Professional Documents
Culture Documents
Exemplu Transfer Date in Afara UK
Exemplu Transfer Date in Afara UK
1
Contents
1. Purpose
2 Scope
3 Country Status
6 Consent
8. Vital Interests
9. Public Registers
17. References
2
1. Purpose
1.1 The 8th Principle of the Data Protection Act (DPA) states that:
“Personal data shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing of personal
data”
1.3 This policy sets out the rules to be followed by all trust staff when sending patient
identifiable information out of the UK.
2. Scope
2.1 This policy covers any and all requests for sensitive information to be sent overseas
and refers to both manual and electronic information. Whilst this particular DPA
principle is more usually associated with international business, it applies to the NHS
in the following potential situations but this list is not exhaustive:
2.2 This policy covers sensitive data that is held on paper or on Trust laptops or other
removable media and is taken abroad for work purposes by a member of staff.
2.3 This policy excludes sensitive information being taken to another country by a
member of staff whilst on holiday as this is not permitted by the Trust even if the
information is recorded on an encrypted device. (See Encryption Policy)
2.4 This policy includes the use of cloud storage solutions hosted outside Europe.
3
2.4 This policy excludes information that is appropriately anonymised or pseudonymised.
3.1 The European Commission has decided on the adequacy of protection of personal
data The effect of such a decision is that personal data can flow from the 28 EU
countries and three EEA member countries (Norway, Liechtenstein and Iceland) to
that third country without any further safeguard being necessary.
3.2 The Commission has so far recognized Andorra, Argentina, Canada (commercial
organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand,
Switzerland, Uruguay and the US Department of Commerce's Safe Harbour Privacy
Principles as providing adequate protection.
3.3.1 The European Commission considers that personal data sent to the US under the
“Safe Harbor” scheme is adequately protected. When a US company, University,
Hospital, signs up to the Safe Harbor arrangement, they agree to:
3.3.2 It is the responsibility of the staff member sending the data to identify that the recipient
is a member of the Safe Harbor scheme.
3.3.3 This does mean that the US is “Non-Approved” if the recipient of the communication is
not a member of the Safe Harbour scheme.
4.2 For UK personal data, the Act sets out the factors to be taken into account to make
this decision. These relate to
Here is an example:
A consultant travels outside the EEA with a laptop containing personal identifiable data. The
Trust, their employer in the UK, is still the data controller. As long as the information stays
with the employee on the laptop, and the employer has an effective procedure to deal with
security (e.g. encryption) and the other risks of using laptops (including the extra risks of
international travel), it is reasonable to decide that adequate protection exists.
4
4.3 A risk assessment will be required to decide whether there is enough protection for
individuals, in all the circumstances of the transfer. This is known as an assessment
of adequacy. To assess adequacy the following should be considered:
• the extent to which the country has adopted data protection standards in its law;
• whether there is a way to make sure the standards are achieved in practice; and
• whether there is an effective procedure for individuals to enforce their rights or get
compensation if things go wrong.
5.1 In order to meet the requirements of the DPA and of the Information Governance
Toolkit Criteria 8-209, the following must take place:
Task Responsibility of
The Trust must assign responsibility for reviewing information flows to Assigned to Information
identify overseas transfers Governance Manager (IGM)
All identified transfers of personal data to a country outside the United Staff planning to send
Kingdom must be documented and reviewed for compliance with the Data personal data, electronic or
Protection Act and Department of Health guidelines. manual. must be put in
writing to the IGM prior to
transfer
Ensure that the Trust remains up to date and always checks for the Assigned to Information
current safety state of the proprosed country of receipt Governance Manager (IGM)
Where the review of overseas transfers reveals that appropriate contracts Sign off by Trust SIRO or
are not already in place for existing transfers, new contractual terms that Information Governance Group
appropriately cover data protection and place restrictions on further use
must be negotiated with recipient organisations
Transfers of personal data to non-UK countries are regularly reviewed to Assigned to Information
ensure continuing compliance. Governance Manager (IGM)
6. Consent
6.1 The consent issue applies to all personal data that goes abroad to any country
including the EEA. Consent is not required as long as the data is anonymised or
pseudonymised.
5
6.2 Extreme care must be exercised when collating articles for international publications.
If patients have rare conditions, the more detail about them that is published, the more
identifiable they become even without a name being published.
6.3 One of the conditions for processing is that the individual has consented to their
personal data being collected and used in the manner and for the purposes in
question. This is going to be extremely relevant in the case of research data that
includes person identifiable information, emails between clinicians, and the transfer of
medical records. When considering whether consent could be inferred, the question
must be asked is “could the patient/s reasonably expect that this transfer will be taking
place?” If not then formal consent will be required.
6.4 It will be necessary to examine the circumstances of each case to decide whether
consent has been given. In some cases this will be obvious, but in others the
particular circumstances will need to be examined closely to decide whether they
amount to an adequate consent. Consent is not defined in the Data Protection Act.
However, the European Data Protection Directive (to which the Act gives effect)
defines an individual’s consent as:
“…any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”.
6.5 The fact that an individual must “signify” their agreement means that there must be
some active communication between the parties. An individual may “signify”
agreement other than in writing, but the Trust must not infer consent if an individual
does not respond to a communication – for example, from a patient’s failure to return
a form or respond to a leaflet.
A patient who is resident in the Caribbean requests a copy of their medical record and a
CDRom of their radiology images. It could be inferred that by making the request, they have
consented. However unless they are made aware that the trust is unable to guarantee the
security of either the manual or electronic information, the consent is not “informed”
6.6 Consent must also be appropriate to the age and capacity of the individual and to the
particular circumstances of the case. For example, if the Trust intends to continue to
hold or use personal data after the relationship with the patient ends, i.e. after
discharge of the patient, then the consent should cover this. Even when consent has
been given, it will not necessarily last forever. Although in most cases consent will last
for as long as the processing to which it relates continues, it must be recognised that
the individual may be able to withdraw consent, depending on the nature of the
consent given and the circumstances in which you are collecting or using the
information. Withdrawing consent does not affect the validity of anything already done
on the understanding that consent had been given.
6.7 The individual’s consent should be absolutely clear. It should cover the specific
processing details; the type of information (or even the specific information); the
purposes of the processing; and any special aspects that may affect the individual,
such as any disclosures that may be made.
6.8 A particular consent may not be adequate to satisfy the condition for processing
(especially if the individual might have had no real choice about giving it), and even a
6
valid consent may be withdrawn in some circumstances. For these reasons the trust
should not rely exclusively on consent to legitimise its processing. It is better to
concentrate on making sure that individuals are fairly treated rather than on obtaining
consent in isolation.
7.1 Personal data can be transferred overseas where it is necessary for reasons of
substantial public interest. This is a high threshold to meet and it is most likely to be
relevant in areas such as preventing and detecting crime; national security; and
collecting tax. The public interest must be that of the UK and not the third country to
which the personal data is transferred.
8. Vital interests
8.1 Personal data can be transferred overseas without consent where it is necessary to
protect the vital interests of the individual. This relates to matters of life and
death. An example would be:
The Trust could transfer relevant medical records from the UK to another country where an individual
had had a heart attack and their medical history was necessary to decide appropriate treatment.
9. Public registers
9.1 Data can be transferred overseas as part of the personal data on a public register, as
long as the person you transfer to complies with any restrictions on access to or use
of the information in the register. An example would be:
The General Medical Council (GMC) can transfer extracts from its register of medical practitioners to
respond to enquiries from outside the UK, but it is not allowed to transfer the complete register under
this exemption. If the GMC puts conditions on inspecting the register in the UK, the person the extract
is transferred to, and anyone they then pass it on to, must comply with these restrictions.
11.1 Trust staff must be careful when putting extensive staff details on the website, such as
a biography. It is vital that any staff whose details are published have consented to
the publication because of the possibility of a data transfer taking place if the
information is downloaded in a Non-Approved country.
11.2 This would not apply to just name, job title and extension number – this much
information is routine business.
7
12. Cloud Storage
The Trust will not permit the storage of any person identifiable data in a cloud storage
solution hosted outside of the EU or a US destination that is a member of the Safe
Harbor Scheme. To do so would be a breach of Data Protection Principle 8
13.1 If after considering this policy, staff are still not sure about what to do, it is imperative that
they contact the Information AAAAA Manager prior to any data transfer or
data removal.
14.1 This policy will be loaded on the intranet and on the trust website and listed in Focus
magazine.
16.1 Any breach of this policy will be reported on a risk event form and notified to the Trust
SIRO and Caldicott Guardian. Consideration will be given as to whether it
constitutes a Serious Incident. Any breach of this kind will be reported to the
Information Group.
16.2 The IGG will consider each such event on an individual basis to identify the root
cause and to take appropriate steps.
17. References
Data Protection Act 1998
Ministry of Justice Website
8
Appendix 1
Rules to Follow Chart
Transfers of patient identifiable Not permitted at all except: With the exception of Access
information to Non Approved • with the patients informed to Records requests,
Countries listed consent or permission must be sought
• one of the exclusions set out in from the Trust SIRO for each
paras 6 – 9 apply planned transfers in this
category, however in the event
that the information is
anonymised, this authorisation
will not be required.