Will patient data go overseas?

A Department of Health document reveals that a review has been underway into the possibility of allowing sensitive NHS patient data to be processed overseas, we have learned.

Some GPs are concerned that if patient records are sent abroad there is a risk their contents could be revealed.

The disclosure comes only days after the government’s statement on two missing CDs that contained the personal details of all families in the UK with a child under 16. It has been described as the UK’s worst IT security breach.

The document seen by Computer Weekly said in August 2007 that the review into the possibility of patient data being processed overseas was “current” and that further guidance would be issued. The document has not been updated.

The paper was issued to health service organisations by NHS Connecting for Health, which runs part of the £12.4bn National Programme for IT [NPfIT]. It gives advice to NHS organisations that are registering staff and clinicians for smartcard access to NPfIT systems.

It says:

“Organisations should be aware of a current review into the possibility of NHS patient data being processed overseas by approved organisations.”

It adds that the review is “considering the requirements for, and implications of, such possible arrangements”.

The Information Commissioner’s Office, which seeks to protect personal data from accidental or malign disclosure, said it was unaware of the review.

David Smith, Deputy Information Commissioner, said:

“The importance of protecting people’s financial records has hit the headlines but health records often contain even more sensitive personal information. Security is imperative and as we have seen – any system is only as secure as its weakest link. Processing people’s personal information abroad is lawful, but the buck stops here.

“UK organisations that outsource personal data processing abroad remain legally responsible for maintaining the data securely under the UK Data Protection Act.

“Regardless of whether information is processed in the UK or abroad, the data controller in the UK is ultimately responsible. Two weeks ago we took enforcement action against the Foreign and Commonwealth Office because an overseas company, VFS, which was contracted by UKVisas, had failed to adequately protect people’s personal details.”

While the review into the possibility of NHS patient data going abroad continues, NHS organisations are being asked not to register any personnel working outside the NHS, for example those employed by independent healthcare organisations, which may transfer patient data overseas.

“Further guidance on the processing/transfer of data overseas will be provided in due course,” said the document.

GP Mary Hawking, a commentator on the NPfIT, said she was surprised that the possibility of processing patient data abroad was being considered.

She said:

“I can’t see any good reason for even considering it, and in any case, wouldn’t it be in breach of the Data Protection Act? Surely putting NHS data, of any sort, in a foreign legal framework involves a risk to confidentiality? What is the business case for sending NHS data abroad – or even for spending NHS resources on the review?”

Paul Thornton, a GP with a special interest in matters of patient confidentiality, said there is lack of clarity of who will be data controller of data that is entered into the NPfIT summary care record. He said he was concerned that patient data may be processed overseas, in countries where officialdom places less importance on data protection than the UK.

Richard Thomas, the Information Commissioner, says that nine out of ten people are concerned that organisations do not treat their personal information properly.

Spokespeople for the Department of Health and NHS Connecting for Health denied that there is a review into the possibility of NHS patient data being processed overseas. A spokeswoman for the Department of Health said:

“Patient data is not currently sent abroad. There is no review, and there are no considerations relating to the National Programme for IT for patient data to be processed abroad in future. NHS organisations are legally responsible for complying with data protection laws and patient records can never be put at risk in compliance with these laws.”

And a spokesman for NHS Connecting for Health answered simply “no” when asked if consideration was being given to processing patient data abroad. It is unclear, however, that the spokespeople at the Department of Health and NHS Connecting for Health have seen the document referred to in this article.

Data Protection Act 1998 over sending data overseas

The Act restricts the transfer of personal data outside the EU. There are to be no restrictions on the free flow of personal data between countries in the European Economic Area (which consists of Norway, Iceland and Liechtenstein, as well as the 27 EU Member States). However, personal data may only be transferred to other third countries if those countries ensure an “adequate level of protection for the rights and freedoms of data subjects”.


HMRC’s missing Child Benefit CDs – what went wrong and lessons for NPfIT and ID cards

Department of Health guidance on patient confidentiality

Foreign and Commonwealth Office in data protection trouble