
A Department of Health document reveals that a review
has been underway into the possibility of allowing sensitive NHS
patient data to be processed overseas, Computer Weekly has
learned.
GPs are concerned that if patient records are sent abroad there
is a risk their contents could be revealed.
The disclosure comes only days after the
government's statement on two missing CDs that contained the
personal details of all families in the UK with a child under
16. It has been described as the UK's worst IT security
breach.
The document, seen by Computer Weekly, stated in August 2007 that
the review into the possibility of patient data being processed
overseas was "current" and that further guidance would be issued.
The document has not been updated since.
The paper was issued to health service organisations by NHS
Connecting for Health, which runs part of the £12.4bn National
Programme for IT [NPfIT]. It gives advice to NHS organisations that
are registering staff and clinicians for smartcard access to
NPfIT systems.
It says, "Organisations should be aware of a current review into
the possibility of NHS patient data being processed overseas by
approved organisations." It adds that the review is "considering
the requirements for, and implications of, such possible
arrangements".
The Information Commissioner's Office, which seeks to protect
personal data from accidental or malign disclosure, said it was
unaware of the review.
David Smith, Deputy Information Commissioner, said, "The
importance of protecting people's financial records has hit the
headlines, but health records often contain even more sensitive
personal information. Security is imperative and as we have seen -
any system is only as secure as its weakest link. Processing
people's personal information abroad is lawful, but the buck stops
here.
"UK organisations that outsource personal data processing abroad
remain legally responsible for maintaining the data securely under
the UK Data Protection Act.
"Regardless of whether information is processed in the UK or
abroad, the data controller in the UK is ultimately responsible.
Two weeks ago we took
enforcement action against the Foreign and Commonwealth Office
because an overseas company, VFS, which was contracted by UKVisas,
had failed to adequately protect people's personal
details."
While the review into the possibility of NHS patient data going
abroad continues, NHS organisations are being asked not to register
any personnel working outside the NHS, for example those employed
by independent healthcare organisations, which may transfer patient
data overseas.
"Further guidance on the processing/transfer of data overseas
will be provided in due course," said the document.
Dunstable GP Mary Hawking, a commentator on the NPfIT, said she
was surprised that the possibility of processing patient data
abroad was being considered.
She said: "I cannot see any good reason for even considering it,
and in any case, would it not be in breach of the Data Protection
Act? Surely putting NHS data, of any sort, in a foreign legal
framework involves a risk to confidentiality? What is the business
case for sending NHS data abroad - or even for spending NHS
resources on the review?"
Paul Thornton, a GP with a special interest in matters of
patient confidentiality, said there is a lack of clarity over who
will be the data controller for data entered into the NPfIT summary
care record. He said he was concerned that patient data may be
processed overseas, in countries where officialdom places less
importance on data protection than the UK does.
Richard Thomas, the Information Commissioner, says that nine out
of ten people are concerned that organisations do not treat their
personal information properly.
Spokespeople for the Department of Health and NHS Connecting for
Health denied that there is a review into the possibility of NHS
patient data being processed overseas. A spokeswoman for the
Department of Health said, "Patient data is not currently sent
abroad. There is no review, and there are no considerations
relating to the National Programme for IT for patient data to be
processed abroad in future. NHS organisations are legally
responsible for complying with data protection laws and patient
records can never be put at risk in compliance with these
laws."
And a spokesman for NHS Connecting for Health answered simply
"no" when asked if the possibility is being considered of having
patient data being processed abroad. It is unclear, however,
whether the spokespeople at the Department of Health and NHS
Connecting for Health have seen the document referred to in this
article.