On 11th June, the Data (Use and Access) Bill completed its passage through Parliament and will soon become law. Our Policy and Engagement Manager Emma Lagerstedt explains what this means (and doesn’t mean) for health data.

They say the third time’s the charm, and after two failed attempts under previous governments, Parliament has now passed comprehensive cross-sector data legislation. The Government claims the Data (Use and Access) Bill will “unlock the secure and effective use of data for the public interest”. While much of the public debate focused on artificial intelligence (AI), copyright and digital ID, the Bill also has important implications for health and care data.

Paving the way for a single patient record
The Bill supports plans to create a single patient record and make it accessible through the NHS App. As we’ve previously outlined, it gives new powers to set information standards that health and care services – and more importantly, their IT suppliers – will have to follow. Information standards are the legal requirements that ensure health and care data can be captured consistently and exchanged digitally. They define how data is collected, shared, and managed. Think of them as a common language for health information.

Under existing law, the Health Secretary has the power to set mandatory standards for health and social care organisations. However, suppliers of IT services and products – including providers of electronic patient records – are not required to comply, and health and care providers are not fully compliant. The new powers will strengthen enforcement and apply standards to IT suppliers.

This should make it easier for different systems to work together and for information to flow between providers. However, the Bill itself does not set these standards. It gives the Government the power to create them in the future without having to pass a new Act of Parliament – what is sometimes called ‘enabling legislation’. This means we don’t yet know exactly what will be required of either suppliers or providers.

With the recent publication of the report from NHS England/Department of Health and Social Care’s national engagement on data recommending ‘proceeding at pace’ with the creation of a single patient record and the recent Spending Review including a £10bn investment to deliver the technical infrastructure, it appears we are inching closer to finally having one nation-wide record for health and care services.

Sharing data outside of the UK for research
Though the Data (Use and Access) Bill only applies to the United Kingdom, it may have knock-on effects for data sharing and transfers with European countries, due to something called data adequacy. The European Union can make a formal decision to recognise that another country provides a level of data protection ‘essentially equivalent’ to that of the EU, and the UK is currently assessed as being adequate. This means that data can flow freely between the UK and EU without extra precautions.

The continued free flow of data between the UK and EU is key to medical research and innovation, for instance for conducting clinical trials and sharing data between regulators of medicines and medical devices. In addition to medical research, loss of data adequacy status would also weaken the ability of governments on both sides of the Channel to address cross-border public health threats like infectious diseases. Organisations like the British Medical Association (BMA) have raised concerns that any changes to the UK’s data adequacy status would jeopardise medical research and ‘far outweigh’ any benefits of the Bill.

The previous Data Protection and Data Information Bill – which contained many similar provisions to the Data (Use and Access) Bill – faced criticism over concerns that its relaxation of rules around data protection and redefinition of the term ‘personal data’ would put the UK’s data adequacy at risk. With these changes removed from the Data (Use and Access) Bill, the chance of the UK’s adequacy decision being at risk is lower, but European civil society organisations have expressed concerns about provisions in the Bill and urged the European Commission to re-evaluate the UK’s adequacy status. The deadline for the EU to make a decision about the UK’s data adequacy status has been postponed by six months until December 2025 to allow for scrutiny of the Bill, and UPD will keep this under review.

Mind the gap: What’s not in the Bill
Let’s talk about what’s not in the Bill. The Bill does not include any changes to provisions around the security and privacy of patient data, despite initial Government comments to the contrary (with Minister Stephen Kinnock promising “firewalls” around patient data and clear rules for what data can be accessed under what circumstances). Various attempts by members of the House of Lords and backbenchers in the Commons to insert clauses about data privacy and third-party access to NHS data were unsuccessful, with amendments rarely being subject to substantive debate. In parliamentary debates, some MPs raised questions about the private sector accessing NHS data, leading Minister Chris Bryant MP to state that the NHS and patient data were ‘not for sale, end of story’.

Some MPs – including the Chair of the Science and Technology Committee, Chi Onwurah MP – raised concerns that the Bill widens the definition of scientific research, arguing that organisations could rely on the new provisions to process personal data including patient data for purely private gain and call it scientific research. In response, the Government has stated that in their view, the Bill does not widen the definition of research, and that the processing of identifiable health data is covered elsewhere under data protection law and has special protections in place.

What’s next?
The debate around this new law highlights how important it is to put privacy, security, and trust at the heart of decisions about how patient data is used — especially as new services like the Health Data Research Service are developed that may provide access to de-identified data from the Single Patient Record, including GP data, for research.

Understanding Patient Data will keep monitoring what happens next, including any future regulations, to help make sure transparency and public trust come first.

Find out more
For more detail about the Data (Use and Access) Bill and its predecessors, have a look at UPD’s previous articles: