Part of the reason why Caredata has become such a hot topic is the revelation that patient-level data was sold to actuaries, for a study into which factors are meaningful when assessing premiums, and that when this was revealed, no-one appears quite clear who approved it, and under what rules. There is now some significant debate as to whether this sale was wrong, whether it was permissible under the rules at the time, whether it would be permissible now (i.e., under the Caredata rules as planned for the now-delayed spring 2014 launch) and whether it will be permissible under the hypothetical rules Jeremy Hunt is proposing in the aftermath of Friday's announcement of new legislation.
The problem seems to be a governance structure that is so complex that actual responsibility and accountability have been diffused to the point of invisibility. There is a complex mesh of advisor groups, boards and executives --- has anyone seen a diagram? --- but, when an actual case is challenged, no-one appears able to point to who took the decision, and under what rules. Even if the people who agreed the release to the IFoA can be identified, it's not at all clear what rules they were operating under and whether those rules were followed. The failure of the HSCIC to produce a code of practice exacerbates this.
The governance should have three clear components.
First, there should be a set of rules setting down the purposes for which data can be released, and in what form. The rules are owned by a group of people, with a named chairman, who sign off successive releases of the document. If the rules are found to be inadequate, either because they do not cover some case or because public opinion challenges the contents, that group of people are tasked with re-writing it. Those people are appointed by a minister who is democratically accountable to parliament (or, more probably, a select committee); it is likely that the process and policy for these appointments would be the subject of secondary legislation or the schedule to primary legislation. This is strategy.
Secondly, there should be another group of people who consider requests for access and evaluate them in the context of the rules. These decisions should be uncontentious, and if there is disagreement between reasonably informed people then that is more likely to reflect a problem with the rules than anything else. These people will probably need to be employees of the agency handling the data as the decisions will need to be made relatively quickly, but as they wield relatively little power this is not of itself dangerous. This is tactics.
And finally, there needs to be oversight that the decisions are being made correctly and that the process is fit for purpose. This could be done by a select committee directly, but is more commonly done by appointing a retired judge or similar to act as a regulator. This person does not make decisions or policy, but confirms that the process is being followed, samples decisions to check in detail, and reports annually. This is audit. Although the legislation has many problems and there has been a lot of dispute, the role of the Interception of Communications Commissioner is a good model.
One committee, named and appointed by a minister who is democratically accountable, sets detailed policy. A second committee executes it. A commissioner checks the process is being followed.
That way, when things go wrong, people can be held to account. Democratically.