My Lords, to make sure that all noble Lords have the right version of this SI, I draw attention to the correction slip amending two points:
“Page 3, regulation 5(3)(a): omit ‘annual’; and Page 22 … paragraph 63(a): ‘…paragraph (b);’ should read ‘…paragraph (a);’.”
These regulations are intended to transfer the statutory functions of the Health and Social Care Information Centre, which operates as NHS Digital, to NHS England, and to abolish NHS Digital. This will create a central authority responsible for all elements of digital technology, data and transformation for the NHS, which was a key recommendation of the review by Laura Wade-Gery into how we can improve the digital transformation of the NHS. The recommendations were accepted by the Government in November 2021; we announced that we would merge NHS Digital into NHS England as soon as legislation allowed.
I know that noble Lords had concerns about this transfer during the passage of the Health and Care Bill last year, which we have sought to address. I will also seek to address the points raised by the report of the Secondary Legislation Scrutiny Committee, which are echoed in the regret amendment tabled by the noble Lord, Lord Hunt.
First, I reassure this House that the transfer will not weaken the existing protections of people’s data and that the protection of data remains a priority for NHS England, which at senior levels takes these new responsibilities very seriously. All statutory functions of NHS Digital relating to the protection of data are being transferred, including the rules and safeguards required by law. This has been a guiding principle. NHS England will be subject to the same rules on collecting and disseminating data as are applied to NHS Digital.
NHS England can establish an information system only when directed by the Secretary of State or in response to a request from another body. All directions and requests that NHS England complies with must be published, so there is full transparency on what is being collected and for what purposes, and a clear upfront control. It cannot exceed the requirements of the direction or request. It must also publish its procedures for receiving and considering requests to establish information systems and for requests to access data. NHS England will report annually on how effectively it has discharged its transferred data functions, seeking independent advice to inform this report and consulting with the National Data Guardian for their views.
8:00 pm
Since the merger of NHS Digital with NHS England was announced in November 2021, the BMA has not raised any concerns with the department, and, as noble Lords will realise, NHS Digital liaises with the medical profession in relation to specific projects involving data of which it may be the controller.
It is not essential that the guidance is agreed for 1 February, provided it is finalised within a reasonable time following the transfer, as there will be a period while existing arrangements continue while NHS Digital and NHS England integrate. We have some time to make sure we get it right while still aiming to publish the guidance reasonably close to the transfer date. I would note also that we have been discussing the expectations that the statutory guidance will sit with NHS England for some time, to ensure that as far as possible, from day one, the organisation is able to adhere to the guidance, which builds on the good practice of NHS Digital.
I can reassure noble Lords this change will not diminish existing safeguards or standards of governance of patient data. I would also highlight that NHS England, as the body very much responsible for the running of the NHS in England, is used to dealing with sensitive and confidential information, and meeting the highest standards of governance. We will, of course, keep this transition and the statutory guidance under review, and I am happy to commit to making public the findings of our review.
I trust I have provided reassurance that this statutory instrument, with accompanying statutory guidance, keeps in place the many safeguards which ensure people’s data is safe and makes new statutory requirements. I commend these regulations to the House.
At end insert “but that this House regrets that (1) the consultation on the statutory guidance that will direct NHS England’s handling of the medical data under these Regulations is being conducted in a rushed and piecemeal manner, and (2) the results of that consultation are not available alongside the Regulations to reassure the House that patient data will be used properly”
My Lords, let me say at once that I support the digital transformation of the NHS and the use of information to enhance patient outcomes. I want to see the NHS move faster in a digital world, but it is essential that there are safeguards in place to protect the integrity and confidentiality of patient data. I say that as I look back into the history of NHS data, where we confronted a number of occasions when this did not happen. That is why this is such an important debate. I am grateful to the Minister for the assurances he has already given in his opening speech, and through him I thank his officials for the way in which they have been prepared to engage with us over the past few months, which has been very helpful.
I remain of the view that it was a mistake to bring NHS Digital, or the Health and Social Care Information Centre as it was formerly known, into NHS England, and feel that there are some inevitable tensions and conflicts in so doing. I think the review that led to this overlooked the issue of the integrity of patient information and public confidence when it suggested that the two functions should be brought together. That was legislated for; here we are now, examining some of the details.
The noble Lord has already referred to the Select Committee’s disappointment about the way in which it considered this had been done in a rushed and piecemeal manner. I have no doubt the House will want to take account of the Minister’s response. It is a pity that the full statutory guidance is not available as we debate these regulations. I think, as a matter of principle, it would have been much more sensible if that had occurred.
The core issue is that in the passage of the Bill, and a number of noble Lords who are here took part in that debate, the Government gave assurances that governance arrangements would protect NHS England from marking its own homework, with independent oversight of governance decisions under the new arrangements. The noble Lord, Lord Kamall, the then Minister, said that
My Lords, I echo the thanks of the noble Lord, Lord Hunt of Kings Heath, for the helpful and detailed discussions that the Minister, his predecessors and officials have had with the small group of us who have been worried about this issue, even before the Health and Care Bill started its passage through your Lordships’ House. Although some of us were more expert than others, and I was definitely not one of the expert members of the group, I care greatly about the digital revolution and ensuring that patient data is kept confidential.
The noble Lord, Lord Hunt, said that he supports improving and transforming data in the NHS. That cannot come soon enough. I have said before in this House, and it is still true probably a decade on from when I first said it here, that for my monthly blood tests I have to print out, photocopy and send copies to my hospital consultant because the hospital that I go to and the hospital that processes my blood tests do not use the same data system. That is ridiculous. It needs to change.
It is a real problem, as the noble Lord, Lord Hunt, set out, that the consultation and draft statutory guidance have been rushed through. I want to set that in the same context as that to which he referred, about perhaps going at a slightly slower pace while wanting the revolution to start. That might have been helpful. Omitting organisations such as the BMA from seeing the original statutory guidance raises the question: who else has not seen it? The question is almost impossible to answer. However, the detail of how this is going to work in practice inside the NHS will be the business of all clinical and administrative staff at all levels. It is vital that it works.
The Minister will know that I have repeatedly raised concerns about patient data and how people were not consulted in the two previous patient data and care.data communications. Both had to be held back because there has been outrage from the public that they were not given the chance to understand how their data would be used. Earlier this week, the Mirror reported that Matt Hancock had talked about handing over private patient medical records and the Covid test results of millions of UK residents to US data company Palantir fairly early on in the pandemic. It had offered to hold its data in its Foundry system, clean it and send it back to the NHS. I spoke about this in the Procurement Bill because I am concerned about how data can be kept truly confidential. Regarding the GP data for planning and research, the NHS has already published its federated data platform details, which is called by the Mirror the Palantir procurement prospectus. Perhaps I may ask the Minister, as an example of transparency for the new NHS England digital processes set out, whether organisations such as Palantir that are handling data records will absolutely not be permitted to use that data—even anonymised or deidentified—outside the purposes of the NHS, other than for agreed research being used in what my noble friend Lord Clement-Jones would say, if he were able to be in his place today, was a safe haven, thereby ensuring that that patient data remains completely confidential. The Minister knows, because I have said it before, that the problem is that in the past it has been possible to identify patient data when it was pseudonymised. I want confirmation that deidentifying really means that individuals cannot be tracked down and, most importantly, that the data will not be used elsewhere or sold on.
8:15 pm
I thank the Minister for his assurance so far that no patient’s data will be held and passed on beyond the NHS, but I am not sure that I have clarity about the new federated data platform. I echo the concerns of the noble Lord, Lord Hunt, about the loss of NHS Digital’s separate oversight group. That has worked well. I hear from our private discussions and from what the noble Lord said at the Dispatch Box that a mechanism is in place with an oversight committee, but it is still within NHS England. Can the Minister confirm that the first annual report that comes to your Lordships’ House will address how well this is working in practice? We need specifically to look at this issue because all noble Lords who have been involved in discussions with officials have raised this point.
I am grateful for the Minister’s speech at the Dispatch Box and it is good to hear that there will be no mission creep, and that it has to be the Secretary of State who will agree or not agree to instruct NHS England should there be any change to the data being collected.
Finally, I return to the timing and the speed. This feels very much like a rerun of the closure of Public Health England and the creation of the UKHSA when a Covid surge was still going on; officials in the department and NHS staff were working at full tilt and had to change the way in which they worked in order to cope with the UKHSA as a new body. Can the Minister reassure us that that will not be the same when NHS Digital moves into NHS England? My fear is that the pressure on the NHS at the moment means that the situation could be similar to the pressure that the UKHSA has faced over the past year in trying to create a new organisation and new structures at a time of immense pressure.
My Lords, I am grateful to the noble Lord, Lord Hunt of Kings Heath, for having put this amendment before us. I am not going to repeat the important points made by other noble Lords who have spoken but I have a few questions for the Minister. I should declare that I am a member of the BMA’s ethics committee and I am slightly concerned—if I heard the Minister right—that there has not been a comment back from the BMA, because there have been concerns about the potential monetisation of NHS data.
There were a lot of discussions within NHS Digital at the time of the passage of the legislation about pharma companies possibly having early access to some data and negotiating discounted prices as a result, particularly for expensive medication and early access. Can the Minister tell us how much discount has been achieved by some of those arrangements, whether those discounts have applied across the whole United Kingdom or whether they have been only of specific benefit within NHS England? As health is a devolved issue, we now have a problem particularly between Wales and England, where there is effectively a porous health border and many people are going from Wales to England for parts of their treatment cycles. That means that data moves across the border. So my next question is: what has happened in discussions with NHS Wales and what is being done to ensure compatibility for data transfer?
My next question relates to our experience last year when an NHS trust had its systems hacked and the whole system went down. How will the security of the new, larger holding of data be ensured? Obviously, if you have a lot of data held together, there are benefits but also risks. How are those risks being looked for and, as much as possible, mitigated against?
The other issue, again in relation to Wales, is somewhat historical but I have not been able to track down exactly what happened to some data. The Health and Social Care Information Centre merged with Connecting for Health in the 2012 Act. At that time, the data side was a UK-wide database. I wonder what happened to the data that was being held for Wales; whether NHS Digital still holds any data relevant to Wales; what discussions have been had with Wales over the transfer of relevant data; and what arrangements are being made for the future transfer of patient data—again, to allow the transfer of data while, importantly, preserving patient confidentiality. Of course, one of the problems when data is transferred between organisations is that there is a potential risk in terms of confidentiality and a possible leak.
Concerns were raised during the passage of the Bill that we would lose the excellent practice that NHS Digital has followed in protecting people’s data and the crucial separation between those responsible for collecting and de-identifying data and those in NHS England analysing it. We therefore committed to place further requirements on NHS England, alongside the transfer of statutory functions, to ensure it would be a safe haven for data via statutory guidance. This is a new requirement.
This statutory guidance sets out measures that we expect NHS England to take to protect confidential information. There was some disquiet that the guidance did not seem to go far enough and that we had not added new duties to the regulations. This was not considered necessary; this is a straightforward transfer of functions under a legal framework which goes back to 2012 and has stood the test of time. That framework includes duties under the 2012 Act to have regard to various matters such as the need to respect people and promote the privacy of service users.
Additionally, we will issue statutory guidance, and I will come on to its contents in a moment. NHS England must have regard to this guidance; that means that it would have to demonstrate that it had justification for any decision not to follow it. Case law has shown that clear and cogent reasons would be needed to depart from guidance which is subject to a statutory duty to have regard. However, we have added strength here, as there is also a new power of direction, introduced in the Health and Care Act 2022, which could be used in cases of non-compliance with the guidance—namely, in Section 13ZC of the NHS Act 2006. Together, these mechanisms create a strong, binding commitment on NHS England to maintain the highest levels of data protection and safeguards.
NHSE is a long-established public authority which is experienced in processing personal data, including that of patients and employees. It does so in accordance with a robust legal framework which includes UK GDPR and the Data Protection Act. The lawful and proper treatment of personal data by NHS England is extremely important to maintain the confidence of service users and employees, and NHS England is well versed in processing personal data lawfully and correctly. It is aware of the importance of seeking independent advice and will be able to do so where necessary, including on the recommendation of staff transferring from NHS Digital. NHS England will also be able to approach the Information Commissioner’s Office as the independent regulatory body if it needs an independent view on particular matters.
I also reassure noble Lords that this statutory guidance covers all confidential information as defined in Section 263(2) of the 2012 Act. Therefore, it covers all data identifying an individual and all data identifying an individual which is subsequently identified or pseudonymised where an organisation, including NHS England, holds both the de-identified data and other data which would enable reidentification.
The guidance requires NHS England to obtain independent expert advice on its data access processes and procedures and, where appropriate, on individual decisions around data access. This will enable these experts to provide advice and assurance for both external and internal requests for access to data for purposes other than direct care. NHS England will be required to secure this independent advice or have a very good reason for not doing so. It is not optional or a case of doing so only when convenient.
Central to this should be a data advisory group, comprising appropriate experts and lay members, including one or more members with expertise in social care. This last point is not currently spelled out by the draft guidance, which we will amend. It would be appropriate for some internal representation to support this group to add expert knowledge and insight, such as the organisation’s Caldicott Guardian and data protection officer. However, the majority of members should be independent advisers. Minutes of the data advisory group meetings should also be published.
I know that some noble Lords have been concerned that NHS England will receive data which is still identifiable and which NHS Digital would previously have de-identified before sharing. The statutory guidance requires that the organisation will de-identify data before its internal analysis and use—the same role which NHS Digital undertook previously will be done internally, by a team separate from those who need to use the data. It explicitly states that responsibilities and accountabilities for using the data should be organisationally separate from the functions providing assurance and advice on this, such as information governance and Caldicott Guardian functions, to ensure that there are no conflicts of interest.
NHS England must ensure that there is the right governance for considering internal requests to access data, based on the same principles of risk-based assessment as for external requests for data, and drawing on the same independent scrutiny and advice. Furthermore, the Secretary of State will issue a direction in relation to NHS England’s internal use of data, which will be published. This will make clear the legal responsibility for NHS England to de-identify data before analysis, so that an individual cannot be directly identified either from the data to be accessed or analysed or from the results of the analysis carried out. The guidance also calls for NHS England to develop a register of internal data uses mirroring that which currently exists for external data uses.
In response to the concerns of the Secondary Legislation Scrutiny Committee, although we are moving at pace, we are doing so because we are keen to see the benefits of creating a single statutory body responsible for data and digital technology for the NHS delivered quickly. The statutory guidance has been neither rushed nor piecemeal in development. The guidance has been in development for a number of months; a version was shared with some noble Lords and stakeholders before Christmas, and we have been discussing it with stakeholders—including the National Data Guardian, the Information Commissioner’s Office, NHS Digital and NHS England—revising it to reflect their comments and strengthening the requirements on internal use of data, which was a predominant concern.
We have now published the second draft, which we have drawn to the attention of noble Lords. This was also shared with the Secondary Legislation Scrutiny Committee and the British Medical Association and other professional organisations, to seek their feedback. I am sorry that we did not share the guidance before with the BMA.
“I can assure your Lordships that the proposed transfer of functions from NHS Digital to NHS England would not in any way weaken the safeguards. Indeed, when I spoke to the person responsible in the department, who the noble Lords met, he was very clear that in fact we want to strengthen the safeguards and take them further.”—[Official Report, 5/4/22; cols. 2005-06.]
Having said that, when one comes to look at the arrangements, there are still some questions and doubts that we would like to put forward tonight. I pay tribute to medConfidential, which has raised questions on how some types of data will be handled under the new regime and whether, in pursuit of efficiencies, NHS England’s handling of the data will be less transparent and subject to fewer checks and balances. I think that expresses the issue and the potential tension in a nutshell.
This was reinforced by the comments of the National Data Guardian, to whom I pay tribute for her strong involvement in these matters. In December, Dr Nicola Byrne expressed concern that, in the statutory instrument before us, there is no recognition of the need to have independent oversight. She noted that provisions to obtain independent advice from specialists and experts to advise on and scrutinise NHS England’s exercise of its data functions, which were originally included in a previous draft of the SI, had been removed. She reminded the Government that the commitments to putting the current, non-statutory provisions safeguards regarding oversight into regulations had been made by officials to the House of Commons Science and Technology Committee. I understand from the briefing we received last night that the advice received by the Minister’s officials was that it is not possible, due to the nature of the statutory instrument and the original primary legislation. It is, though, a pity.
In relation to the membership of the Data Advisory Group, the National Data Guardian referred to the arguments put forward by the department for having NHS England representatives on the group present in their capacity as senior individuals with responsibility for data access. I think they are not full members, but they will be present. The department’s argument is that that will support more efficient discussions regarding applications for data access. I can see that, clearly, officials may need to make presentations. I think it is a bit of a grey area when they are members, albeit not full members, of the actual group. The National Data Guardian reiterated that moving from a completely independent group to a hybrid model could affect public trust, particularly when advice is given and decisions are made on the internal uses of data.
We need to be clear why NHS Digital had an entirely independent oversight group. It was for very good reasons; it was put in place following the 2014 Partridge review which was conducted due to concerns about the way that patient data had been shared with insurance companies. There was a huge furore at the time. It was interesting that one of the resulting proposals after Partridge was the disbanding of an oversight group which involved staff members for a new independent oversight group. A public consultation in 2015 found support for this change. This is now being reversed. My fear is that something may go wrong with patient data and the department will come back and say, “Actually, we should make this an independent function”.
We have dealt with the issue of timing, and tonight the Minister has given an assurance that the outcome of the internal review into how well the transfer has gone will be made public—that will be very welcome. I will go just one step further and say that I hope the Minister may be prepared to brief parliamentarians on this at the same time.
The noble Lord also answered a question about social care that was asked in our briefing. I think he said there would be a person from a social care field on the group, which is definitely welcome. I suggest that discussions take place with the Local Government Association and the Association of Directors of Adult Social Services to make sure that they are fully involved and supportive of this happening.
So I remain of the view, as I have made clear, that it has been a mistake to bring NHS Digital into the NHS executive. Whatever the structure, one has to build in rigorous safeguards. The key here is the integrity and confidentiality of patient data. It is pretty clear that if the NHS is to be at all sustainable, it has to embrace the digital revolution and it has a long way to go. So I am right behind the Minister in what I know he is personally seeking to do. It is just that if anything goes wrong with patient confidentiality, the whole thing can fall down. That is why this is so important. I very much look to the noble Lord and NHS England officials to ensure that we recognise that the integrity of personal patient information is important. I beg to move.
My last question for the Minister is quite simple: why were these regulations not laid earlier? As I understand it, the processes are now well under way—indeed, they are almost complete in terms of the staff, the merger and so on. It would have been helpful for everyone to have been able to have sight of these regulations, as well as all the supporting documentation, earlier.