By Hamza Drabu, Darryn Hale & Sophie Devlin


Published 29 July 2021


In the latest of our series of briefings on the Health and Care Bill (“the Bill”), we look at the implications from a data and information perspective. This has to be considered alongside the government’s data strategy in order to fully understand the future for this particular space.

The relevant provisions in the Bill largely amend and expand what is currently in place in respect of using information across the health and social care sector, albeit with important implications particularly in respect of:

  • Information standards,
  • Information sharing and
  • New enforcement powers for the Secretary of State relating to private providers.

It is worth noting at the outset that the Bill refers to ‘information’ in general terms, and we have done the same in this article. ‘Information’ clearly encompasses a range of different things, ranging from fully anonymised information, to which data protection obligations do not apply, through to pseudonymised and fully identifiable data, in respect of both of which data protection would apply. Accordingly, how the proposals of the Bill will actually apply in practice will be inextricably dependent on the type of information concerned on a case-by-case basis, and we suggest bearing this in mind both when considering this article but also the Bill more generally. 

Information standards

The Secretary of State and NHS England already have powers to issue ‘information standards’, to which any bodies using NHS data or information must have regard. However, while the Bill maintains those powers, it proposes a number of changes to how the standards will apply in practice.

  • The standards themselves must set out who they apply to; it will no longer be the case that they apply universally as a default.
  • Compliance with the requirements of the standards will be mandatory as opposed to the current position, by which bodies ‘must have regard to them’. The current position leaves it open to organisations to decide not to comply with them if they can show they took account of them but decided to do things differently nonetheless. This compliance aspect is particularly important to private providers of NHS services, in light of the Bill’s proposals in relation to enforcement (see below). 
  • The Secretary of State will also have the power to require any persons to whom the standards apply to provide him with information, records or documents in order to monitor their compliance with the standards.

This presents a real strengthening of the powers available to the Secretary of State in particular, but also NHS England, in respect of ensuring compliance with what they consider to be minimum standards for use of NHS data and information. The fact that the standards themselves will specify who they apply to and the fact that they then must comply with them, rather than simply take it into account, should simplify matters considerably. There are, however, questions about how the Secretary of State will go about exercising what are, in effect, regulatory functions relating to enforcement of compliance, particularly as there could be significant crossover with the work of the Information Commissioner. We consider this in further detail below. 

Power to require disclosure of information

The Health and Social Care Act 2012 imposes a duty on commissioners and providers of NHS services to share information about a patient where doing so is in their best interests, and likely to facilitate the provision of care or treatment to them. This is, however, subject to that disclosure being in accordance with the data protection legislation and common law duty of confidentiality. It is widely recognised, however, that commissioners and providers alike need access to much broader information to ensure that not only are they delivering the best care on an individual patient level but also planning and/or delivering their services in accordance with local population needs, best practice and available resources. 

In order to address those broader issues, the Bill includes a power for any health or social care body to require the disclosure of anonymised information from another such body and/or, intriguingly, any private providers who are delivering publicly commissioned health or social care services. The power is subject to the restriction that it can only be exercised in respect of purposes relating to the health or social care body’s specific functions, and the Bill makes provision for Regulations which will set out specific exceptions to the general ambit of the power. 

This is a very interesting proposal particularly from a practical perspective. Matters such as how such requests will be made, what information will be sought and whether they are routinely complied with are all to be watched carefully. There are specific enforcement provisions relating to private providers in the Bill, and these also apply to complying with such requests for anonymised information, so there is considerable peril in a private provider failing to accede to any requests they receive. 

It is also worth noting that the Bill confers an additional power on NHS Digital to require any information it considers necessary or expedient in order to discharge its functions from private providers. Taken together with the powers discussed above for health and social care bodies, it is readily apparent that the Bill seeks to take a proactive step in opening up traditional information sharing barriers where it is often held in silos, and to release the value of information to those who need it, for the benefit of the health and social care sector more generally. 

Social care

When looking at the health and social care sector in the round, there is often a concern about the level of information that might, for example, inform capacity planning between the various organisations providing health and social care services to patients, and this information is often critical to inform and guide decisions. The Bill seeks to specifically address that in the social care sector, by affording the Secretary of State a direct power to require information from adult social care providers, including private providers, where it is necessary in connection with the health or adult social care sector. Information provided in response to such a request will be taken not to have breached any duty of confidence owed to it, and private providers are at risk of the enforcement powers discussed in the next section should they fail to provide any information sought from them. 

This is certainly a start in terms of collating relevant information which would better enable planning and delivery of social care services. However, it is noteworthy that the approach proposed by the Bill is a centralised one with the Secretary of State (at least in the first instance) as the figurehead and recipient of the information, which does not necessarily address the difficulties caused by the fragmented way in which social care is delivered and the lack of a consistent approach to information sharing between them. The Secretary of State does have the power under the Bill to make arrangements with a third party to exercise his functions in respect of social care information, including making payments to them in order to do so. It will be interesting to see whether this option is taken up, and if so by whom. 


As we have mentioned above in this article, the Bill allows for Regulations to be implemented which confer powers on the Secretary of State to issue monetary penalties against private providers (not public bodies) for non-compliance with the information-related aspects of the Bill. This includes the compliance with information standards as well as any requests from health or social care bodies and/or NHS Digital requiring the provision of information. The Regulations must include a provision requiring the Secretary of State to provide notice of intent of any monetary penalty, as well as establishing the criteria by which the extent of the penalty will be determined. Any provider potentially on the receiving end of a penalty will be given an opportunity to make representations about it, before it is imposed. 

This is undoubtedly one of the most interesting areas of the Bill from an information perspective, putting the Secretary of State front and centre of, in effect, regulating private providers' compliance with the relevant requirements. The fact that such a power exists at all will clearly be of concern to private providers, but that anxiety will certainly be compounded by the fact that they could be facing dual regulation insofar as any non-compliance relates to personal data (i.e. identifiable information) as that would also enable the ICO to take action against them. It will certainly be interesting to see how the regulations address this, as well as the approach to penalties more generally. 

Information systems relating to human medicines

The final area of note in the Bill which is worthy of brief consideration is that it allows for Regulations to be made which provide for NHS Digital to operate an information system (or systems) relating to the safety, quality and efficacy of human medicines, and/or the improvement of clinical decision-making relating to human medicines. The Regulations may establish what information must, or could, be entered into or retained in that system, and impose a requirement to provide relevant information to NHS Digital, as well as setting out how the information contained in the system is used or disclosed.


It is fair to say that through a combination of the data strategy and the Bill a fairly dizzying array of changes have been proposed in relation to the use of information in the health and social care sectors. On the face of it at least, there could be a fairly radical shake up but, on the other hand, will they actually all amount to practical and real change? Only time will tell in that regard and, over the coming months, we will be looking to delve further and deeper into the future for NHS and social care data, and what we think things will actually look like in the future.