Will patient data go overseas?

A Department of Health document reveals that a review has been underway into the possibility of allowing sensitive NHS patient data to be processed overseas, we have learned.

Some GPs are concerned that if patient records are sent abroad there is a risk their contents could be revealed.

The disclosure comes only days after the government’s statement on two missing CDs that contained the personal details of all families in the UK with a child under 16. It has been described as the UK’s worst IT security breach.

The document seen by Computer Weekly said in August 2007 that the review into the possibility of patient data being processed overseas was “current” and that further guidance would be issued. The document has not been updated.

The paper was issued to health service organisations by NHS Connecting for Health, which runs part of the £12.4bn National Programme for IT [NPfIT]. It gives advice to NHS organisations that are registering staff and clinicians for smartcard access to NPfIT systems.

It says:

“Organisations should be aware of a current review into the possibility of NHS patient data being processed overseas by approved organisations.”

It adds that the review is “considering the requirements for, and implications of, such possible arrangements”.

The Information Commissioner’s Office, which seeks to protect personal data from accidental or malign disclosure, said it was unaware of the review.

David Smith, Deputy Information Commissioner, said:

“The importance of protecting people’s financial records has hit the headlines but health records often contain even more sensitive personal information. Security is imperative and as we have seen – any system is only as secure as its weakest link. Processing people’s personal information abroad is lawful, but the buck stops here.

“UK organisations that outsource personal data processing abroad remain legally responsible for maintaining the data securely under the UK Data Protection Act.

“Regardless of whether information is processed in the UK or abroad, the data controller in the UK is ultimately responsible. Two weeks ago we took enforcement action against the Foreign and Commonwealth Office because an overseas company, VFS, which was contracted by UKVisas, had failed to adequately protect people’s personal details.”

While the review into the possibility of NHS patient data going abroad continues, NHS organisations are being asked not to register any personnel working outside the NHS, for example those employed by independent healthcare organisations, which may transfer patient data overseas.

“Further guidance on the processing/transfer of data overseas will be provided in due course,” said the document.

GP Mary Hawking, a commentator on the NPfIT, said she was surprised that the possibility of processing patient data abroad was being considered.

She said:

“I can’t see any good reason for even considering it, and in any case, wouldn’t it be in breach of the Data Protection Act? Surely putting NHS data, of any sort, in a foreign legal framework involves a risk to confidentiality? What is the business case for sending NHS data abroad – or even for spending NHS resources on the review?”

Paul Thornton, a GP with a special interest in matters of patient confidentiality, said there is lack of clarity of who will be data controller of data that is entered into the NPfIT summary care record. He said he was concerned that patient data may be processed overseas, in countries where officialdom places less importance on data protection than the UK.

Richard Thomas, the Information Commissioner, says that nine out of ten people are concerned that organisations do not treat their personal information properly.

Spokespeople for the Department of Health and NHS Connecting for Health denied that there is a review into the possibility of NHS patient data being processed overseas. A spokeswoman for the Department of Health said:

“Patient data is not currently sent abroad. There is no review, and there are no considerations relating to the National Programme for IT for patient data to be processed abroad in future. NHS organisations are legally responsible for complying with data protection laws and patient records can never be put at risk in compliance with these laws.”

And a spokesman for NHS Connecting for Health answered simply “no” when asked if consideration was being given to processing patient data abroad. It is unclear, however, that the spokespeople at the Department of Health and NHS Connecting for Health have seen the document referred to in this article.

Data Protection Act 1998 over sending data overseas

The Act restricts the transfer of personal data outside the EU. There are to be no restrictions on the free flow of personal data between countries in the European Economic Area (which consists of Norway, Iceland and Liechtenstein, as well as the 27 EU Member States). However, personal data may only be transferred to other third countries if those countries ensure an “adequate level of protection for the rights and freedoms of data subjects”.


HMRC’s missing Child Benefit CDs – what went wrong and lessons for NPfIT and ID cards

Department of Health guidance on patient confidentiality

Foreign and Commonwealth Office in data protection trouble

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I note the comments in the media and your blog of matters relating to the NHT IT programme.

In regard to the ownership of patient data, surely this is similar to the patient’s own body. Apart from extreme conditions, the patient has ultimate ownership of his body, hence the ultimate owner of data is the patient.

Your comments on radio regarding scanning of records by an overseas agency, say in India, to produce pdf files is not only worrying but in many cases unnecessary. Examining the file of records of our mother, who died in hospital in 2004, such items as history sheets and healthcare records have their main object of providing a continuum of data to the following shift.

Reports such as haematology and biochemistry lend themselves to pdf format. However, since these are machine based output rather than narrative, it should be possible to arrange this at the generating point.

The relative balance in our mother’s case for a stay of 38 days: narrative contemporaneous records 276, others 237.

However, there will be a need for a stay summary report upon discharge consisting of set and flexible narrative format completed by the clinicians and generated as a pdf output.

Regarding the use of a national database vs. regional databases and the data traffic flows, the vast majority will be within region. For those instances where an inhabitant of Durham becomes ill on holiday and is hospitalised in say Cornwall, remote access of the regional database for Durham must be accessible. Where I live, should I walk some 500mts to the west I am in Wales, where the planned IT system does not apply.

As a one time Senior Management Consultant, who had 8 years with a member firm of the MCA, the comments of Sir John Pattison are apposite, especially in respect of the independent assessment. In 2002, I would have recommended PA Management Consultants to undertake an options assessment, “what is, what could, what should”. The use of Accenture at that stage would have been flawed in that they would have been salivating at the prospect of substantial fee incomes.

Maybe, just maybe, Messrs. Brown and Johnson could have the courage to declare a moratorium whilst a detailed and appropriate review be undertaken.

Michael J. Forbes

There are now 27 EU member states.

Thanks for pointing out the number of EU member states - I've corrected the blog entry. Tony Collins