The purpose of the Bill is to put on to a statutory footing the office of the National Data Guardian for Health and Social Care, and to promote the provision of advice and guidance about the processing of health and adult social care data in England. It would be remiss of me not to mention the work of my hon. Friend Jo Churchill: she has worked hard for a long time to establish the position of the National Data Guardian for Health and Social Care, and her perseverance and tenacity have ensured that we are on track to deliver it.
I thank the Minister and shadow Minister for their help and support with the Bill—and special thanks, of course, go to Dame Fiona Caldicott, who has pioneered the work on ensuring that the NHS handles data properly. She has been very helpful to me in the preparation of the Bill.
Clause 1 creates the Office of the National Data Guardian for Health and Social Care, referred to in the Bill as the “Data Guardian”. It makes general provisions about the Data Guardian’s functions and the way in which they are to be carried out. Subsection (2) empowers the Data Guardian to publish guidance about the processing of health and adult social care data in England. I should like to make it clear that it also covers public health data.
Subsection (3) imposes a duty on certain organisations and individuals to have regard to the National Data Guardian’s published guidance. Comment has been made as to why the Secretary of State is not included in the list. However, the Department of Health and Social Care is already included in the definition of those who have to have regard to the National Data Guardian’s advice, so it would be superfluous to include the Secretary of State.
Subsections (4), (5) and (6) cover requirements in relation to the Data Guardian’s published guidance. Those subsections are intended to keep the guidance relevant over time and, if necessary, updated to reflect new evidence. It has been suggested that subsection (5) should add an obligation that organisations and individuals that process health and social care data should provide the Data Guardian with appropriate information. I argue that that would create a duplication of the remit of regulators that already exist in those sectors. The Data Guardian’s role is as an advocate for the patient and the public, to build and maintain public trust. The role is as much about supporting individuals and organisations to get it right first time as it is about commenting, advising and providing guidance. It is not the intention of this Bill to create another regulator, but that the National Data Guardian should work with the Information Commissioner’s Office and the Care Quality Commission.
It has also been suggested that subsection (6) should add a duty that all data controllers and their data processors must publish their response to all advice issued. That would be extremely burdensome on those organisations and individuals, and it would be toothless without sanctions. Accountability should be assessed through actions, not written responses; the existing regulators would be able to assess the adherence to guidance and would cite the National Data Guardian during any investigation.
Clause 1(7) allows the Data Guardian to give informal advice, assistance and information to anyone, as long as it is about or relates to the processing of health and adult social care data in England. Clause 1(8) gives the Data Guardian flexibility in how far any particular piece of advice, assistance, information or guidance may be extended. The effect is to clarify that the Data Guardian can publish guidance and give advice on specific topics or themes, and can target it to certain organisations, individuals or sectors as appropriate. Clause 1(9) provides that the duty to have regard to the Data Guardian’s published guidance applies only in so far as the guidance is relevant to the functions or services of the body or person.
Clause 1(10) introduces schedule 1 to the Bill. As clause 1 and schedule 1 are being debated together, I will make some brief comments on schedule 1. The schedule makes further provision for the establishment, maintenance and operation of the Office of the Data Guardian. It sets out the Data Guardian’s terms of appointment and covers a broad range of matters related to the Office of the Data Guardian. It includes its constitution, its financial and reporting framework, and how members of staff and advisers are reported and remunerated. I draw the Committee’s attention to paragraph 15 of schedule 1, which provides that the Secretary of State must pay to the Data Guardian the amount that he considers appropriate for the purpose of enabling the Data Guardian to carry out his or her functions.
The Committee will be aware that there was some debate about the cost during the money resolution debate. I thank hon. Members who are here today and those who took part in the debate. I want to make clear that, although the estimated cost is £725,000 per year, that is only an additional £225,000 per year and relates to putting the Data Guardian on a statutory footing. As the Committee will know, there is already a Data Guardian, which costs £500,000; we are just putting this on a statutory footing and saying it is the right thing to do.
I congratulate my hon. Friend on having got his Bill so far. On the costs, the Data Guardian will basically be indemnified for the costs incurred, yet I see that the Data Guardian will have enormous flexibility to publish and give as much guidance or advice as they wish. Surely the Data Guardian could, by giving a lot more advice and guidance over which there is no control, result in significantly increased costs for the public sector?
I am grateful for my hon. Friend’s intervention and the fact that he is on the Committee; I know that all Committees welcome his membership.
The reason why we have a Data Guardian is to provide safeguarding and to make sure that the data is handled properly. Those costs can only be estimated; as my hon. Friend says, they could be more or less, depending on the requirements. That is exactly why we need a guardian. I would like the costs to be minimal, because that means that we are handling the guardian properly. But if there needs to be more, because there is a requirement to do more, there will be more cost.
Does my hon. Friend know of any case where a regulator given powers by Parliament has chosen to reduce the amount of powers that are used? Surely, the natural thing is for regulators to increase their activity, using the powers to the maximum and thereby increasing the costs.
I agree, but what we are not doing today is creating a regulator; I would not be likely to propose a Bill to create a regulator. The Data Guardian already exists and it is not a regulator—I specifically said that in my opening remarks. Although it is probably true that regulators do that, that is not what I expect to happen with the National Data Guardian.
It is a pleasure, as always, to serve under your chairmanship, Dame Cheryl. I congratulate the hon. Member for Wellingborough on his notable success in getting the Bill to this stage, and I thank him for his candour during the debate on the money resolution and for his acknowledgment of his good fortune in getting the Bill to this stage ahead of others.
As I mentioned when we debated the money resolution of the Bill, Labour Members welcome the decision to put the National Data Guardian for Health and Social Care on a statutory footing. On that basis, we agree with the thrust of the Bill. I am sure that colleagues will be relieved that I do not intend to speak for too long, but I have one or two comments and observations about clause 1—and about clause 2, which we will discuss a little later. I hope that the Minister will be able to respond to the points made by the hon. Member for Wellingborough, some of which I was going to make anyway.
I mentioned when the money resolution was debated that although the use of data has the potential to improve our health services and treatments beyond recognition, we know from past experience that use of data in the NHS and in wider society can prove controversial and carries high levels of suspicion among patients. We hope that the establishment of the Data Guardian on a statutory footing can give patients confidence that their medical information will be treated in the correct manner. I note from the comments of the hon. Member for Wellingborough that there seems to be an omission from clause 1 as it stands, as there does not seem to be an opportunity for the National Data Guardian to give advice to the Secretary of State himself, although he considers that duty to be covered elsewhere and that such as an addition would be superfluous.
There seems to be a discrepancy that leaves the Data Guardian in an inferior position to either the existing Confidentiality Advisory Group or the Health Research Authority. I would be grateful to know if that was the intention of the legislation. The power to appoint the Data Guardian rests entirely with the Secretary of State, seemingly without any qualification. Is it envisaged that the Health Committee might get an opportunity to comment on such appointments? Recent appointments in the health sector have proven controversial, so it would be appropriate for the Select Committee to comment.
Our second query relates to public health commissioned through local authorities. Given the heavy use of data in public health, it is surprising that that does not seem to be covered by the Bill. Given all the public health activity undertaken by non-public bodies in recent years, I would welcome comments from the Minister and from the hon. Member for Wellingborough about whether the Bill is intended to cover health in the broader sense.
There is also a query about other forms of data that are more directly within the NHS, such as the cancer registry, which resides in Public Health England. It uses data collected by the NHS that could affect the direct care of patients. I would welcome confirmation of whether the Data Guardian is intended to cover that data, too.
The hon. Member for Wellingborough touched on clause 1 (6), which I would like to explore in a little more detail. Labour Members might have expected it to include an obligation for data controllers not only to have regard to advice, but to publish their response to that advice. That expectation is not unrealistic, given that the responses to question 5 of the Government’s consultation were overwhelmingly supportive of such a provision.
In question 5 of the consultation, the Government propose that
“organisations holding health and care data which could be used to identify individuals should be required to publish all materials demonstrating how they have responded to advice from the national data guardian.”
In their response to the consultation, the Government said:
“Responses were supportive of the proposal that the national data guardian should be given formal advice giving powers.”
That would certainly provide reassurances that the National Data Guardian will have real authority and act as an independent voice for patients, but without such statutory backing it is foreseeable that its independence and authority could be undermined. Without a requirement for organisations that receive advice to provide evidence of their response in a way that can be easily disseminated, there is no way we can be sure that the Data Guardian will be effective in doing the important job required by the Bill.
Members will recognise that the requirement for bodies to “have regard” to advice does not always mean that they take action in respect of that advice. An obvious example of that is, of course, the National Institute for Health and Care Excellence guidelines, which we know CCGs often ignore—seemingly with total impunity. I am sure Members do not want a repeat of that with this Bill, so I ask the hon. Gentleman and the Minister to respond on that point in a little more detail. I take the point that providing such responses might be burdensome on authorities controlling data, but I do not think that that cuts the mustard, given our concern about whether this measure will give the Data Guardian sufficient authority and teeth to deal with the issues under discussion.
My final point on clause 1 relates to data sharing and the lack of a positive obligation for bodies to provide that information. For the National Data Guardian to take a view on a particular data issue, it must first know that there is an issue on which to take a view—an unknown unknown, as we say. Could we have a published register of data sharing arrangements to which NHS bodies could sign up and submit a copy of their agreements? That would provide the Data Guardian with a single point of reference from which it could note any new agreements outwith the norm; that is exactly what the Government committed to doing with the current public service delivery data sharing codes of practice currently laid before Parliament.
There is a danger that the Data Guardian will become involved only after an issue has already reached the public’s attention, and possibly after an inappropriate use of data that might already have affected thousands of patients. A positive obligation to shared data arrangements with the Data Guardian might reduce the risk of such an eventuality. I look forward to hearing from the Minister and the hon. Gentleman on those points.
For the sake of our protocols, I should say that I had arranged for the windows to be opened because it is rather warm in this Committee room, but I am perfectly happy if people wish to remove their jackets.
Thank you, Dame Cheryl. I want to raise two small points. The first is slightly to tease the hon. Member for Wellingborough: I cannot imagine another Bill making its way through the House of Commons and the House of Lords about which he would be so casual when it came to the amount it might eventually cost. I normally think of him as the most robust challenger of any public expenditure, but I note that in the order of magnitude he is drifting by about 50%. When there is a Labour Government, I look forward to him applying exactly the same logic to all Labour legislation.
My serious point is about how this Bill relates to Members of Parliament, who are probably the single body of people not covered by the Bill, but who might be tangentially affected by it. People often come to us with complaints about their local health board—in my case, in Wales—or about their general practitioner or the provision of care in a care home, through the local authority or some private sector deliverer. We often have highly confidential information stored, almost as if we were a GP or a doctor; certainly to that degree of information. For that matter, that is also sometimes information that has been provided by other authorities such as the police.
Particularly in the light of recent developments on the general data protection regulation, it is obviously important that we ensure that we are abiding within the law and adopting best practice, but it would be a terrible shame if we ended up being unable to keep records relating to people who, to all intents and purposes, have come to us as constituents—almost as patients—and who would be rather surprised if we were to destroy the information we have kept about them. When they turn up seven years later, they expect us to remember every single case we have ever dealt with, or for that matter that our predecessor dealt with. I fully understand why it is right that when a Member of Parliament changes, things start all over again, but it would be crazy to adopt any kind of standard procedure of deleting, for every Parliament or every two or three years, material that could be important to the patient—the client, patient, customer, or constituent, however we want to term them.
Another important element of this relates primarily to the safety of our staff. Sometimes we deal with people who have major psychotic episodes during their life, or have mental health problems. I am not saying that just because someone has a mental health problem, it means they will be problematic, but it may be that when there are repeat visits to an MP’s office, it is useful to have kept the information for several years about the person who has come in through the door. Thus, for instance, if our staff have changed, the new staff will be aware of the potential problems that might exist in relation to an individual.
I hope that the Data Guardian will be able to provide advice to Members of Parliament as well. I know that is not in the Bill and is not its primary purpose, but it would be a mistake if the guardian were to operate in a way that did not take any cognisance of the relationship that Members of Parliament have with local health boards, and with the health service and care provision in general.
It is a pleasure to serve under your chairmanship, Dame Cheryl, and an absolute pleasure to respond to the Bill of my hon. Friend the Member for Wellingborough. I congratulate him on bringing this important reform forward and thank him for working so constructively with the Government to put the National Data Guardian on a statutory footing.
This is an important reform. As the shadow Minister mentioned, the public are rightly concerned about information and data that is held on them and the extent to which that is shared. The new National Data Guardian will do much to reassure people that the environment in which data is held and managed is one that respects their privacy, while at the same time ensuring that appropriate safeguarding can be achieved. Given the culture that exists within our health services, the comfort with which organisations can respond to the advice given by the National Data Guardian will make for a much more effective system to support the public.
I confirm the Government’s support for and commitment to the Bill. We very much wish it to succeed. We see real benefits to all individuals in ensuring that we share health and care data in a safe, secure and legal way. The Bill will go a long way to increasing public trust in the appropriate and effective use of health and care data. The National Data Guardian has already established herself as an independent and authoritative voice for the patient and service user in how their data is used in the health and adult social care system.
Let me address some of the points that have been raised. Clearly, my hon. Friends will be concerned about the potential costs, as we would be as Conservatives. The estimates we have established as a result of the impact assessment provide for some extra expenditure, and that is for additional staffing so that the published guidance has a legal status—that will be a natural outcome of putting the Data Guardian on a legal footing. There will be some additional costs, and we have been generous in our estimates for them.
The shadow Minister asked a number of questions about other agencies that might be covered by the Bill, and as my hon. Friend the Member for Wellingborough said, the Bill as drafted covers public health. Provisions in the Bill will extend to local authority functions with respect to adult social care, but not to children because they are covered by a different legal framework.
The hon. Member for Rhondda raised some good points to which we could ask the National Data Guardian to have regard. He is right to say that we as Members of Parliament often take up health and social care issues on behalf of our constituents, and nothing is intended to get in the way of that. Indeed, it could be helpful to us if the National Data Guardian gave instructions to those bodies about their obligation to be open and transparent. I am sure that the hon. Gentleman, and other hon. Members, have often found that the spirit of openness that we expect when we challenge something is not always respected. In that culture of openness, and with respect for privacy and safety, we support the Bill.
I am grateful for the support from the Minister and the shadow Minister, and I wish to pick up on a couple of points. The appointment will be down to the Secretary of State, but I absolutely expect it to go to the Health and Social Care Committee—I think that is understood. A point was raised about advice and having written reports on what is being done, but the argument against that is that we want to see action. There is some confusion—the Data Guardian is not a regulator, and therefore that is not its role. All organisations are covered by a regulator and will take into account what the National Data Guardian says. That is why I do not think that such a provision would work.
I understand what the hon. Gentleman is saying, but it was clear in the Government consultation, and the response to it, that there was an intention for the body to have a few more teeth. Why did that change course?
The problem is that we could easily say that we need to have a regulator, but that is not what the Data Guardian does. We do not want to come along afterwards and say what has gone wrong; we want to get this right at the beginning and work with the different holders of data. It is a different approach. The comparison I think of is when I was involved with combating modern-day slavery. We now have a commissioner for that whose job is not to regulate but to expose and say what is going well or badly, and that helps. There could be pressure on an organisation—for instance, if it gets really bad publicity it will do something about it, but equally the commissioner will show where things are going well. We do not want to move towards a regulator or have lots of enforcement powers because that is totally different to what we have already established with Dame Fiona. Each hospital has a Caldicott guardian in it, so we are basically putting something that works on a statutory footing for the future.
I am pleased by the conversion of the hon. Member for Rhondda to concerns about cost, and I shall remind him of that if there is ever a Labour Government in future—
Well, I am sure there will be a Labour Government sometime in the next century.
The hon. Gentleman makes a very important point about MPs and data provided by our constituents. Although I do not think it is particularly relevant to this, I do think all Members are wrestling with what the new regulations mean. Medical practitioners have to hold information for a very long time. I have very detailed medical information from some of my constituents, and serious issues might arise if we were forced to destroy such information. Perhaps the National Data Guardian could give some advice on that point. I get very frustrated when I have to deal with the local hospital, if I do not get a consent form. That is clearly a delaying factor and definitely needs to be cleared up.