Question to the Department of Health and Social Care:
To ask His Majesty's Government, following the database hack by Qilin in June, what assessment they have made of the use of single databases for storage of information in the NHS; and what risks they have identified.
The data leaked following the cyber-attack on Synnovis is still being investigated by Synnovis. This involves interrogation to identify the personal data that has been affected. The complexity of the investigation means it will take time for Synnovis to clarify and identify which individuals and organisations have been impacted and the nature of the data.
We understand that the data leaked in the Synnovis cyber-attack was not taken from a single database but was a partial copy of content from Synnovis’s administrative working drives.
When any databases which contain personal data are established by an organisation, the organisation has its own legal responsibilities as a controller of the data to ensure data protection by design and default in the design and development of a database, and to carry out a data protection impact assessment (DPIA) under the UK General Data Protection Regulation. A DPIA includes an assessment of any risks to individuals, and how these risks are mitigated.