Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what recourse is available for patients whose data may not have been processed or controlled in a safe and secure fashion because the data was held by companies who were not compliant with the Digital Technology Assessment Criteria after April 2022.

The Digital Technology Assessment Criteria requires National Health Service organisations to ensure that information governance arrangements are appropriate for technologies that are deployed within the NHS.

The organisations deploying and providing the technology are required to determine the data controller and processor arrangements, communicate this through a Privacy Notice, put in place a Data Processing Agreement and ensure the adequacy of security measures.

If patients are concerned that their data has not been handled in accordance with legislation and/or NHS standards then they are able to raise a complaint with their NHS service provider and subsequently the Parliamentary and Health Service Ombudsman. Patients are also able to make a complaint to the Information Commissioner’s Office, as the regulator for data protection and information rights law. Any recourse would be situation-dependent.