The Data (Use and Access) Bill was introduced to Parliament in October 2024, but what might the implications be for health data? UPD Policy and Engagement Manager Emma Lagerstedt gives an overview.
Background
On 23rd October 2024, the Data (Use and Access) Bill was introduced to Parliament and, at the time of writing, has just had its second reading. It follows earlier efforts to pass cross-sector legislation around data, with previous Conservative governments twice attempting to pass a data bill (see UPD’s summary of the last bill here).
Some of the most controversial aspects of the previous Data Protection and Digital Information Bill have been discarded – such as weakening protections around the use of personal data for party political purposes and giving the Government powers to direct the Information Commissioner’s Office – but many of the core elements of the new Data (Use and Access) Bill have been borrowed from earlier attempts.
The Bill is wide-ranging in scope, covering everything from changes to data protection legislation to smart meter licensing and the registration of births and deaths, but what does it mean for health data?
Information standards for health and social care
Despite the Government press release prominently featuring the benefits to the NHS, and soundbites from ministers in the media in the days leading up to the Bill’s introduction promising clauses on ensuring safeguards for patient data in the Bill, provisions around health are largely absent from the Bill, with one key exception – information standards for health and social care.
The Health and Social Care Act 2012 (HSCA 2012) enabled the Secretary of State for Health and Social Care or NHS England to set ‘information standards’ for health and adult social care services in England. Information standards are documents that contain protocols or specifications relating to processing information. This can include technical standards, data standards or information governance standards. An information standard can mandate that a certain type of information is coded in a certain way or uses certain vocabulary. For instance, one information standard is the use of the NHS number across all patient records to identify patients. The Health and Care Act 2022 (HCA 2022) made further changes to information standards, including making it mandatory for health and social care organisations to comply with them (rather than just ‘have regard to’ them).
Information standards are important because they help ensure that data in the NHS is recorded consistently and accurately, which makes analysis easier and enables important information about a patient to flow between different NHS settings. However, there are two main issues with how these currently work that prevent patient data from being shared and accessed more easily across the system:
- The way the law is currently applied means that suppliers of IT services and products do not need to comply with information standards. As a result, the adoption rate of current information standards by IT providers stands at 56%.[1]
- Even though public and private health and care providers must comply with information standards, the adoption rate for health and care providers is only 42%. In some cases, these organisations use IT systems that are compliant but with certain functionalities turned off.[2]
The new powers in the Bill seek to address these problems by applying information standards to IT suppliers and strengthening enforcement powers, through enabling the establishment of an accreditation scheme for IT suppliers and giving the Secretary of State the power to issue written notices or publicly censure organisations that fail to comply with information standards.
These changes are particularly important given recently announced plans to create a single patient record in the NHS. For interoperability to improve and for a single patient record across all of the NHS to work well, each IT system will likely need to record and transmit patient information in a uniform way. In addition to paving the way for the creation of a single patient record, the changes to information standards are expected to improve the ability and speed of clinicians accessing records for patients under their care, reduce medication errors, reduce duplicate diagnostic tests, and reduce the amount of time spent by healthcare organisations manually cleaning, coding and transferring data.[3]
UPD’s thoughts
UPD broadly welcomes the move towards further integration of health and care records in England, and believes the widespread adoption of information standards in the sector should support the interoperability of IT systems and enable better access and a more seamless flow of data across the system.
However, there are many question marks about implementation, and the Bill as written is a missed opportunity to include provisions to improve the safety and security of patient data.
Information Standards
Whilst the Bill enables the Secretary of State to set standards, it contains no information about which standards will be implemented. NHS England is reportedly “currently developing its plans for which information standards will be implemented”[4] but a lot of uncertainty remains about which information standards will be mandated, when, and how they will be applied. Similarly, there are question marks as to how the enforcement measures provided in the Bill will ensure compliance across the sector. Currently, the information standards issued to health and care providers are mandatory, but compliance remains below 50%. The powers to compel IT suppliers to follow new standards are limited to written notices and public censure, and it is not fully clear what the mechanism for enforcement will be if these fail to deliver the expected results. Additionally, the Government’s impact assessment notes that there is a risk that IT suppliers may leave the English market due to increased burdens placed on them by the legislation and prioritise investing in other markets. This could be particularly problematic in areas where there are a limited number of products in the market and a high reliance on them.
Information standards can relate to information governance, and it is very possible that information standards set out by the Secretary of State in due course will include provisions for information governance and data security as records become increasingly shared throughout the system. However, the Bill as it stands does not include any details regarding how confidential patient information will be kept safe. We have previously highlighted that plans to increase data sharing and accessibility in the NHS need to be coupled with a review of data security and information governance arrangements to ensure they are still fit for purpose. In broadcast rounds prior to the introduction of the Bill, Minister of State for Care Stephen Kinnock asserted that the Bill would include “firewalls” around patient data and clear rules for what data can be accessed under what circumstances.[5] Omitting this from the Bill and leaving safeguards to secondary legislation is a missed opportunity to ensure data security is at the heart of the transformation in patient data.
Data Protection
In addition to the clause on information standards in health and social care, the Bill includes various changes to data protection law, some of which may affect health data. In particular, there are several clauses that change or weaken restrictions around processing personal data or give additional powers to the Secretary of State to amend data protection law via secondary legislation (so-called ‘Henry VIII powers’). Others writing about data policy have outlined these changes in more detail (see here, here and here for starters).
These clauses include changes to the legal bases data controllers can rely on for processing personal data, such as giving the Secretary of State powers to create new ‘recognised legitimate interests’ as a legal basis (clause 70) and broadening the definition of scientific research as a legal basis for processing. They also include changes to the re-use of personal data and transparency requirements when re-using data. Clause 71 gives the Secretary of State powers to amend the current list of conditions for allowing the re-use of existing datasets for new purposes, which could theoretically give the Government the power to define any re-use of data as compatible with the original purpose and therefore legal under data protection law, so long as it is considered to be in the ‘public interest’. Further, clause 77 would exempt data controllers from providing information to individuals about re-using their data (including research) for a different purpose if this would be impossible or require “disproportionate effort” (see more from the British Medical Association here).
Many of these changes do not directly impact data privacy rights around health data. For instance, the broadening of the definition of scientific research and the changes to ‘recognised legitimate interests’ are not likely to affect health research, as health data and health research are already subject to additional safeguards, and our understanding is that these wouldn’t change. However, UPD is concerned about the wide-ranging powers granted by this Bill to the Secretary of State to amend data protection law via secondary legislation, reducing parliamentary scrutiny. When similar powers were included in the previous Data Protection and Digital Information Bill, the House of Lords Delegated Powers and Regulatory Reform Committee argued that the legal bases for processing personal data are so fundamental to data protection law that they “should not be capable of being changed by subordinate legislation”.[6]
Information Commission
The Bill would also abolish the Information Commissioner’s Office (ICO) and transfer its functions to a new Information Commission. These changes would somewhat strengthen the ICO’s enforcement powers by giving it the ability to require more information from data controllers and processors and issue penalty notices. However, a new requirement for the ICO to have regard to “the desirability of promoting innovation” may tilt the balance towards the increased processing of health data for the purposes of ‘innovation’ in ways that undermine data privacy. This could be risky, particularly in the context of increased interest in Artificial Intelligence and the Secretary of State’s ambitions for the analogue-digital shift in the NHS.
Understanding Patient Data plans to seek clarification about plans for implementing the new provisions around information standards including how to ensure patient data is kept safe and secure. We will monitor the progression of the Bill through Parliament and continue to share updates relevant to health data in due course.
[1] Department of Health and Social Care, Impact Assessment - Data (Use and Access) Bill : Open Data Architecture Information Standards
[2] Ibid.
[3] Department for Science, Innovation and Technology, Impact Assessment - Data (Use and Access) Bill, 23 October, p96
[4] Department of Health and Social Care, Impact Assessment - Data (Use and Access) Bill : Open Data Architecture Information Standards, p42
[5] Times Radio Breakfast, 21st October 2024
[6] House of Lords Delegated Powers and Regulatory Reform Committee, ‘Data Protection and Digital Information Bill, Pedicabs (London) Bill [HL]’, 14 February 2024, HL Paper 60 of session 2023–24, p 2.