Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, whether she has had recent discussions with the Information Commissioner’s Office on the adequacy of the guidance provided on their website for (a) identifying and (b) reporting breaches of data protection law related to personal health data.

The UK’s data protection legislation requires all organisations to process personal data lawfully, fairly, transparently and securely. There are stricter conditions and safeguards in relation to processing of personal data relating to people’s health.

The Data Protection and Digital Information (no. 2) Bill does not remove or amend these foundational principles. Instead, it builds on the existing elements of the legislation to make it more ambitious and innovation-friendly, while still underpinned by secure and trustworthy data standards.

The ICO already has published guidance for organisations on the use of special category data, but it has recently been made aware of concerns linked to the inappropriate sharing of personal health data, including the HIV status of individuals. It is currently engaging with the organisations involved to understand these issues further. It has indicated that it will take the necessary steps to ensure that it supports and advises relevant organisations about sharing sensitive information, and that it is clear in its guidance about identifying and reporting breaches linked to health data.