Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what steps his Department is taking to ensure that GP websites using third party contractors for online appointment booking forms uphold patient privacy and security in data sharing.
All organisations that have access to National Health Service patient data must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. The toolkit is available at the following link:
https://www.dsptoolkit.nhs.uk/
Third party organisations that use an IT system to make general practitioner appointments for patients must use a system which has been assured by NHS England, for example, through the usage of a Supplier Conformance Assessment List and clinical testing of the system before it is given permission to move to live usage. These checks help us to assure that patient data is managed within the General Data Protection Regulation and that systems meet NHS security standards.
There are strong protections in law to ensure that health and care information is used in a safe, secure and legal way. The privacy and confidentiality of people’s health and care data is championed by the National Data Guardian, who provides independent advice on the use of such data and holds the Caldicott Principles, which provide a framework for the safe and respectful use of data. In addition, every health and care organisation is required to appoint a Caldicott Guardian from within their organisation to advise on the protection of people’s health and care data and ensure it is used properly.