Roger Godsiff – 2014 Parliamentary Question to the Department of Health
The below Parliamentary question was asked by Roger Godsiff on 2014-06-17.
To ask the Secretary of State for Health, what steps he has taken to ensure that patient data extracted under care.data shared with countries inside the European Economic Area cannot be shared outside that area.
Dr Daniel Poulter
The Data Protection Act (1998) allows personal data to be transferred to countries within the European Economic Area (EEA) on the same basis as transferring data within the United Kingdom. Personal data can only be sent to a country or territory outside the EEA if an adequate level of protection for the rights and freedoms of individuals when processing their personal data is ensured.
Every application for information will be considered by the Health and Social Care Information Centre (HSCIC), in line with the Data Protection Act, taking account of their location if it is outside the UK.
Recipients of data from the HSCIC must agree to certain terms and conditions of use, i.e. a data sharing contract, before any data is disclosed. Those terms and conditions include measures intended to safeguard the use of information that may identify individuals, including:
– limiting the use of information to a specific purpose, which must also be both legitimate, compatible and shared only for the benefit of the health and social care system;
– prohibiting onward disclosure of information to an additional organisation;
– ensuring the security of the data once it is in the possession of another organisation that applied successfully for the data; and
– the right of HSCIC to audit where it is suspected the terms and conditions have not been complied with.
The HSCIC announced on 17 June 2014 that a new, strengthened audit function will monitor adherence to data sharing agreements and halt the flow of data if there are any concerns exposed. This will include scrutiny of how the data is being used and stored by those receiving it. This will also monitor that data has been deleted when an agreement comes to the end. Any failure on the part of data users to abide by their agreements will entail no further release of data to them.
