS. The recommendations were accepted by the Government in November 2021; we announced that we would merge NHS Digital into NHS England as soon as legislation allowed.
I know that noble Lords had concerns about this transfer during the passage of the Health and Care Bill last year, which we have sought to address. I will also seek to address the points raised by the report of the Secondary Legislation Scrutiny Committee, which are echoed in the regret amendment tabled by the noble Lord, Lord Hunt.
First, I reassure this House that the transfer will not weaken the existing protections of people’s data and that the protection of data remains a priority for NHS England, which at senior levels takes these new responsibilities very seriously. All statutory functions of NHS Digital relating to the protection of data are being transferred, including the rules and safeguards required by law. This has been a guiding principle. NHS England will be subject to the same rules on collecting and disseminating data as are applied to NHS Digital.
NHS England can establish an information system only when directed by the Secretary of State or in response to a request from another body. All directions and requests that NHS England complies with must be published, so there is full transparency on what is being collected and for what purposes, and a clear upfront control. It cannot exceed the requirements of the direction or request. It must also publish its procedures for receiving and considering requests to establish information systems and for requests to access data. NHS England will report annually on how effectively it has discharged its transferred data functions, seeking independent advice to inform this report and consulting with the National Data Guardian for their views.
Concerns were raised during the passage of the Bill that we would lose the excellent practice that NHS Digital has followed in protecting people’s data and the crucial separation between those responsible for collecting and de-identifying data and those in NHS England analysing it. We therefore committed to place further requirements on NHS England, alongside the transfer of statutory functions, to ensure it would be a safe haven for data via statutory guidance. This is a new requirement.
This statutory guidance sets out measures that we expect NHS England to protect confidential information. There was some disquiet that the guidance did not seem to go far enough and that we had not added new duties to the regulations. This was not considered necessary; this is a straightforward transfer of functions under a legal framework which goes back to 2012 and has stood the test of time. That framework includes duties under the 2012 Act to have regard to various matters such as the need to respect people and promote the privacy of service users.
Additionally, we will issue statutory guidance, and I will come on to its contents in a moment. NHS England must have regard to this guidance; that means that it would have to demonstrate that it had justification for any decision not to follow it. Case law has shown that clear and cogent reasons would be needed to depart from guidance which is subject to a statutory duty to have regard. However, we have added strength here, as there is also a new power of direction, introduced in the Health and Care Act 2022, which could be used in cases of non-compliance with the guidance—namely, in Section 13ZC of the NHS Act 2006. Together, these mechanisms create a strong, binding commitment on NHS England to maintain the highest levels of data protection and safeguards.
NHSE is a long-established public authority which is experienced in processing personal data, including that of patients and employees. It does so in accordance with a robust legal framework which includes UK GPDR and the Data Protection Act. The lawful and proper treatment of personal data by NHS England is extremely important to maintain the confidence of service users and employees, and NHS England is well versed in processing personal data lawfully and correctly. It is aware of the importance of seeking independent advice and will be able to do so where necessary, including on the recommendation of staff transferring from NHS Digital. NHS England will also be able to approach the Information Commissioner’s Office as the independent regulatory body if it needs an independent view on particular matters.
I also reassure noble Lords that this statutory guidance covers all confidential information as defined in Section 263(2) of the 2012 Act. Therefore, it covers all data identifying an individual and all data identifying an individual which is subsequently identified or pseudonymised where an organisation, including NHS England, holds both the de-identified data and other data which would enable reidentification.
The guidance requires NHS England to obtain independent expert advice on its data access processes and procedures and, where appropriate, on individual decisions around data access. This will enable these experts to provide advice and assurance for both external and internal requests for access to data for purposes other than direct care. NHS England will be required to secure this independent advice or have a very good reason for not doing so. It is not optional or a case of doing so only when convenient.
Central to this should be a data advisory group, comprising appropriate experts and lay members, including one or more members with expertise in social care. This last point is not currently spelled out by the draft guidance, which we will amend. It would be appropriate for some internal representation to support this group to add expert knowledge and insight, such as the organisation’s Caldicott Guardian and data protection officer. However, the majority of members should be independent advisers. Minutes of the data advisory group meetings should also be published.
I know that some noble Lords have been concerned that NHS England will receive data which is still identifiable and which NHS Digital would previously have de-identified before sharing. The statutory guidance requires that the organisation will de-identify data before its internal analysis and use—the same role which NHS Digital undertook previously will be done internally, by a team separate from those who need to use the data. It explicitly states that responsibilities and accountabilities for using the data should be organisationally separate from the functions providing assurance and advice on this, such as information governance and Caldicott Guardian functions, to ensure that there are no conflicts of interest.
NHS England must ensure that there is the right governance for considering internal requests to access data, based on the same principles of risk-based assessment as for external requests for data, and drawing on the same independent scrutiny and advice. Furthermore, the Secretary of State will issue a direction in relation to NHS England’s internal use of data, which will be published. This will make clear the legal responsibility for NHS England to de-identify data before analysis, so that an individual cannot be directly identified either from the data to be accessed or analysed from the results of the analysis carried out. The guidance also calls for NHS England to develop a register of internal data uses mirroring that which currently exists for external data uses.
In response to the concerns of the Secondary Legislation Scrutiny Committee, although we are moving at pace, we are doing so because we are keen to see the benefits of creating a single statutory body responsible for data and digital technology for the NHS delivered quickly. The statutory guidance has been neither rushed nor piecemeal in development. The guidance has been in development for a number of months; a version was shared with some noble Lords and stakeholders before Christmas, and we have been discussing it with stakeholders—including the National Data Guardian, the Information Commissioner’s Office, NHS Digital and NHS England—revising it to reflect their comments and strengthening the requirements on internal use of data, which was a predominant concern.
We have now published the second draft, which we have drawn to the attention of noble Lords. This was also shared with the Secondary Legislation Scrutiny Committee and the British Medical Association and other professional organisations, to seek their feedback. I am sorry that we did not share the guidance before with the BMA.
Lord Markham (Con)
I thank noble Lords for their contributions and agree that we are all trying to achieve the same thing: to ensure the digital benefits come from this system and maybe—who knows?—create a UTOPIA, but also, vitally, maintain confidence. I take all these comments in the helpful spirit in which they are intended, and I hope that noble Lords will like my replies. At the same time, anything that I do not properly cover now—I suspect there will be some things I am not able to cover—I will, as ever, follow up on in detail in writing. Such is the importance of this that I am happy to meet again as well. The various meetings that we have had have been very productive, so I will make sure that those written answers come out quickly. I invite noble Lords to please come back if they feel there are some bits that still need further clarification. I will definitely set that up quickly and ensure that the officials are there as well. I have had various bits of feedback from the officials—I have tried to be engaged all the way through this. As the noble Baroness, Lady Merron, said, we have tried to get this right. I accept that we have not always done it perfectly, but I hope noble Lords can see that the good will is there.
On the specific questions asked by the noble Lord, Lord Hunt, I agree not only to publish the review but, happily, to brief Parliament on that. On the idea of including the LGA in the composition, I am very happy to do that. Regarding the points made by the noble Baroness, Lady Brinton, on the ability to use Palantir outside of the agreed research, the intent is absolutely that it can be used only for the agreed purposes and it cannot be used or sold elsewhere without suitable agreement. Again, the annual report will address how well it is working in practice.
I hope that the merger will not be like the PHE closure. I think they have been working on the new timing, in terms of February, since October, when it was announced, and have been working with the staff on that timing. I know that the plans that I have seen have taken into account the ability or need to retain people, which is obviously crucial to this, as we know that you need additional skills in this space and the importance of retaining them.
On the questions asked by the noble Baroness, Lady Finlay, my understanding regarding Wales—and I will make sure that this is followed up properly in writing—is that it has consented to the transfer arrangements in this. Generally, NHS England will continue to play the same role it has currently; that has been agreed. I entirely take and accept her point about the hacking risk, that the more attractive you make the data pool, for want of a better word, obviously the more essential it is to make sure that security and protections are in place.
As ever, I enjoyed the points made by the noble Lord, Lord Allan. He was talking about UTOPIA. He mentioned the geeks, and I am sure he is aware that that word came out of the Second World War, when they were looking for general engineering and electrical knowledge in their recruitment of soldiers, so that is one for him. Going forward, those extra forms of transparency and the quadruple lock all sound very sensible to me. I had a quick note from my team, saying that they also thought that it sounded sensible. Again, I think that we will probably need to put some detail around that, but I thank the noble Lord for those suggestions. Let us try to make sure that we work with those.
I absolutely take all the points made by the noble Baroness, Lady Merron, again, in the spirit in which they are intended. I do not think that I have a good answer to the “marking their own homework” point, to be fair. I hope that the noble Baroness knows me well enough to know that I will never try to argue that black is white from where we are. I think that is, quite rightly, the concern that all noble Lords have raised tonight, and it is obviously these protections, such as the quadruple lock and the other things that we need to put in place, that we need to make sure are there.
On the kind of things mentioned, the advice and the minutes from the meetings and the advice given by the independent groups—absolutely. I spent a bit of time today on how we would involve the ICSs, and my understanding—again, I freely admit my understanding is probably at GCSE level right now, so I need to do a bit more work on this—is that a lot of this is around the data standards that the ICSs are starting to deploy to make sure that the formatting of the data is correct so that everything can be kept in this common data warehouse. That is something that they are working on already, in terms of establishing those standards. A number of trusts have worked towards that, accepting that it cannot be completely finalised until we know who is going to win the tender for it.