Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, if he will take steps to ensure that NHS patients who consent to have their data shared with UK medical institutions for research and development will not have their data shared overseas.

Research studies in which patients choose to share their data must adhere to strict legal and ethical standards, including compliance with the United Kingdom’s General Data Protection Regulation (UK GDPR) and the common law duty of confidentiality. As part of this, participants must be fully informed about how their data will be used, including with whom it might be shared, so they can make an informed decision about their participation.

The National Health Service and major UK research institutions are increasingly adopting secure data environments for data access, with researchers accessing data through secure online portals rather than it being directly shared with them. Each NHS and research organisation has its own processes when sharing data that ensure that they comply with legal requirements. Consent materials would explain the circumstances where data may be made available outside of the UK.

NHS England, for example, enters into formal data sharing agreements where it is sharing information with researchers, which specifies the geographical area within which data processing is permitted. Where data processing occurs outside the UK, additional conditions must be fulfilled to ensure researchers put in place adequate organisational and technical controls, and comply with their legal responsibilities in relation to overseas transfers that are required under UK GDPR.

NHS England undertakes routine audits of data sharing agreements to ensure that high standards are consistently maintained.