Summary
In December 2013, NHS England directed the Health and Social Care Information Centre to establish a system for uploading and linking GP patient coded data with identifiers, using its new powers in Part 9 of the Health and Social Care Act 2012. In February, after an effective campaign by the British Medical Association, the Royal College of General Practitioners and medConfidential, a six-month delay was announced.
In March the government sought to amend the Care Bill in the House of Commons in a bid to allay concerns about patient confidentiality. Its amendments, however, were criticised as inadequate, and the Bill is due to come before the House of Lords on 07 May. The fiasco and the rushed legislative response are symptoms of the government’s privatisation agenda trumping patient confidentiality and the need to collect and use data for public health research, planning and audit.
We set out below three proposed amendments to the Care Bill which we consider are needed to help restore public trust in the handling of patient information.
Proposed amendment 1: retaining control and management of confidential information
This amendment would ensure as a general rule that disclosure to and use of confidential information by commercial organisations involved in health and social care is not permitted. Three clear and mainly consent-based exceptions to this general rule are proposed; and, in addition, it would not apply to future “section 251 approvals” or to drug trials.
Proposed amendment 2: putting the Independent Information Governance Oversight Panel on a statutory footing
This amendment would place on a statutory footing the current non-statutory Independent Information Governance Oversight Panel chaired by Dame Fiona Caldicott and set up by the Secretary of State with the main function of advising on information governance across the health and social care system.
Proposed amendment 3: independent oversight over certain directions and the accreditation scheme
This amendment would revoke the directions made by NHS England in December 2013 in order to implement the Care.data programme, and ensure independent oversight of the Secretary of State’s and NHS England’s directions to the Health and Social Care Information Centre, and of the awaited Secretary of State’s regulations to establish an accreditation scheme for private sector information providers.
We set out and explain further each of the proposed amendments below.
Proposed amendment (1)
Retaining control and management of confidential information
Insert the following new section into Part 9 of the Health and Social Care Act 2012-
Control and management of confidential information
(1) Subject to subsections (3), (4) and (5), nothing in this Part shall permit or require the collection, analysis, publication, dissemination or other processing of confidential information by or to any person which is a relevant commercial organisation.
(2) Subject to subsections (3), (4) and (5), any confidential information held at the date this subsection comes into force by any person which is a relevant commercial organisation shall not be processed and shall be held subject to directions from the Secretary of State.
(3) Subsections (1) and (2) shall not apply if and to the extent that the confidential information has been disclosed to the relevant commercial organisation:
(a) by the individual to whom the information relates, or
(b) in the lawful exercise of a statutory power and not in breach of any professional regulation,
and, in either case, one of the three conditions set out in subsection (4) applies.
(4) The conditions referred to in subsection (3) are:
(a) the purpose of the processing has been previously disclosed to the individual to whom the information relates and his prior express consent has been obtained, or
(b) the individual to whom the information relates is dead or is a minor, the purpose of the processing has been previously disclosed to his next of kin or his parent or guardian, as the case may be, and their prior express consent has been obtained, or
(c) previous disclosure and prior express consent was reasonably and manifestly impracticable and the organisation holding the information acted reasonably in all the circumstances.
(5) This section does not apply to aggregated information provided to a person which has been designated an accredited information service provider under section 267.
(6) In this section:
“confidential information” means information which—
(a) identifies any individual to whom the information relates who is not an individual who provides health care or adult social care, or
(b) enables the identity of such an individual to be ascertained.
“processing” in relation to information has the same meaning as in the Data Protection Act 1998; and “processed” shall be construed accordingly;
“professional regulation” means any regulation, rule, standard, advice, guidance or recommendation applicable to the person disclosing the information and adopted by a regulatory body listed in section 25(3) of the National Health Service Reform and Health Care Professions Act 2002;
“relevant commercial organisation” means:
(a) a body which is incorporated under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere) relating to health and social care,
(b) any other body corporate (wherever incorporated) which carries on a business, or part of a business, in any part of the United Kingdom, relating to health or social care,
(c) a partnership which is formed under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere) relating to health or social care, or
(d) any other partnership (wherever formed) which carries on a business, or part of a business, in any part of the United Kingdom, relating to health or social care.
Explanation
The purpose of this amendment is to ensure as a general rule that disclosure to and use of confidential information by commercial organisations (as defined by the Bribery Act 2010, section 7) involved in health and social care is not permitted.
The general rule is in two parts. The first part is set out in subsection (1) and applies to the future. It would apply to confidential information which might in the future be processed under the new provisions in Part 9 of the Health and Social Care Act 2012. It would not apply to processing under future approvals under The Health Service (Control of Patient Information) Regulations 2002 (commonly referred to as “section 251 approvals”). This reflects the higher level of trust in the longer-established s.251 approval process.
The second part is set out in subsection (2) and applies to the past. Because of the present lack of transparency as regards which private companies already hold confidential patient information, for what purposes (including internal corporate group use), under which legal powers and subject to what legal restrictions, this subsection would apply to confidential information held by companies at the time the subsection came into effect. Before the subsection came into effect, the intention is that the Secretary of State would investigate, publish and consult on these aspects, and thereafter give directions to the commercial organizations concerned as to how they should deal with the confidential information.
Three categories of exception to the general rule are proposed. First, it would not apply where the organisation (such as a GP practice operating in partnership or as a limited company or a private health company offering publically-funded GP or other services) had obtained the information from the individual himself or herself, the purpose of the processing was previously disclosed to the individual, and his or her prior express consent was obtained.
Second, it would not apply where the information was disclosed to the relevant commercial organisation in the lawful exercise of a statutory power and not in breach of any professional rule or standard (for example, established by the General Medical Council or similar professional regulator), the processing purpose had been previously disclosed to the individual and he or she had given express consent.
Third, it would not apply to aggregated information provided to private sector information service providers accredited under regulations which the Secretary of State may make under section 267 of the Health and Social Care Act 2012, on the assumption that such regulations would be adopted after approval by The Independent Oversight Panel or under the super-affirmative resolution procedure (see Proposed Amendments (2) and (3)).
If individuals have died or are children, their next of kin’s or parental consent should have been obtained. Consent and previous disclosure would not be needed where this would have been reasonably and manifestly impracticable, provided the person holding the information has acted reasonably in all the circumstances (which could involve, for example, having advertised the intended use and made attempts to identify and locate the individuals concerned).
This amendment is not intended to apply to the pre-marketing trials of new drugs, which require participants’ consent, or to post-marketing surveillance and pharmacovigilance obligations of drug companies under drug regulation law.
Proposed amendment (2)
Putting the Independent Information Governance Oversight Panel on a statutory footing
Insert the following new section into the Care Bill –
The Oversight Panel
(1) There is to be a panel known as the Independent Information Governance Oversight Panel (referred to in this section as “the Oversight Panel”).
(2) The main duty of the Oversight Panel shall be to provide independent advice on all matters relating to the governance of information in relation to health and adult social care services.
(3) In exercising its main duty, the Oversight Panel shall:
(a) provide advice and make recommendations and proposals on such governance to the Secretary of State, and report annually; and
(b) provide advice on such governance to any other person or body in relation to health and adult social care services.
(4) Any person or body who is advised by the Oversight Panel pursuant to this section shall have regard to that advice.
(5) The Secretary of State may by regulations make provision about the Oversight Panel relating, in particular, to appointment of the chair and other members, terms of appointment, establishment and membership of committees or sub-committees, its proceedings and payment of remuneration, allowances and expenses.
Explanation
This amendment would place on a statutory footing the current non-statutory Independent Information Governance Oversight Panel chaired by Dame Fiona Caldicott and set up by the Secretary of State, as well as its present non-statutory terms of reference. It would also require persons and bodies across the health and social care system to have regard to its advice.
Reinstating independent statutory oversight of information governance is a prerequisite for public trust, after abolition in the 2012 Act of the National Information Governance Board. The Panel’s currently non-statutory annual reports and functions to advise and challenge would become legal duties to which regard must be had.
Proposed amendment (3)
Independent oversight over certain directions and the accreditation scheme
Insert the following new section into Part 9 of the Health and Social Care Act 2012-
Revocation and independent oversight
(1) The Health and Social Care Information Centre (Establishment of Information Systems for NHS Services: Collection and Analysis of Primary Care Data) Directions 2013 are revoked.
(2) Directions of the Secretary of State and of NHS England under section 254(1), and regulations under section 267 shall not be made without the approval of The Independent Information Government Oversight Panel.
Explanation
Subsection (1) of this amendment would revoke the directions made by NHS England in December 2013 in order to implement the Care.data programme.
Subsection (2) would ensure in the future independent oversight of the Secretary of State’s and NHS England’s directions to the Health and Social Care Information Centre under section 254 (1) of the 2012 Act, and of the regulations that the Secretary of State is empowered to make under s.267 to establish an accreditation scheme for private sector information providers, by requiring the previous approval of the Oversight Panel.
If the Oversight Panel was not to be put on a statutory footing (along the lines set out in Proposed Amendment (2)), we would propose that subsection (2) should read:
“(2) Directions of the Secretary of State and of NHS England under section 254(1), and regulations under section 267 shall not take effect unless an order has been made by the Secretary of State in accordance with the super-affirmative resolution procedure under section 18 of the Legislative and Regulatory Reform Act 2006; and the provisions of Part 1 of that Act shall apply to such an order as if it was to be made and was made under that Part.”