The purpose of the Bill is to put on to a statutory footing the office of the National Data Guardian for Health and Social Care, and to promote the provision of advice and guidance about the processing of health and adult social care data in England. It would be remiss of me not to mention the work of my hon. Friend Jo Churchill: she has worked hard for a long time to establish the position of the National Data Guardian for Health and Social Care, and her perseverance and tenacity have ensured that we are on track to deliver it.
I thank the Minister and shadow Minister for their help and support with the Bill—and special thanks, of course, go to Dame Fiona Caldicott, who has pioneered the work on ensuring that the NHS handles data properly. She has been very helpful to me in the preparation of the Bill.
Clause 1 creates the Office of the National Data Guardian for Health and Social Care, referred to in the Bill as the “Data Guardian”. It makes general provisions about the Data Guardian’s functions and the way in which they are to be carried out. Subsection (2) empowers the Data Guardian to publish guidance about the processing of health and adult social care data in England. I should like to make it clear that it also covers public health data.
Subsection (3) imposes a duty on certain organisations and individuals to have regard to the National Data Guardian’s published guidance. Comment has been made as to why the Secretary of State is not included in the list. However, the Department of Health and Social Care is already included in the definition of those who have to have regard to the National Data Guardian’s advice, so it would be superfluous to include the Secretary of State.
Subsections (4), (5) and (6) cover requirements in relation to the Data Guardian’s published guidance. Those subsections are intended to keep the guidance relevant over time and, if necessary, updated to reflect new evidence. It has been suggested that subsection (5) should add an obligation that organisations and individuals that process health and social care data should provide the Data Guardian with appropriate information. I argue that that would create a duplication of the remit of regulators that already exist in those sectors. The Data Guardian’s role is as an advocate for the patient and the public, to build and maintain public trust. The role is as much about supporting individuals and organisations to get it right first time as it is about commenting, advising and providing guidance. It is not the intention of this Bill to create another regulator, but that the National Data Guardian should work with the Information Commissioner’s Office and the Care Quality Commission.
It has also been suggested that subsection (6) should add a duty that all data controllers and their data processors must publish their response to all advice issued. That would be extremely burdensome on those organisations and individuals, and it would be toothless without sanctions. Accountability should be assessed through actions, not written responses; the existing regulators would be able to assess the adherence to guidance and would cite the National Data Guardian during any investigation.
Clause 1(7) allows the Data Guardian to give informal advice, assistance and information to anyone, as long as it is about or relates to the processing of health and adult social care data in England. Clause 1(8) gives the Data Guardian flexibility in how far any particular piece of advice, assistance, information or guidance may be extended. The effect is to clarify that the Data Guardian can publish guidance and give advice on specific topics or themes, and can target it to certain organisations, individuals or sectors as appropriate. Clause 1(9) provides that the duty to have regard to the Data Guardian’s published guidance applies only in so far as the guidance is relevant to the functions or services of the body or person.
Clause 1(10) introduces schedule 1 to the Bill. As clause 1 and schedule 1 are being debated together, I will make some brief comments on schedule 1. The schedule makes further provision for the establishment, maintenance and operation of the Office of the Data Guardian. It sets out the Data Guardian’s terms of appointment and covers a broad range of matters related to the Office of the Data Guardian. It includes its constitution, its financial and reporting framework, and how members of staff and advisers are reported and remunerated. I draw the Committee’s attention to paragraph 15 of schedule 1, which provides that the Secretary of State must pay to the Data Guardian the amount that he considers appropriate for the purpose of enabling the Data Guardian to carry out his or her functions.
The Committee will be aware that there was some debate about the cost during the money resolution debate. I thank hon. Members who are here today and those who took part in the debate. I want to make clear that, although the estimated cost is £725,000 per year, that is only an additional £225,000 per year and relates to putting the Data Guardian on a statutory footing. As the Committee will know, there is already a Data Guardian, which costs £500,000; we are just putting this on a statutory footing and saying it is the right thing to do.