NHS Digital and the Home Office: the relationship
The outgoing head of the UK’s Health and Social Care Information Centre (“NHS Digital”) claims to have repeatedly been pressured by the Home Office to provide them with the personal data of immigrant patients. In an interview with the Health Service Journal earlier this month, Kingsley Manning stated that upon his appointment, in 2013, he discovered that patient personal data had been passing from NHS Digital to the Home office since 2005. Manning also stated that approximately 10 000 persons were being traced through NHS Digital annually. This, interestingly, includes the period during which Theresa May was Home Secretary (2010 – 2016).
Manning voiced his concerns regarding the sharing (transfer) of patient personal data and he also expressed to the Home Office the need to understand the legal basis for such patient personal data transfer requests. The Home Office addressed Manning’s concern by responding that they were entitled to the patient personal data for purposes of tracing immigrants as this data was paid for by the taxpayers and therefore belonged to the public. Manning has since notified the Secretary of State of his resignation as head of NHS Digital, which will take effect on 31 May 2017. Prior to his resignation, Manning had requested a review to establish the legal basis of the data transfer and the request was met with “enormous reluctance from both the Home Office and the Department of Health”. Manning’s review of the data transfer system was undertaken by Professor Maria Goddard of the Centre for Health Economics at York University but was never published.
The legally non-binding MoU
The interview with Manning and the Health Service Journal took place following the publication of a Memorandum of Understanding (“MoU”) between the Health and Social Care Information Centre (NHS Digital), the Home Office and the Department of health, which came into force in England on 1 January 2017. With the signature of the MoU, the requirement of a legal basis for accessing patient personal data was introduced. Although the MoU is legally non-binding, it facilitates the procedure through which the Home Office may make information requests to NHS Digital to “establish if they hold certain non-clinical information in relation to immigration offenders, and if so, for that information to be provided to the Home Office”. The Home office will then use the personal data to support its “strategic priorities”.
According to the MoU, the personal data which the Home Office can request from NHS digital with regard to an immigrant offender will be dealt with on a case-by-case basis and may include non-clinical data such as names, date of birth, last known address, nationality, CID person ID and the area code of the data subject’s primary healthcare service provider (i.e. their general practitioner).
The justification and a legal basis
The justification for the data disclosure is set out in clause 7 of the MoU. Clause 7.4 provides the specific circumstances under which the Home Office may process the personal data requests, which circumstances include: i) where the information is necessary for the detection and/or prevention of crime; ii) where it is a matter of public policy; iii) where all other avenues for collecting the personal data have been exhausted (as a last resort); and iv) if permitted under Health and Social Care Act 2012. Clause 3.1 of the MoU provides that a legal basis is required in order for NHS Digital to make the requested disclosures to the Home Office. Although clauses 3 makes specific provision for the requirement of a clear legal basis, clause 7.4 is, however, subject to clause 7.5. Clause 7.5 arguably amounts to a circumvention of the requirements set out under clause 7.4 as it states that “notwithstanding the preceding provisions”, NHS Digital may be required to provide the Home Office with the requested data where it is established that: i) NHS Digital is the only source of the data; or ii) it is in the interests of safety of the welfare of an individual.
What happens to the rights of the data subjects?
The data transfer mechanism has generally undergone heavy criticism, with some British publications reporting that it has “led to the government being accused of ‘out-Trumping Donald Trump’”. Other concerns which have been raised include that this may lead to patients losing trust in the NHS and being reluctant to seek medical attention because of the fear that their details will land in the hands of the Home Office. The system is also in danger of being viewed as “placing political objectives ahead of doctor-patient confidentiality”.
What also needs to be considered is that the MoU does not provide for patients to be informed of the possibility that their personal data may be shared with the Home Office. In addition to requiring a legal basis for all disclosures, clause 3 of the MoU requires all disclosures to comply with the requirements of the Data Protection Act 1998. The cornerstone of most data protection laws, including the UK’s Data Protection Act 1998, is the data subject’s right to be informed of any processing of its personal data by or on behalf of a data controller (section 7 (1)). Since the MoU is silent in this regard, the question which then has to follow is: does this place NHS in a position to contravene its data controller’s legislated duty to inform the subject of all data processing? Perhaps these considerations were dealt with under the unpublished report commissioned by Manning.
What this means going forward
From a legal and data protection perspective, it remains to be seen how the MoU will be used in practice to regulate this data transfer system, particularly: i) how the requirement for the Home Office to establish a legal basis will be met; ii) how much weight will be given to the rights of the data subjects versus the Home Office’s “strategic priorities” and how many requests will fall into the broad net of the “catch all” provision encapsulated in clause 7.5.