Question to the Department of Health and Social Care:

To ask the Secretary of State for Health, what data protection measures are in place when sending patient data to a country that does not appear on the European Commission's list of countries recognised as providing adequate protection.

All National Health Service organisations are expected to comply with their existing obligations for data protection. Organisations that consider sending data overseas must follow existing information governance guidance that includes a comprehensive assessment of the risks and mitigations possible. Such risk considerations should be undertaken on a case by case basis by the NHS organisation concerned and may vary according to the data and overseas locations involved. Use of the standard contract clauses provided by the Information Commissioner should also be made, with appropriate data assurance checks implemented.