Dawn Monaghan, Head of Data Sharing and Privacy (NHS England), Head of Strategic IG (NHS Digital) and Director Information Governance Alliance, and Keith Willett, EU Exit Strategic Commander and Medical Director for Acute Care & Emergency Preparedness, have written to NHS organisations to provide guidance on the actions that NHS organisations need to take in order to ensure continuity of access to, processing and sharing of personal data as part of the Government’s contingency preparations for a ‘No Deal’ Exit from the European Union (EU).

The guidance sets out the potential implications for personal data when the UK leaves the EU, what can be done to prepare and how to put in place appropriate safeguards. You can actively prepare from now in readiness for leaving the EU on the 29 March 2019 and solutions can be put in place once the UK is no longer a member of the EU.

Practical guidance, in the form of Frequently Asked Questions, is available below. 

Frequently asked questions on Data Protection in a no deal EU Exit

Guidance is also available on the ICO website. 

What is personal data?

“Personal data” is defined in the General Data Protection Regulation (GDPR) as: “information relating to an identified or identifiable natural person”, as outlined in the ICO’s guidance. 

Which organisations are affected by ‘no deal’ on data protection?

Many public, private and voluntary organisations that handle personal data will be affected and should make themselves aware of the implications of exit.

All organisations are responsible for their arrangements for the continued protection and exchange of personal data.

What are the implications for sharing personal data if the UK leaves the EU without a deal and how can we prepare?

We are aware of concerns in the health and social care system about how to ensure that personal data continues to flow with the European Economic Area (EEA) post exit. However, there are preparations you can undertake now in readiness for leaving the EU on 29 March 2019. Guidance is available on the ICO website.

What will change when the UK leaves the EU?

If we leave without a deal, there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 will remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.

In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would continue to allow the free flow of personal data from the UK to the EEA. This is because data controllers within the EEA, i.e. EU states plus Norway, Iceland and Liechtenstein, are covered by the GDPR.

However, you will need to take action to ensure EEA organisations are able to continue to send you personal data. 

Does my organisation need to do anything now?

It is important for all organisations, as a priority, to review whether they would be affected by assessing their data flows. For those that would be affected, early action is strongly advised as changes may take some time to implement.

Inbound personal data flows from the EEA may be affected. We recommend that you identify inbound personal data flows, which are data transfers from any EEA organisation to your organisation.

We would recommend that you contact these EEA organisations to discuss and put in place the relevant appropriate safeguards. Please note that these safeguards can be implemented now.

If your organisation is affected, you should review the technical notice issued by the UK government and ICO guidance now, and encourage organisations in the EEA that you exchange personal data with to do the same.

Organisations should also identify any EU databases, networks or information systems that you currently have access to, and rely on, and consider if you need to develop alternative arrangements to continue receiving the data in a no deal scenario. 

What is an adequacy decision?

A transfer of personal data to a ‘Third Country’ (countries that are not within the EEA) may take place where the European Commission has decided that the third country ensures an adequate level of protection so that a transfer of personal data does not require any specific authorisation. 

Will we have an adequacy decision when the UK leaves the EU?

We do not expect the European Commission to have provided the UK with an adequacy decision by 29 March 2019. 

Which data flows may be affected when we exit the EU?

Outbound flows of personal data

Outbound personal data flows (from the UK to the EEA) will be able to continue from the UK to the EEA and other adequate countries (countries that have received an adequacy decision) once the UK has left the EU. This is because the UK is putting in place a statutory instrument (SI) that will allow the free flow of personal data from the UK to the EEA.

The US government and the ICO have published guidance for how personal data can continue to flow from the UK to the US under the Privacy Shield in a no deal scenario. UK organisations will continue to be able to transfer personal data to US organisations participating in the Privacy Shield provided those organisations have updated their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK.

Rules on transfers of personal data to countries that are currently non-adequate third countries will not change.

Inbound flows of personal data

Inbound personal data flows (from the EEA to UK) may be affected. Once the UK has left the EU on 29 March 2019 its status under GDPR is that of a ‘Third Country’. The UK will not be considered adequate until the European Commission has undertaken an assessment of our data protection legislation. This means that data controllers and data processors within EEA jurisdictions are restricted from sharing personal data in the absence of an alternative legal basis, such as one of the standard contractual clauses approved by the European Commission. The European Data Protection Board (EPDB) has issued an information note for commercial and public organisations in EEA countries on what instruments can be used when transferring personal data to the UK.

In the absence of an adequacy decision can we still receive personal data?

If a third country does not have adequacy decisions from the European Commission, EEA organisations can put in place appropriate safeguards so that there is a legal basis to transfer personal data. 

What is an appropriate safeguard?

The most common safeguard used to transfer personal data to third countries are standard contractual clauses. You can find out about these, and how to implement them, on the ICO website.

In some circumstances you may wish to consider using a different appropriate safeguard in Article 46 of the GDPR – for instance, for sharing between public sector bodies you may wish to consider using a legally enforceable contract. In other circumstances you may wish to rely on one of the derogations in Article 49. Information about these can be found on the ICO website. 

How do I use standard contractual clauses?

Standard contractual clauses (SCC) are pre-approved by the European Commission and can be inserted into new, or existing, agreements to provide a legal basis for transferring personal data from the EEA to a non-adequate third country. In a ‘no deal’ scenario they are expected to be widely relied upon for EEA to UK data transfers.

Further advice, and guidance, on SCCs is available on the ICO website. This includes an interactive tool to help businesses understand and complete SCCs for personal data transfers. Please make sure to check all final products with your own legal team. 

How can EEA data processors ensure themselves of adequacy?

Separate guidance about transfers of personal data from processors based in the EEA will be published shortly. 

What will happen to the patient records of UK citizens who have been living in the EEA who return to the UK post exit?

General practitioners (GPs) in the UK can request a copy of a patient’s medical records from an EEA GP on behalf of their patient. 

Are there any Cyber Security issues?

In order to ensure that your data and digital assets are adequately protected it is imperative that your annual Data Security and Protection Toolkit assessment is completed. This self-audit of compliance with the 10 Data Security Standards is mandatory to complete by the end of March 2019. Completing it early will enable health and adult social care providers to more quickly identify and address any vulnerabilities.

If you identify any data flows, databases or data stored in the EEA which are critical to patient care?

It is imperative that you let NHS England and Improvement know by contacting your regional EU Exit inbox. These inboxes will either be able to provide the appropriate advice or escalate concerns to the EU Exit Co-ordination Centre. Contact details for the regional EU Exit leads are set out below.

If you identify data flows, databases or data stored in the EEA which if withdrawn or disrupted would have a serious impact upon your organisation what should you do?

It is imperative you let NHS England and Improvement know by contacting the regional EU Exit leads as set out below.

Our national EU exit coordination centre is based at Quarry House, Leeds, and we have also established regional coordination centres, which will operate as the single point of contact for each region. Please contact them to flag issues and raise queries as follows:

Region Email Account
North East
North West
East of England
South East
South West

What additional assistance will be made available by NHS England and Improvement?

Local teams will support any issues that may arise from EU Exit. Any issues can be escalated to the regional teams as required and where issues impact across the health and care system at a national level these will be escalated to the EU Exit National Co-ordination Centre who will coordinate flows and responses as required.

Will we still be able to send and receive personal data to the Channel Islands and the Isle of Man?

Yes – we will still be able to send personal data to the Channel Islands and the Isle of Man because the UK is putting in place a statutory instrument (SI) that will allow the free flow of personal data to EEA countries and other countries that have received an adequacy decision from the European Commission. This includes both the Channel Islands and the Isle of Man. The UK will also still be able to receive personal data from the Channel Islands and the Isle of Man because all three have passed time limited measures which will enable the flow of personal data to the UK until December 2020.

Does this guidance apply to personal data flows for health and care research purposes?

Yes, the guidance has broad applicability to all circumstances in which personal data flows between the EEA and UK.