Dawn Monaghan, Head of Data Sharing and Privacy (NHSX) and Keith Willett, EU Exit Strategic Commander and Medical Director for Acute Care & Emergency Preparedness, have written to NHS organisations to provide guidance on the actions that NHS organisations need to take in order to ensure continuity of access to, processing and sharing of personal data as part of the Government’s contingency preparations for a ‘No Deal’ Exit from the European Union (EU).
The guidance sets out the potential implications for personal data when the UK leaves the EU, what can be done to prepare and how to put in place appropriate safeguards. You can actively prepare from now in readiness for leaving the EU, and solutions can be put in place once the UK is no longer a member of the EU. Guidance for primary care contractors was also issued on 10 April 2019, together with a document containing frequently asked questions on Data Protection in a no deal EU Exit for primary care contractors.
The government has agreed with the European Union (EU) a further extension of the Article 50 period to 31 October 2019. The legal default in UK and EU law remains that, until a deal is agreed and ratified, there is still a possibility of a no deal exit at the end of the extension period on 31 October. Organisations should still continue to put in place arrangements for the continued protection and exchange of personal data until an ‘adequacy’ decision is reached (see FAQs).
Practical guidance, in the form of Frequently Asked Questions, is available below.
Frequently asked questions on Data Protection in a no deal EU Exit
The key objective for EU exit preparations is to ensure personal data flows from the EEA to the UK continue to flow and where applicable appropriate mitigation measures are put in place prior to the point of exit. The Government has been clear that the UK will be leaving the EU on 31 October whatever the circumstances.
Guidance is also available on the ICO website.
What is personal data?
“Personal data” is defined in the General Data Protection Regulation (GDPR) as: “information relating to an identified or identifiable natural person”, as outlined in the ICO’s guidance.
Which organisations are affected by ‘no deal’ on data protection?
Many public, private and voluntary organisations that handle personal data will be affected and should make themselves aware of the implications of exit.
All organisations are responsible for their arrangements for the continued protection and exchange of personal data.
What are the implications for sharing personal data if the UK leaves the EU without a deal and how can we prepare?
We are aware of concerns in the health and social care system about how to ensure that personal data continues to flow with the European Economic Area (EEA) post exit. However, there are preparations you can undertake now in readiness for leaving the EU. Guidance is available on the ICO website.
What will change when the UK leaves the EU?
If we leave without a deal, there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 will remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would continue to allow the free flow of personal data from the UK to the EEA. This is because data controllers within the EEA, i.e. EU states plus Norway, Iceland and Liechtenstein, are covered by the GDPR.
However, you will need to take action to ensure EEA organisations are able to continue to send you personal data.
Does my organisation need to do anything now?
It is important for all organisations, as a priority, to review whether they would be affected by assessing their data flows. For those that would be affected, early action is strongly advised as changes may take some time to implement.
Inbound personal data flows from the EEA may be affected. We recommend that you identify inbound personal data flows, which are data transfers from any EEA organisation to your organisation.
We would recommend that you contact these EEA organisations to discuss and put in place the relevant appropriate safeguards. Please note that these safeguards can be implemented now.
If your organisation is affected, you should review the guidance issued by the UK government and ICO guidance now, and encourage organisations in the EEA that you exchange personal data with to do the same.
Organisations should also identify any EU databases, networks or information systems that you currently have access to, and rely on, and consider if you need to develop alternative arrangements to continue receiving the data in a no deal scenario.
What should Data Protection Officers (DPOs) be doing to prepare?
You should continue to reinforce preparedness by identifying any data flows and putting in place mitigation where necessary prior to the date that the UK leaves the EU.
This should include:
- Data Protection Impact Assessments (DPIA) – Complete by consulting with the relevant lead officers within your organisation to manage any risks identified with restricted transfers of personal data outside of the EEA.
- Privacy Notices – Ensure this information is up-to-date and any changes are clearly cascaded to those data subjects who are affected.
- Data Security and Protection (DSP) Toolkit – This should have been completed at the end of March 2019. You need to ensure you demonstrate the highest standards of information management.
- Protocols and Data Sharing Templates – Ensure that these are up to date.
- Standard Contractual Clauses (SCC) – implement as appropriate to ensure the free flow of data into your organisation.
- Check where data is stored – In the event that you have data stored in the EEA, you should contact your supplier organisation – including cloud service providers – to seek reassurances from them that they will continue to provide data services to you and that your data will continue to flow to your data controller. Major suppliers, such as Microsoft, have provided these reassurances to organisations but you may want to seek your own reassurance for your organisation.
What is an adequacy decision?
A transfer of personal data to a ‘Third Country’ (countries that are not within the EEA) may take place where the European Commission has decided that the third country ensures an adequate level of protection so that a transfer of personal data does not require any specific authorisation.
Will we have an adequacy decision when the UK leaves the EU?
We do not expect the European Commission to have provided the UK with an adequacy decision at the time the UK leaves the EU. Until an ‘adequacy decision’ is reached you will still need appropriate safeguards in place to ensure personal data flows from the EEA continue uninterrupted.
Which data flows may be affected when the UK leaves the EU?
If your organisation processes data within the UK then it is business as usual.
If your organisation processes data outside the UK, you will need to consider the data flow diagram below.
Outbound flows of personal data
Outbound personal data flows will be able to continue from the UK to the EEA and other adequate countries (countries that have received an adequacy decision) once the UK has left the EU. This is because the UK is putting in place a statutory instrument (SI) that will allow the free flow of personal data from the UK to the EEA.
Inbound flows of personal data
Inbound personal data flows may be affected. Once the UK has left the EU its status under GDPR is that of a ‘Third Country’. The UK will not be considered adequate until the European Commission has undertaken an assessment of our data protection legislation. This means that data controllers and data processors within EEA jurisdictions are restricted from sharing personal data in the absence of an alternative legal basis, such as one of the standard contractual clauses approved by the European Commission. The European Data Protection Board (EDPB) has issued an information note for commercial and public organisations in EEA countries on what instruments can be used when transferring personal data to the UK.
Will data flows to the USA be affected when we exit the EU?
Outbound flows of personal data from the UK to the USA
The US government and the ICO have published guidance on how personal data can continue to flow from the UK to the US under the Privacy Shield in a no deal scenario. UK organisations will continue to be able to transfer personal data to US organisations participating in the Privacy Shield provided those organisations have updated their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK.
If a US organisation hasn’t signed up to the Privacy Shield scheme, you would then need to consider another safeguard, e.g. Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Further information is available on the ICO website under international transfers.
Inbound flows of personal data from the USA to the UK
Inbound flows of personal data will not be affected by the UK leaving the EEA.
Will we still be able to send and receive personal data to the Channel Islands and the Isle of Man?
Yes – we will still be able to send personal data to the Channel Islands and the Isle of Man because the UK has put in place a statutory instrument (SI) that will allow the free flow of personal data to EEA countries and other countries that have received an adequacy decision from the European Commission. This includes both the Channel Islands and the Isle of Man. The UK will also still be able to receive personal data from the Channel Islands and the Isle of Man because all three have passed time-limited measures which will enable the flow of personal data to the UK until December 2020.
Will personal data flows to third countries be affected?
Rules on transfers of personal data from the UK to third countries will not change.
What do I need to do if I have data stored off-shore in the EEA?
In the event that you have data stored in the EEA, you should contact your supplier organisation – including cloud service providers – to seek reassurances from them that they will continue to provide data services to you and that your data will continue to flow to your data controller.
Major suppliers, such as Microsoft, have provided these reassurances to organisations but you may want to seek your own reassurance for your organisation.
In the absence of an adequacy decision can we still receive personal data?
If a third country does not have adequacy decisions from the European Commission, EEA organisations can put in place appropriate safeguards so that there is a legal basis to transfer personal data.
What is an appropriate safeguard?
The most common safeguard used to transfer personal data to third countries is standard contractual clauses. You can find out about these, and how to implement them, on the ICO website.
In some circumstances you may wish to consider using a different appropriate safeguard in Article 46 of the GDPR – for instance, for sharing between public sector bodies you may wish to consider using a legally enforceable contract. In other circumstances you may wish to rely on one of the derogations in Article 49. Information about these can be found on the ICO website.
How do I use standard contractual clauses?
A Standard Contractual Clause (SCC) should be used when transferring personal data from an EEA Data Controller who is a private organisation to a UK Data Controller or between a Data Processor who is a private organisation based in the EEA and a UK data controller.
They are pre-approved by the European Commission and can be inserted into new, or existing, agreements to provide a legal basis for transferring personal data from the EEA to a non-adequate third country. In a ‘no deal’ scenario or where the UK leaves the EU but has no adequacy agreement in place they are expected to be widely relied upon for EEA to UK data transfers. Practical steps to consider in implementing a SCC are below:
- Identify each of the business areas in your organisation that process personal data (e.g. HR, Finance and front-line operations)
- For each business area outline the key arrangements in place that involve personal data received from or sent to a third party
- Identify details (where available) of the third party location (UK or another country)
- For each business area identified, review and note the specific data transfer arrangements involved from the EEA to the UK e.g. is it controller to controller, controller to processor or processor to controller
- Use the interactive tool on the ICO website to determine which of the EEA to UK data transfers identified may benefit from a SCC.
The ICO website carries further advice and guidance on SCCs. Please make sure to check all final products with legal advice.
How to set up a Legally Binding and Enforceable Instrument
A Legally Binding and Enforceable Instrument (LBEI) should be used when transferring data from an EEA data controller who is a public organisation to a UK data controller or between a data processor who is a public organisation based in the EEA and a UK data controller.
An LBEI allows the transfer of personal data between public bodies or authorities. It is a bespoke written agreement between the public bodies which must include the appropriate safeguards to protect the privacy of data subjects and the provisions for providing enforceable and effective rights if the data subjects’ rights are breached.
To ensure the LBEI is enforceable for both public bodies/authorities, it is recommended to seek legal advice.
Further information can be found on the ICO website.
When would I need to use a Derogation?
Derogations are used for specific situations falling outside business as usual e.g. the transfer of data necessary for important reasons of public interest. A condition for the use of derogations is that the data transfer is necessary for a certain purpose and a necessity test should be applied to assess the possible use of derogations under GDPR. The European Data Protection Board (EDPB) have published guidance on derogations and the ICO have further useful guidance.
What will happen to the patient records of UK citizens who have been living in the EEA who return to the UK post exit?
If the patient would like to repatriate their medical records then they will need to make a subject access request (SAR) in the EEA country in which they were resident to obtain a copy of their medical record from their EEA healthcare provider and bring this back to the UK. This will need to be passed to the UK GP to update their records. The original medical record will be retained by their EEA healthcare provider in accordance with local guidance. It will be the patient’s responsibility to provide translation of the records if required.
Does this guidance apply to personal data flows for health and care research purposes?
Yes, the guidance has broad applicability to all circumstances in which personal data flows between the EEA and UK.
Are there any Cyber Security issues?
In order to ensure that your data and digital assets are adequately protected it is imperative that your annual Data Security and Protection Toolkit assessment is completed. This self-audit of compliance with the 10 Data Security Standards is mandatory and should have been completed by the end of March 2019. Completing this will enable health and adult social care providers to more quickly identify and address any vulnerabilities.
If you identify data flows, databases or data stored in the EEA which, if withdrawn or disrupted, would have a serious impact upon your organisation, what should you do?
It is imperative you let NHS England and Improvement know by contacting the regional EU Exit leads as set out below.
Our national EU exit coordination centre is based at Quarry House, Leeds, and we have also established regional coordination centres, which will operate as the single point of contact for each region. Please contact them to flag issues and raise queries as follows:
| Region | Contact |
|---|---|
| East of England | England.firstname.lastname@example.org |