Question to the Department of Health and Social Care:
To ask Her Majesty's Government what plans they have to consult key stakeholders and external experts on future Data Protection Impact Assessments for the management, storage and handling of NHS controlled data.
Under the General Data Protection Regulations 2016, data controllers are under a legal obligation to complete Data Protection Impact Assessments (DPIAs), particularly where it involves high-risk processing. All National Health Service organisations processing patient data as data controllers are therefore required to complete DPIAs and, where necessary, to consult with key stakeholders to ensure risks to privacy are identified and mitigated as far as possible.
A DPIA for the NHS COVID-19 Data Store has been completed and is published on the NHS England website. The data held in the Data Store has gone through a process of pseudonymisation. Identifiable data is not held or made available to users and nor are they permitted to remove the data from the controlled area.