Data adequacy and Brexit: practical implications for the NHS

At the end of the Brexit transition period on 31 December 2020, the UK will become a ‘third country’ for data protection purposes. This means that the European General Data Protection Regulation (GDPR) will restrict the transfer of personal data to the UK unless the data is protected in another way. For example, via a data adequacy agreement, which provides blanket agreement for data to flow from the European Economic Area (EAA) to a specified third country.

The UK is currently seeking a data adequacy decision from the European Commission so that the free flow of personal data between the EU and UK and Gibraltar can be maintained. However, if a data adequacy agreement is not secured by the end of the transition period, the NHS, its providers, suppliers, and UK patients will be directly impacted and NHS data protection officers will need to take mitigating action to avoid potential disruption.

This briefing reviews the most recent government guidance and provides a checklist that outlines the actions that NHS data protection officers can take to protect access to EU data for patient care and research. This includes establishing alternative mechanisms for data transfers and reviewing data protection, storage, and audit processes.

Key points

During the Brexit transition period, the UK will continue to be regulated domestically by the European General Data Protection Regulation (GDPR). This means no changes to current data protection practices have been necessary during 2020.

At the end of the transition period, the UK will become a third country for data protection purposes. The GDPR restricts transfers of personal data to third countries unless personal data is protected in another way, such as a data adequacy agreement.

The UK data adequacy decision, which is currently being assessed by the EU, will determine how aspects of cross-border health and social care are delivered, how patients access care, and will also govern how health data is shared for medical care and research purposes from 2021. Without an agreement, there could be changes to many aspects of our cooperation with the EU on health, including:

• access to data for reciprocal healthcare arrangements
• protection of public health security
• continuity for medical research and innovation
• cross-border information flows

With time running out to secure a national data adequacy agreement by the end of the transition period, the adjustment for the NHS and wider health sector will be significant and could affect the health and wellbeing of patients and citizens at a time when organisations are already working to manage a second wave of COVID-19 and winter pressures.

On 28 October 2020, DHSC circulated data preparedness guidance to NHS data protection officers to help them take mitigating action against potential disruption and prepare for any eventuality at the end of the transition period.

Background

The Brexit transition period will end on 31 December 2020, at which point the UK will become a third country. The European Commission has the power to determine whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguard being necessary. If data adequacy is secured by the end of the transition period, this will allow for the free flow of personal data from the EU/ EEA to the UK to continue uninterrupted.

However, in the event that the European Commission has not recognised the UK as adequate by the end of the transition period, the transfer of personal data from the EEA to the UK will be restricted from 1 January 2021. The NHS will need to put in place alternative transfer mechanisms for personal data to continue to flow legally and uninterrupted from the EU/EEA to the UK.

The UK has legislated so that personal data can flow freely, on a transitional basis, from the UK to the EEA, including to the EU and EEA institutions. This means that sharing health data from the UK to the EU will be possible post-exit. The restrictions would only apply for the transfer of data from the EU to the UK. Furthermore, 11 of the 12 third countries deemed adequate by the EU have informed the UK that they will maintain unrestricted personal data flows with the UK.

With time running out to secure a national data adequacy agreement, the adjustment for the NHS and health sector more widely will be significant and could affect the health and wellbeing of patients and citizens. This is at the same time as organisations and staff are working to manage a second wave of COVID-19 infections and winter pressures. It is therefore important for the NHS that mitigating actions are taken now to ensure that contingency plans are in place should a data adequacy agreement not be reached. The EU is aiming to deliver their decision on UK data adequacy before the end of the transition period.

Practical implications for the NHS

Data adequacy determines how aspects of cross-border health and social care are delivered, how patients access care, and governs how health data is shared for medical care and research purposes. Without a data adequacy agreement at the end of the transition period, there could be changes to many aspects of our cooperation with the EU on health:

• Access to reciprocal healthcare arrangements – With new requirements, there could be additional burdens for health providers required to establish alternative data sharing mechanisms and handle new, complex admin and funding processes.
• Protecting public health security – The UK may be unable to receive critical information and updates from the EU, such as early warnings about health threats via data-sharing platforms and alert systems, to which the UK may retain access as a third country.
• Continuity for medical research and innovation – The UK may be unable to receive EU data, which risks disrupting UK research and testing of new treatments so that patients can benefit as soon as these become available.
• Other cross-border information flows – Any transfer of personal data from the EU to the UK, whether for patient care, research or international collaboration, could be affected. Establishing and managing alternative data sharing mechanisms could be burdensome and delay delivery.

Ultimately, if the EU has not deemed the UK to be adequate by the end of the transition period, health and social care organisations will need to have alternative transfer mechanisms in place for personal data to continue to flow legally and uninterrupted from the EU/EEA to the UK. Without an alternative mechanism for sharing EU data for reciprocal healthcare arrangements, public health security and medical research and innovation with be severely restricted.

On 28 October 2020, the DHSC circulated data preparedness guidance for health and social care organisations to NHS data protection officers. This guidance sets out what NHS organisations need to do now to prepare for any eventuality at the end of the transition period. The guidance provides practical advice on when to use and how to establish alternative transfer mechanisms, including:

• standard contractual clauses
• administrative arrangements
• legally binding instruments
• custom contractual clauses
• derogations for specific situations.

It also provides advice on how to work with data processors based in the EEA, how to apply Withdrawal Agreement provisions and ensure data protection compliance in order to manage potential service disruption.

The supporting appendix is a template supplier letter and standard contractual clause addendum that can be used by health and social care providers to establish alternative data sharing mechanisms. Standard contractual clauses are the recommended alternative transfer mechanisms for the majority of NHS data sharing scenarios. However, standard contractual measures may need to be strengthened via supplementary measures as outlined in the European Data Protection Board’s guidance.

How to prepare

The following checklist covers the top four critical actions for NHS organisations to take before the end of the transition period, based on what is expected to change from 1 January 2021 and the latest government guidance.

• Data transfers – Identify your personal data flows from the EU/EEA. Work with your EU-based counterparts to put in place alternative transfer mechanisms to allow these data flows to continue in a ‘no adequacy’ scenario.
• Data storage – Identify where your data is stored by EEA-based processors. For example, cloud storage providers in the EU. Engage with them to gain written assurances that data will continue to flow back to the UK in a no adequacy scenario.
• Data audit – Conduct an audit of all your personal datasets, ensuring information is up to date and relevant metadata is held, including geographical origin of the data and the legal basis for transfer. This should help you to comply with the data provisions set out in the Withdrawal Agreement, where EU GDPR may continue to apply to some of your datasets.
• Data protection – Ensure you are compliant with UK GDPR. Although the UK will no longer be regulated domestically by the EU GDPR after the 31 December 2020, the same regulation will be retained in domestic law at the end of the transition period. The UK GDPR will sit alongside an amended version of the Data Protection Act 2018.

On 10 November 2020, the European Data Protection Board published new guidance on standard contractual clauses outlining supplementary measures to address deficiencies with the clauses identified in the SCHREMS II ruling. These supplementary measures, to be used in conjunction with standard contractual clause, provide a secure and internationally recognised alternative data transfer mechanism. We recommend that data protection officers review this guidance in detail in order to best prepare for a potential non-adequacy scenario. The guidance outlines the steps to follow to establish standard contractual clauses, potential sources of information, and some examples of supplementary measures that could be put in place.

Example scenario

As an NHS trust and data controller, you have undertaken the top four critical actions. During the review of your data flows you identify that you have personal datasets, specifically patient medical records, which are stored and processed in the Netherlands, an EEA country.

The EEA-based processor uses a cloud IT service that stores and processes your data, including personal data, outside the UK. At the end of the transition period, this will become a restricted transfer under the UK GDPR.

What you need to do as an NHS organisation:

• Assess the risks to the continuation of critical service delivery should the flow of this personal data be disrupted. This will inform decisions about what, if any, mitigating actions should be taken in the event that the risk of disruption is considered too high. For example, a scenario where you are unable to download UK patient records from your cloud service, which is stored in EEA data storage, would be high risk and high impact.
• Engage with your EEA data storage suppliers as early as possible and ask for written assurances that they will continue to flow data back to the UK following the end of the transition period. If you have identified risk of disruption to your data flow as high, the government recommends that you establish alternative data sharing mechanisms. Standard contractual clauses with supplementary measures as required are the recommended alternative data sharing mechanism for most NHS data flows.

If your supplier refuses to sign the standard contractual clause it is important to remind them that their data protection regulators will expect them to enter into the standard contractual clauses before transferring any personal data to a non-adequate country. If they do not do this, they risk being in breach of the GDPR. The European Data Protection Board has issued guidance on this position, which you may find helpful when engaging with suppliers.

Without alternative transfer mechanisms in place, in a non-adequacy scenario you will not be able to access these personal datasets, despite it being NHS-owned data, because they are stored in the EEA.

Where you can find out more

Given the uncertainty around the UK data adequacy decision, data preparedness planning for the end of Brexit transition has to remain iterative. The NHS Confederation will continue to liaise and work with the government to achieve data adequacy decisions in the interests of the NHS and to provide further guidance on how the NHS should prepare for the loss of access to EU databases and the implementation of Northern Ireland Protocol. We will continue to monitor developments and analyse implications for health and care, including guidance from NHS England and NHS Improvement.

The government is expected to continue to update and publish guidance on what providers and commissioners of healthcare services can do to prepare for 1 January 2021. On 28 October 2020, the government sent the latest version of its data preparedness guidance, titled Guidance for Health and Social Care Organisations: End of Transition Period Data Preparedness. If you are a data protection officer and have not received a copy of this guidance, please contact rosie.richards@nhsconfed.org