Memorandum of understanding on data-sharing between NHS Digital and the Home Office Contents

Appendix: Letter from the Chair of the Committee to the Chief Executive of NHS Digital, 29 January 2018

Sarah Wilkinson

Chief Executive, NHS Digital

Dear Ms Wilkinson,

Thank you for attending the hearing of the Health Committee on 16 January to discuss the memorandum of understanding between NHS Digital, the Home Office and the Department of Health on processing information requests from the Home Office to NHS Digital for tracing immigration offenders.

We were pleased to hear you affirm, in answer to Dr Williams’s final question (Q94), that the decision as to whether the data-sharing arrangement should continue lies firmly with NHS Digital. I write on behalf of the Committee, in light of the evidence which we have received in the course of our inquiry, to request that NHS Digital immediately withdraw from the memorandum of understanding, and cease sharing data with the Home Office for immigration tracing purposes, whilst it conducts a full review of its decision on the public interest test for such requests.

Background to the tracing arrangements

As a Committee, we accept that the Home Office has a responsibility to seek to identify immigration offenders, to re-establish contact with them, and to take the required enforcement action.

We understand why the Home Office seeks information to enable it to carry out its immigration enforcement role. NHS Digital, and its predecessor organisations, undoubtedly hold information which the Home Office would view as useful. However, the NHS should not place that above the serious adverse consequences of such a decision.

As your senior non-executive director Sir Ian Andrews acknowledged (Q89), these arrangements had produced a “haphazard” process. Our predecessor Committee’s work in 2014 also identified that point, and NHS Digital established a review in response. The review has resulted in many changes to practice and procedure in NHS Digital’s “back office” functions.

Public interest

However, the evidence which we have received makes very clear that the review has not adequately addressed the fundamental question of whether the arrangements for data sharing for immigration purposes, which had grown up in the haphazard way described by Sir Ian and without consideration of their appropriateness in a wider context, should continue. Specifically, we do not believe that NHS Digital has fully considered and appropriately taken account of the public interest in maintaining a confidential medical service, or appropriately considered the ethical implications of their decision.

Inadequate consultation

The submissions which have been sent to us indicate that not only was there inadequate consultation with concerned non-governmental organisations such as the National Aids Trust and Doctors of the World, but more seriously, the concerns of both the General Medical Council (GMC) and the National Data Guardian (NDG) about the practice now enshrined in the memorandum of understanding have not been adequately addressed. We also find it disturbing that the matter has not been considered by NHS Digital’s own Independent Group Advising on the Release of Data (IGARD) (Q1).

The inadequacy of the consultation with bodies and individuals concerned about confidentiality is apparent throughout the submissions which we have received. It is most clearly demonstrated, however, by the fact that, despite the five paragraphs in the memorandum of understanding devoted to public interest in disclosing information for the purposes of immigration enforcement, there is no mention anywhere in the MoU of the public interest in the maintenance of a confidential medical service.

It is unfortunate that, throughout both our and our predecessors’ scrutiny of this matter, both NHS Digital and the Department of Health have continued to maintain that consultation on the memorandum of understanding was unnecessary, or would have been inappropriate, because it was merely an “internal governance assurance document” which “represents the operationalisation of existing functions”. That is wholly to miss the point. It is not the MoU itself on which full consultation should have taken place, but on the practice of data-sharing for immigration enforcement which it enshrined. That full consultation clearly has not taken place.

Compatibility with guidance on confidentiality

This lack of consultation has resulted in a situation where data-sharing is taking place in a manner which is incompatible both with the guidance on confidentiality given by the GMC and the NHS Code of Confidentiality. We find that situation unacceptable. The Minister’s inability to respond to our questioning about whether clinicians should be expected to inform their patients that their names and addresses might be shared with the Home Office (Qq 33–36) was telling. So is the fact that NHS Digital does not, so we understand, involve clinicians within the organisation, including its own Caldicott Guardian and Deputy Caldicott Guardian, in decision-making on these requests, in order to protect them from the risk that in so doing they would be acting in conflict with the GMC’s confidentiality guidance. National Data Guardian Dame Fiona Caldicott observes—with, we believe, understatement—that “if an organisation in the NHS family such as NHS Digital considers it necessary to make arrangements so that doctors, including its most senior staff responsible for protecting confidentiality, do not take part in decision-making, particularly in an area on which they might be expected to give advice, because doing so might place them in breach of professional confidentiality guidelines, this could be taken to be an indication that there is a problem.”

Advice from Public Health England

We are also concerned that the advice of the one organisation in the health field who was appropriately consulted, the Government’s statutory public health adviser Public Health Enland, has been so comprehensively ignored. PHE’s advice was very clear: “the perceived or actual sharing of identifiable information from confidential health records in order to trace individuals in relation to possible immigration offences [ … ] could present a serious risk to public health and has the potential to adversely impact on the discharge by PHE of the Secretary of State’s statutory health protection duty”. The reference, in the National Back Office review report, to a lack of “robust statistical evidence” as a justification for rejecting PHE’s advice is wholly unconvincing. Still less convincing as a justification is NHS Digital’s invocation of “the potential harm that might arise by not processing these tracing requests, i.e. an individual would be out in the community without appropriate support for longer”. The purpose of tracing is not to provide these individuals with medical assistance but to take enforcement action, presumably leading to deportation, and it seems to us to be misleading to include this point. As Dame Fiona Caldicott has observed, “the evidence presented by colleagues from Public Health England and the voluntary and charity sector that undocumented migrants are deterred from seeking healthcare for the fear that information about them will be shared with other parts of Government is convincing, and appears to be considerably more substantial than the evidence available about the benefit of these disclosures”.

In this context, the commissioning of PHE to carry out a further evidence review appears to be little more than window-dressing. Given the nature of the population about whom this further evidence is intended to be sought, we doubt that the kind of data which NHS Digital is demanding is even capable of being collected. As Yusef Azad of NAT told us (Q16), “The irony is not lost on us, to be asked for statistical evidence by a tracing service desperately trying to find the basic whereabouts of thousands of migrants every year. The Home Office itself does not have robust statistical evidence around undocumented migrants. That is the problem.” Witnesses at our hearing provided accounts of individuals already being deterred from seeking help and NHS Digital needs to take a precautionary approach. Absence of evidence is not evidence of absence when it comes to assessing an avoidable risk of communicable diseases going untreated.

Suspension of the MoU

For those reasons, we request that NHS Digital suspend the MoU immediately, and undertake a further and more thorough review of the public interest test. In order to ensure that there is no continued conflict between the standards of confidentiality applied in different parts of the health system, consideration of the public interest test, and whether the arrangements set out in the memorandum of understanding should be resumed, should not be undertaken until NHS England’s review of the NHS Code of Confidentiality is complete. The decision about the application of the public interest test should be undertaken in the light of the reviewed Code, and the sharing of data held by the NHS for immigration enforcement should not be resumed in the meantime. Furthermore, the decision about the application of the public interest test should be taken in the light of public consultation, and with the full participation of both the General Medical Council and the National Data Guardian.

Our evidence on the public interest test

The evidence which has been presented to us in the course of our brief inquiry suggests very strongly—contrary to your own assessment—that the public interest in the disclosure of information held by the NHS is heavily outweighed by the public interest in the maitenance of a confidential medical service. The evidence of harm both to individuals and to health-seeking behaviour, with its potentially serious implications for public health, and to the patient-clinician relationship, which depends crucially on trust, is tangible. Furthermore, the practice of sharing data for immigration tracing purposes—even data at what the Minister referred to as “the low end of the spectrum of confidentiality”—has significant implications for public confidence generally in the confidentiality of health data. It is vitally important that the public has confidence in the handling of data held by the NHS, so that it can be shared in circumstances where there are genuine benefits to the health and wellbeing of individuals and the population. Those reasons alone are sufficient, in our view, to justify the suspension of the MoU until the implications of the practice of sharing these data have been fully explored.

NHS Digital’s duties

We are deeply disappointed that NHS Digital has until now approached this matter as one of “simply [seeking] to exercise our statutory duty”. We note the view of the National Data Guardian that “the legal gateway being used in the Health and Social Care Act should be considered as a necessary, but not sufficient, hurdle to be passed before the information is disclosed”. We further note that NHS Digital is also subject to the duty, under section 253(1)(ca) of the Health and Social Care Act 2012, to have regard to “the need to respect and promote the privacy of recipients of health services”.

We now expect NHS Digital to take this opportunity to demonstrate that it takes its duties in respect of confidentiality seriously by listening to the concerns raised about the MoU and taking action accordingly. If it does not, we will expect to hold a further evidence session, where you will be required to provide a very much more convincing case for the continued operation of this MoU than has been presented so far.

Yours sincerely,

Dr Sarah Wollaston MP

Chair of the Committee

Published: 15 April 2018