Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, in what circumstances NHS patient information is transferred outside of the NHS; what the protocols are for the transfer of such (a) aggregate anonymised and (b) personal information; what steps are taken to supervise such transfers of information (i) in general, (ii) to a private sector company and (iii) to an entity outside of UK legal jurisdiction.

Confidential patient information is not transferred outside of the National Health Service unless there are strong legitimate and appropriate reasons to do so. Aggregated data may be made publicly available by organisations through their publication schemes as required under the Freedom of Information Act 2000.

Any data transfer to the public or private sector, inside or outside the United Kingdom, aggregated or personal information, is subject to strict process and procedure and the legal obligations set out in privacy legislation including the Data Protection Act 2018 and the obligations set out by the National Data Guardian and the Common Law Duty of Confidentiality. In addition, from 1 January 2021, the UK General Data Protection Regulation (GDPR) applies in the UK in place of the GDPR.

Any use of NHS data that is not already in the public domain must have an explicit aim to improve the health and wellbeing of citizens or to improve how the NHS operates. This would include, for instance, research by universities, clinical audits and clinical trials by pharmaceutical companies.