Health and Care Bill

Written evidence submitted by the Information Commissioner (HCB102)

The Information Commissioner’s response to the Health and Care Bill Committee’s call for evidence

Executive summary

An overview of data protection obligations with reference to the relevant clauses of the Health and Care Bill (the Bill) including:

· Data Protection by design and default

· Data sharing

· Definitions

· Article 36(4) UK GDPR Prior Consultation

· Enforcement

Introduction

1. As Information Commissioner I have responsibility for promoting and enforcing the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), the Freedom of Information Act 2000 (FOIA), the Privacy and Electronic Regulations 2003 (PECR) and the Environmental Information Regulations 2004 (EIR).

2. I am independent from government and uphold information rights in the public interest, promoting transparency and openness by public bodies and organisations and data privacy for individuals. I discharge these duties via my office, the Information Commissioner’s Office (ICO).

3. I welcome the government’s aim to normalise some of the innovative practices that emerged from the COVID-19 pandemic in this Bill, specifically around the use of data. This legislation recognises the centrality of effective data sharing to the integration of health and social care systems. My office is uniquely placed to advise on how effective data sharing, which respects data protection principles, can be achieved.

4. The new legal framework proposed by the Bill will involve the storing and sharing of special category personal data (health data), and this will be subject to data protection legislation. I am, therefore, an interested party.

5. Processing of personal data must comply with the overarching principles of fairness. Where it involves interference with data subjects’ rights it must be necessary and proportionate. These requirements provide additional protection for the public and assist in securing trust and confidence in data processing.

6. My recommendations ensure due consideration is given to data protection implications during the passage of the Bill. I am raising these issues at this early stage to aid the committee in anticipating where compliance issues could arise further down the line.

7. I welcome the opportunity to respond to the Bill and offer guidance and expertise. I already have established relationships with key stakeholders working on health data sharing and regularly advise on data protection considerations. I have highlighted areas where the committee may benefit from further input from my office.

Data protection by design and default

8. Firstly, I will highlight the requirement under UK GDPR (Article 25) of data protection by design and default. Where provisions are introduced which will be subject to existing data protection obligations, the implications of this should be duly considered as early as possible.

9. The ICO’s guidance on data protection by design and default [1] assists in putting in place appropriate technical and organisational measures to implement data protection principles effectively. It will help in demonstrating compliance with the requirements set out in the UK GDPR. These focus on accountability by illustrating how measures have been built in to protect personal data from the outset. This is important for building public trust and confidence.

10. For example, at Part 1, General duties of integrated care boards, Clause 19 (14Z39) there is a duty to promote innovation in the provision of health services (including innovation in the arrangements made for their provision). Whilst this duty is drafted quite broadly in the Bill, it is unclear how far the promotion will extend. I strongly advise adopting a data protection by design approach from the outset in the implementation of any system.

11. I also highlight the requirement to carry out a data protection impact assessment (DPIA) for any high risk processing operation under Article 35 of the UK GDPR. The obligation to explain why the processing is necessary and proportionate, and the requirement to identify and assess risks, ensures due consideration is given to this at the outset. Any new initiative which involves data processing activities should be subject to this approach.

12. The data protection by design approach links closely to transparency, a key data protection principle. Transparency is fundamentally linked to fairness and is about being clear, open and honest from the start about who you are and how and why you use people’s personal data. This includes being clear about the risks and challenges. Articles 13 and 14 of the UK GDPR set out the information which individuals must be provided with, and an individual’s Right to be informed [2] is a key transparency requirement. Again, this is vital in building trust and confidence.

13. I note the powers granted to the Secretary of State under the Bill. Specifically, the power to require any person to whom an information standard applies to provide information, records or documents to enable monitoring of compliance. This is considered below in the section headed Enforcement.

14. Many of the clauses feel broad in terms of the discretion granted to the Secretary of State. For example, the Powers of direction at Part 1, 13ZC (5) where the public interest test is referred to but there is no further detail of what is considered to be in the public interest. I do however note the obligation on the Secretary of State in this section to publish any direction as soon as reasonably practicable. This promotes transparency and accountability.

Data sharing

15. The ICO aims to promote confident, responsible and lawful data sharing in the public interest. I recognise the benefits of appropriate data sharing to improve patient care. But it is important to consider how data can be shared lawfully, while protecting people’s personal information. Data storage, sharing and security also need to be considered, together with data minimisation, particularly when processing special category data.

16. The ICO’s statutory code of practice on data sharing [3] demonstrates that the legal framework is an enabler to responsible data sharing. The code provides guidance on taking practical steps to share data while protecting people’s privacy. This should improve data linkage between sources and should give confidence to share data in a fair, safe and transparent way.

17. Whilst I appreciate the Bill is unlikely to include this level of detail, it would be prudent to consider the guidance when assessing the data protection implications of the provisions at this stage. It is important to incorporate data protection principles in data sharing agreements, including clear lawful basis, well-defined purposes, proportionality, transparency and accountability. Reference could also be made to the data sharing code in any relevant guidance published by the Secretary of State as per Clause 64 of the Bill.

18. Part 1, the insertion of a new Section 13ZF, grants the Secretary of State power to direct NHS England to provide any documents or other information that may be specified in the direction. The power is granted to NHS England to require an integrated care board to provide them with information at 14Z58 and also any of its partner NHS foundation trusts at 14Z62. There is also provision for the permitted disclosure of information by integrated care boards in the circumstances set out at 14Z61. At Part 2, Chapter 3, 277A there is a section relating to the provision for adult social care information to the Secretary of State.

19. Whilst it is not a defined term in the Bill (see Definitions section below), I assume the term ‘information’ as referred to in the various clauses will, in some circumstances include personal data. As such, responsible and trustworthy sharing of such personal data between the parties should be a key consideration. Guidance and safeguards should be in place to ensure any data sharing under this provision is necessary and proportionate.

20. There are other sections of the Bill where I consider data sharing may take place and the implications of this should be considered. These include:

a. Part 1, the Joint working and delegation of functions and the Collaborative working sections. Whilst I do not have the detail of the proposals, it is reasonable to assume these may involve sharing of personal data.

b. Part 2 sets out the General Duties of the Health and Social Care Information Centre. This allows for the collection of information from private health care providers and providers of adult social care centres. There is also a restriction on onward disclosure of adult social care information. The Secretary of State may not disclose this information except for purposes connected with the health care system, or adult social care system, in England.

21. There is a further restriction on disclosure of commercially sensitive information, which is subject to consideration of the public interest as well as the interest of the person to whom the commercially sensitive information relates. If this information includes personal data, the collection of this information and onward disclosure will be subject to data sharing considerations. The UK GDPR provisions of fairness, necessity and proportionality should form part of any assessment to disclose.

22. The section on the Health Services Safety Investigations Body (HSSIB), and in particular their relationship with other bodies at Part 4, Clause 110(2) and the obligation to co-operate will no doubt include sharing between the listed persons at (3) and this may include personal data.

23. In terms of the definition of Transfer schemes referred to at Clause 13, Chapter A3, 14Z28 (2), it is unclear if the transfer of property, rights or liabilities also includes data controllership, partnerships and databases for example. And if so, whether there will be a provision in place for data sharing.

Definitions

24. The term ‘information’ is referred to throughout the Bill, however there is no definition of this term. I have assumed this will include personal data. However, a clear definition would bring clarity and promote consistency of interpretation.

25. Chapter 1B ‘Sharing of Anonymised Information’ at Part 2 of the Bill defines ‘personal information’ as ‘information which is in a form that (a) identifies any individual, or (b) enables the identity of any individual to be ascertained’. This is not equivalent to the definition of personal data in Article 4 (1) of the UK GDPR which means ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

26. This definition is much wider than that of personal information contained in the Bill. The personal data definition differentiates between data that relates to an individual and data which may identify an individual but not relate to them. This distinction may have subsequent implications under data protection law. It would be sensible to be consistent with the UK GDPR Article 4 definition for that reason and to ensure controllers are complying with data protection legislation when processing personal data.

27. In the proposed Chapter 1A entitled Regulations: Information Systems, the regulations will make provision relating to various types of information including ‘information relating to individuals’.

28. Part 2, Information Systems allows for provision about the establishment and operation by the Health and Social Care Information Centre. 7A(3) sets out examples of the types of information regulations may make provisions for, specifically at (c) information (including information relating to individuals which is of a specified description).

29. It would be helpful to understand whether these will include personal data, as per the Article 4 UK GDPR definition set out above. If so, the processing of such information will be subject to existing data protection statutory requirements.

30. I am interested to see if regulations, when drafted, will specify the type of information to be entered and retained in the information systems and how that information will be processed and/or disclosed.

31. The Bill lacks a clear definition of anonymous information. The ‘Sharing of Anonymised Information’ section simply places a duty to ‘require another health or social care body to provide information, other than personal information……’. It therefore appears anonymous information is information other than personal information but this is not explicitly defined. It is unclear whether this detail will be provided elsewhere.

32. However, in view of the dedicated section, and the fact that other terms such as personal information are defined for the purposes of the section, it would be sensible to also define the term anonymisation. Aligning this with the UK GDPR definition will assist controllers in complying with the data protection legislation.

33. Recital 26 of the UK GDPR defines anonymous data as: ‘…information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’.

34. The ICO is currently developing new guidance on privacy enhancing technologies, anonymisation and pseudonymisation [4] and has published a call for views on the first chapter. Reference to this, and particularly the section ‘What is anonymous information’, may assist in establishing what exactly is meant by the term ‘anonymised information’ for the purposes of the Bill. The ICO also previously published the anonymisation code of practice in 2012.

35. Finally, the committee should consider the definition of ‘data concerning health’ as per Article 4 (15) of the UK GDPR which means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Article 36(4) UK GDPR Prior Consultation

36. I will take this opportunity to highlight the obligations for legislative consultation under Article 36(4) of the UK GDPR. Consultation prior to processing is necessary where a data protection impact assessment under Article 35 of the UK GDPR indicates that processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. [5]

37. Specifically, I refer to Part 2, Collection of information from private health care providers and Collection of information about adult social care and also the Medicines and Medical Devices Act 2021. Further detail on what the processing would entail has been requested and I understand this will be included in secondary legislation.

38. My invitation to collaborate should afford the opportunity to keep abreast of any processing which requires consultation. However, my office would need to be informed in a timely manner of any formal consultation submission to ensure there is sufficient opportunity for input.

Enforcement

39. Part 2, new Section 7B (Information Systems) sets out the offence of disclosing information in contravention of the Regulations. In certain circumstances there may be a breach of Section 170 of the Data Protection Act 2018 (Unlawful Obtaining of Personal Data) and potentially a personal data breach where notification to the Commissioner is required (Section 67 of the Data Protection Act 2018). As such, it would be advisable to include reference to the legislation specifically. It is also important to confirm how this accords with the regulatory powers of the Information Commissioner when personal data is obtained or disclosed.

40. Reference is also made to Offences of unlawful disclosure at Part 4 Clause 108 relating to breaches of the prohibition on disclosure of HSSIB material. I question how this will align with obligations under the Freedom of Information Act 2000, specifically when a request for information is received in respect of ‘protected material’.

41. Part 4, Clause 117, Obligations of confidence etc., specifically clause 117(2), confirms that ‘nothing in this Part operates to require or authorise a disclosure of information which would contravene the data protection legislation (but, for the purposes of this subsection, in determining whether a disclosure required or authorised by or under this Part would do so, take the requirement or authorisation into account)’. This appears to make the decision as to whether a contravention has occurred a subjective assessment based upon the nature of the requirement or authorisation. However, the requirements of the relevant data protection legislation would determine this. Again, I highlight my role as the regulator for contraventions of data protection legislation.

42. The Bill allows the Secretary of State to regulate compliance with the requirements. However, if non-compliance relates to personal data then the Information Commissioner would also be entitled to take action. It is not clear how this will work in practice and whether this will result in dual penalties on some occasions. I therefore stress the importance of aligning the content of requirements and authorities with existing data protection law where relevant.

43. I welcome further engagement between my office and the Department for Health and Social Care to determine how this will work in practice and how the enforcement scope proposed in the Bill accords with the data protection regulatory framework.

Supplementary comments

44. Duty to have regard to the wider effect of decisions is a recurring phrase throughout the Bill. A reminder to have regard to the effect of decisions on data protection or on individuals’ personal data and compliance with data protection law would be useful in any guidance.

45. I note Part 2, Clause 85, Section 7A(8) provides for data protection legislation restrictions overriding any other restrictions on disclosure and welcome this.

Conclusion

46. I submit this evidence on the basis of the information I have before me currently in the Bill. I trust this general overview assists and highlights the key considerations in terms of data protection law and the impact existing obligations may have under the proposals. I look forward to engaging with the committee further on the matters raised and would be pleased to respond to any queries you have.

Elizabeth Denham
Information Commissioner
18 October 2021


[1] Guide to the General Data Protection Regulation (GDPR), (January 2021), p185: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/

[2] Guide to the General Data Protection Regulation (GDPR), (January 2021), p97: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

[3] Data sharing: a code of practice (2021), the Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-a-code-of-practice/

[4] ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-anonymisation-pseudonymisation-and-privacy-enhancing-technologies-guidance/

[5] Guidance on the application of Article 36(4) of the General Data Protection Regulation (GDPR), GOV.UK: www.gov.uk


Prepared 19th October 2021