Question to the Department of Health and Social Care:

To ask Her Majesty's Government what plans they have to carry out a Data Protection Impact Assessment on the rights and freedoms of the people whose health data is collected by the NHS; and whether any such data is protected against access by intelligence services.

Under the General Data Protection Regulations 2016, data controllers are under a legal obligation to complete Data Protection Impact Assessments (DPIAs) particularly where it involves high risk processing. All National Health Service organisations processing patient data as data controllers are therefore required to complete DPIAs and where necessary, to consult with key stakeholders to ensure risks to privacy are identified and mitigated as far as possible. It would be inappropriate for the Government to undertake a DPIA in relation to the health data held by those organisations. It is the responsibility of each of these organisations to protect the confidentiality of patients and to ensure that there is a legal basis for the disclosure of any personal information.