I thank the shadow Minister for making the point that £5,000 is woefully inadequate. The financial penalties—significant ones on a sliding scale commensurate with the wealth of the individuals or organisations concerned—should be set out, but I believe that people should go to prison for such data breaches. Organisations should be clearly held accountable. It should be made clear to them that, should such breaches occur, requests from them will not be looked on favourably. There should be a clear penalty. Currently, those penalties simply do not exist.
How do we explain to the public the small risks and how we will address them? One significant risk has not been covered: the powers of NHS England to direct the Health and Social Care Information Centre to collect information when it is considered “necessary or expedient”. That could include full identifiable, confidential data. Will the Minister address one point on that? I have been told that NHS England has, in meetings with senior researchers, discussed the fact that, in the next releases of care data, it plans to include free text. Free text takes us into an altogether different area, so will the Minister give categorical reassurances on it? I support the principle of a default opt-in, but might not support it if the data included free text. Free text is deeply and intensely personal data and is not coded, and the public need specific reassurances on it.