Data processing

Healthcare (International Arrangements) Bill – in a Public Bill Committee am 12:00 pm ar 29 Tachwedd 2018.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Julie Cooper Julie Cooper Shadow Minister (Health and Social Care) (Community Health) 12:00, 29 Tachwedd 2018

I beg to move amendment 1, in clause 4, page 3, line 17, leave out paragraph (d).

It is a pleasure to serve under your chairmanship, Mr Stringer, and I am pleased to have the opportunity to speak to clause 4. At this time of great uncertainty, when the nature of our future relationship with the European Union is still unknown, we welcome the intention outlined in the Bill to give some confidence to those who currently rely on the reciprocal health arrangements between the UK and the nations of the EU and EEA. We are only surprised that the Bill has taken so long to come before us.

The scope of the Bill is designed to cater for all possible outcomes of the UK and EU negotiations. The intention is that, deal or no deal, the Bill will empower the Secretary of State to negotiate future reciprocal healthcare arrangements between the nations of the UK and the EU, and any other such nation as is desired. Providing for pensioners, visitors, students and workers to live, work, study and travel in EU member states with complete peace of mind regarding the provision of healthcare is a priority for Labour. We therefore recognise the need for the Bill.

While understanding that any future agreement must allow for the smooth transference of data for the achievement of the best possible outcomes for patients, we believe it is also crucial that the Bill provides robust powers to protect personal data. Health records contain both personal and sensitive data, and access to such information must be allowed sparingly and only for medical purposes. Access to personal data should be available to health professionals who are bound by a duty of confidentiality on the basis of need to know. The Data Protection Act 2018 outlines the key principles relating to the protection of data; compliance with the spirit of those principles is fundamental to good data protection practice, and embodies the spirit of lawful, fair and transparent use of data.

Currently, the General Data Protection Regulation places restrictions on the transfer of personal data to countries outside the EU and EEA. As the UK leaves the EU, we will not automatically enjoy existing protections; indeed, this Bill provides powers for negotiations to take place with nation states across the world, to reach agreement on a bilateral basis. That makes it imperative, in our view, that the Bill protects against potential misuse of personal data.

Clause 4 outlines the detail of how data will be processed for the purposes of the Bill. We have noted the wide-ranging powers to be given to authorised persons, who may

“process personal data held by the person in connection with any of the person’s functions where that person considers it necessary for the purposes of implementing, operating or facilitating the doing of anything under or by virtue of this Act.”

We are not satisfied that sufficient safeguards are in place when defining an authorised person for the purposes of the Bill. We have listened carefully to the concerns of the British Medical Association, and share that organisation’s concerns about the lack of detail in the definition of “authorised person” in subsection (6). Mr Jethwa, representing the BMA, said in his evidence to this Committee that data

“has to be accessed on a need-to-know basis, and only when it is in line with patients’ expectations. Data sharing has to be transparent. We would be absolutely concerned that any safeguards meet those criteria and principles. I do not think the details in the Bill make that clear at the moment. We would like to see more clarity and detail about that in future.”––[Official Report, Healthcare (International Arrangements) Public Bill Committee, 27 November 2018; c. 5, Q14.]

Mr Henderson, from the Academy of Medical Royal Colleges, said that although he recognises that there must be a “free flow” of data,

“individual patients’ data must be protected”,

and that

“it is slightly hard to say whether there is sufficient protection there or not”.––[Official Report, Healthcare (International Arrangements) Public Bill Committee, 27 November 2018; c. 5, Q13.]

He is correct: it is hard to see that there are sufficient protections in the Bill. This is a hugely important issue that needs to be fully addressed.

With that in mind, we are of the view that subsection (6)(d) should be deleted, principally because it gives the Secretary of State a power—to authorise private health companies to access patient data—that is far too wide ranging. We believe that removing that paragraph protects personal data and achieves a balance, giving more confidence to patients while allowing the smooth transfer of data to designated qualified personnel.

The right to privacy and access to healthcare are rights that we value, and the one should not be conditional on the other. We wish to ensure that the Bill gives UK patients, and patients from the EU, full confidence that their personal information will not be shared inappropriately. That remains the case whether healthcare is received in the UK or overseas as part of a reciprocal healthcare agreement. As we leave the European Union, citizens accessing medical care as part of a reciprocal health agreement need to be sure that their personal data will not be shared inappropriately. Without that assurance, citizens may be discouraged from seeking medical assistance.

Photo of Stephen Hammond Stephen Hammond Minister of State (Department of Health and Social Care)

I thank the hon. Member for Burnley for moving this amendment, because it gives me the opportunity to set out clearly and in some depth why we have chosen to include clause 4(6)(d) in the Bill. I want to lay out the reasoning for our concerns about this amendment. I hope that I will be able to reassure her of the vital importance of paragraph (d), and that it is necessary and appropriate, because we will be unable to accept the amendment.

Reciprocal healthcare agreements are made possible by close, consensual co-operation of different parties and bodies, such as the Department of Health and Social Care, the Commissioners for Her Majesty’s Revenue and Customs, Ministers of devolved Administrations, healthcare providers and all their opposite numbers in EU and EEA countries. Since the Bill is about the provision of healthcare, it would be remiss of Her Majesty’s Government to exclude healthcare providers, either those in the United Kingdom or those in other countries, from the list with authority and sanction to process and share data. Given that it is the Government’s position that in the agreement with the EU, future arrangements for the provision of healthcare abroad will reflect existing ones, it is worth reflecting on the place of healthcare providers in these processes, to illustrate the role they play in the commission and delivery of healthcare abroad.

Under the S2 route, a UK resident may decide to seek planned treatment abroad. As part of the ordinary procedure, the UK resident must visit a healthcare provider in the UK. The clinician would then provide written evidence that the person has had a full clinical assessment, which must clearly state why the treatment is needed in their circumstances and what the clinician considers to be a medically justifiable time period within which they should be treated again, based on their circumstances. As is clear under existing arrangements, this function can only be served by a medically trained healthcare provider. This paperwork is then passed on to NHS England or the comparable authority in the devolved Administrations for further processing. Many of those organisations are provided for by subsection (6)(c). Members will, I hope, understand that the lack of qualification around the term “provider of healthcare” is appropriate and necessary at this stage, given that future arrangements are not yet clear.

If the Government are adequately to fulfil the purposes outlined in clause 1, they need to be able to facilitate and fund healthcare for UK persons, for whom they feel responsible, whether the provider is based in the UK or overseas. In that connection, I think it is worth pointing out that the current reciprocal healthcare arrangements allow UK persons to access treatment from providers of healthcare in another country that are not NHS bodies or comparable state providers in another country, as defined by UK healthcare legislation. That might include an optometrist or a dentist, many of whom fall outside the state healthcare system.

Subsection 6(d) proposes to ensure that other types of healthcare providers are authorised to process personal data under the Bill, but most importantly that NHS bodies are able, where necessary, to share personal data for the purposes of the Bill with healthcare providers based outside the UK. Simply, if such providers were not also considered authorised, it would be impossible for healthcare commissioned, implemented, facilitated or funded by the UK to be authorised to be rendered abroad.

The hon. Lady is concerned that the clause will allow private providers access to patient data and the powers to process it. She should be reassured that that is already legal and proper under existing arrangements governed by EU regulations. Under existing reciprocal healthcare arrangements, UK persons are able to receive treatment in another country on the same basis as a local resident of that country. That includes healthcare or other treatments given by healthcare providers other than those that fall within the scope of domestic UK healthcare legislation.

After the fact and on return to the UK, the person would be able to seek reimbursement, where appropriate, from the relevant UK authorities. It is worth noting that the person who sought treatment abroad would typically only be reimbursed up to the amount it would have cost under the NHS. It would be for the person, not the Department of Health and Social Care, to bear the financial risk of any additional cost.

Since our desire to continue existing arrangements is shared by those on both sides of the House, I do not feel that the clause has inappropriate powers. To further allay any other fears, I remind members of the Committee that the clause contains safeguards to guard against any misuse of data. The Bill gives powers to providers, either in state healthcare systems or private ones, to process solely where it is necessary for the limited purpose of funding or arranging healthcare abroad—nothing more.

All processing of the data by all parties must also comply with existing data protection legislation. That is a crucial safeguard under UK data legislation. Data concerning healthcare is personal or specific category data. That can only be processed where specific conditions are met, namely that processing is necessary for the purpose of healthcare and in the public interest. Members will recognise that clause 4(6)(d) does not represent a deviation or new departure from existing arrangements and simply allows for the Government to maintain or improve those arrangements in whatever circumstances we find ourselves in after exit.

In closing, were the amendment agreed, it could risk patient outcomes by excluding providers of healthcare from the list of authorised persons. The hon. Lady expressed some concerns, and I hope that my response has allayed them. I offer to make my officials available to provide a briefing on this matter to her and any other member of the Committee who should so wish, so that they can be completely reassured that the normal data protection legislation will apply to the Bill. The exchange of data may happen only for a limited and focused purpose. The hon. Lady was right to express her concerns, and I hope she will be reassured by my words and that she will not feel the need to press her amendment to a Division.

Photo of Julie Cooper Julie Cooper Shadow Minister (Health and Social Care) (Community Health)

I am grateful to the Minister for those explanations, and I welcome him saying it is a very limited and focused use of the data. I would be happy to take a briefing from his officials, but further to that, to give assurance to our side, I would be grateful if he will undertake to go further on Report and outline the scope of the subsection. If he will do that, we will not press the amendment to a Division.

Photo of Stephen Hammond Stephen Hammond Minister of State (Department of Health and Social Care)

We will carefully consider what the hon. Lady has said and her request for further details on Report. I have listened and have offered that briefing, and I hope that is sufficient for her to decide not to press the amendment to a Division now.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Photo of Stephen Hammond Stephen Hammond Minister of State (Department of Health and Social Care) 12:15, 29 Tachwedd 2018

I will try to limit my comments, given that we have already had discussions on the amendment. I am sure that will be welcome on this cold November day in a rather warm room.

Clause 4 provides a clear legal basis for processing personal data under the Bill for the purposes of UK data protection legislation. At present, the EU regulations provide a lawful basis for processing data for the purposes of reciprocal healthcare. Personal data is integral for providing healthcare abroad. It is vital that authorised persons in the UK can process data for that purpose. The clause ensures that, after exit day, there is a clear and transparent basis for processing personal data for the purposes of providing healthcare abroad, as required by UK data protection legislation. Clause 4 will ensure that safeguards are in place for that processing.

Subsection (1) limits processing to that which is necessary for the purposes of the Bill. Subsections (2) and (3) ensure that any such processing must remain in compliance with UK data protection legislation and the Investigatory Powers Act 2016, and any other relevant restrictions. Finally, the persons who can process data under the Bill are limited to those authorised in subsection (6), which we have just discussed.

The safeguards limit the scope of clause 4 to what is necessary and proportionate to provide healthcare abroad. For reciprocal healthcare, personal data is required to process reimbursements to and from other countries, and where reimbursement is made to a person as well. It is also sometimes necessary for healthcare providers to share medical information to facilitate treatment. The clause ensures that the Government can continue to process personal data as necessary, after exit day, in an effective and lawful way. Personal data transferred from outside the UK will remain subject to the need for safeguards to be put in place before it is transferred. Those safeguards will not be able to be contracted out as part of any healthcare agreement with the EU or member states or third countries.

As I said a moment ago, subsection (1) provides for an authorised person to process data related to the provision of healthcare abroad. Personal data is defined in the GDPR as data that relates to a living person who can be directly or indirectly identified from the data. Specific category data is personal data containing health and genetic data. At present, there are different routes for providing healthcare abroad, such as the S1, S2 or EHIC routes, and each route requires different forms of personal data.

Subsection (2) disapplies the duty of confidence and any restriction on the processing that would otherwise apply. The exemption ensures that data can be disclosed where it is necessary for the limited purposes of the Bill. The measure is necessary and appropriate. For example, authorised persons may need to share data if a person is unconscious and therefore not in a state to provide it themselves. Importantly, as expressed in subsection (3), data processing must continue to comply with the UK data protection legislation, which ensures there are further safeguards around data processing. The GDPR also governs data transfers between the UK and other countries. All EU and EEA countries are bound by the GDPR, which means the relevant national data protection safeguards in each country are adequate, allowing the free transfer of data between countries.

Subsection (3)(a) expressly requires that the processing of data does not contravene existing data protection legislation, and subsection (3)(b) requires that the processing of data must comply with parts 1 to 7 or chapter 1 of part 9 of the Investigatory Powers Act 2016. The only purposes for which investigatory powers may be required are to investigate and tackle suspected cases of fraud and error relating to healthcare abroad.

As set out in subsection (1), the processing of data under the Bill is limited to authorised persons who, as we have discussed, are defined in subsection (6). The list reflects those persons and bodies currently involved in processing data, including personal data under existing reciprocal healthcare arrangements.

I mentioned that, for clarity’s sake, subsection (6)(a) lists

“the Secretary of State, the Treasury, the Commissioners for Her Majesty’s Revenue and Customs, the Scottish Ministers, the Welsh Ministers and a Northern Ireland department”.

Healthcare abroad is entirely managed and operated by the Department of Health and Social Care in co-operation with the Executives in the devolved Administrations and their local healthcare systems. Although the Bill is about the provision of healthcare abroad, it is vital that the Executives of the devolved Administrations are considered authorised persons, since healthcare abroad is often facilitated in co-operation with them. Under subsections (6)(b), (c) and (d), healthcare bodies and providers are considered authorised persons as they are directly involved in the provision of healthcare.

Finally, subsection (6)(e) gives the Secretary of State the power to add to the list of authorised persons, which will ensure that the Government can respond appropriately, whatever the outcome of EU exit. It is also deemed necessary to allow the Secretary of State to respond to the changing demands of systems and operations. In future, duties may change and adding to the list will be difficult, so it is necessary to have the power in place.

Clause 4 is an important component of the Bill. It provides the Government with the necessary power to process and share data that relates to healthcare provided abroad. Therefore, I recommend that the clause stand part of the Bill.

Question put and agreed to.

Clause 4 accordingly ordered to stand part of the Bill.

Clause 5