The government has reached an agreement on the UK’s future relationship with the EU. The UK-EU Trade and Cooperation Agreement includes a provision that allows for the continued free flow of personal data to the UK from the EU, the European Economic Area and the European Free Trade Association states (EEA and EFTA) until adequacy decisions are adopted, and for no longer than six months. This interim solution staves off a cliff-edge scenario that could have severely impacted the NHS and the health research community. However, as welcome as this news is, it is only a temporary solution.
If a data adequacy agreement is not secured within six months, costly and burdensome alternative transfer mechanisms will need to be put in place for personal data to continue to flow. Future data-sharing rules will determine how aspects of cross-border health and social care are delivered and accessed. They will also govern how health data is shared for medical care and research purposes.
This briefing reviews the most recent government guidance and provides a checklist outlining the actions that NHS data protection officers can take to protect access to EU data for patient care and research. This includes continuing to establish alternative mechanisms for data transfers and reviewing data protection, storage, and audit processes to mitigate against any disruption to personal data flows in the future.
- Future data-sharing rules will determine how aspects of cross-border health and social care are delivered and accessed. They will also govern how health data is shared for medical care and research purposes.
- The UK has also deemed the EU and EEA EFTA states to be adequate to allow for data flows from the UK on a transitional basis. Furthermore, 11 of the 12 third countries deemed adequate by the EU have informed the UK that they will maintain unrestricted personal data flows with the UK.
- Together these agreements mean that sharing health data between the UK and the EU and EEA EFTA states can continue unchanged until adequacy decisions are adopted, and for no longer than six months.
- If a data adequacy agreement is not secured within six months, costly and burdensome alternative transfer mechanisms will need to be put in place for personal data to continue to flow.
- The Government and Information Commissioner’s Office advice remains to maintain, or to continue to put in place, alternative transfer mechanisms to mitigate against any disruption to personal data flows in the future.
A data adequacy decision from the European Commission for the UK and Gibraltar is expected by June 2021 at the latest.
The UK-EU Trade and Cooperation Agreement came into force on 1 January 2021, at which point the UK became a third country. In the agreement, the UK and EU both commit to uphold high standards of data protection (part six, title II, 176). However, the agreement does not deal with the question of whether the European Commission deems the UK data protection regime to be ‘adequate.’ The UK data adequacy decision is a separate process to the trade deal and has been under consideration by the Commission throughout 2020. A decision was not reached by the end of the transition period on 31 December 2020.
In normal circumstances, the absence of an adequacy decision would require alternative transfer mechanisms to be in place in order to share personal data from the EU and EEA EFTA states to the UK. However, the UK-EU Trade and Cooperation Agreement includes an interim solution to allow EU and EEA EFTA states to continue to transfer personal data. This temporary agreement avoids the NHS, its suppliers, providers, and researchers having to rely on additional transfer mechanisms such as standard contractual clauses.
The agreement provides that from 1 January 2021, for an interim period of four months (extendable to six months), a ‘transmission’ of personal data from the EEA to the UK shall not be considered as a transfer to a third country under EU law. The UK has also deemed the EU and EEA EFTA states to be adequate to allow for data flows leaving the UK on a transitional basis. Furthermore, 11 of the 12 third countries deemed adequate by the EU have informed the UK that they will maintain unrestricted personal data flows with the UK. Together, these agreements mean that sharing health data between the UK and the EU and EEA EFTA states can continue unchanged until adequacy decisions are adopted, and for no longer than six months.
For the interim period, the UK has agreed that it will not change its data protection laws from the form they take as of 31 December 2020. This means the UK cannot develop an independent data transfer regime or establish new international data flow deals without European Commission approval during the interim period. If the UK breaches any of these pre-conditions, the interim period will automatically come to an end.
Notwithstanding future challenges, the interim agreement is a welcome stopgap for an overworked NHS facing a second strain of COVID-19 and winter pressures. The interim period is intended to allow time for the EU and UK to reach a data adequacy decision.
What happens next
We await a data adequacy decision from the European Commission for the UK and Gibraltar. It is not guaranteed that the EU will deem the UK data adequate within the six months of the interim agreement, but the likelihood has increased now that a trade deal has been reached.
However, the UK should expect future legal challenges. Some privacy experts are questioning whether the six-month moratorium on the UK’s third-country status is legal under EU law, though constitutional law experts say the temporary arrangement is most likely compatible with EU law. A legal challenge to test the assumption is possible, though any case would be quickly overtaken by events if the UK and EU reach an adequacy agreement before the courts get involved.
If the EU does grant the UK a data adequacy agreement, privacy activists are likely to bring a legal challenge against the decision. They have long argued that the UK’s approach to surveillance and security, which legalises significant intervention for national security reasons, is incompatible with fundamental privacy rights under European law. Activists will also be encouraged by the July 2020 ruling of the Court of Justice of the European Union against the EU’s adequacy decision for the United States, as well as the court's ruling against the UK's Investigatory Powers Act in October 2020.
Data adequacy is therefore not a foregone conclusion. Notwithstanding the need to secure an agreement and then defend likely legal challenges, data adequacy decisions are granted for a period of four years, at which time a renewal decision will be required.
Therefore, given that data adequacy will continue to be plagued by uncertainty, it remains important for NHS organisations to maintain preparedness to mitigate against any disruptions to personal data flows in the future.
How to prepare
Firstly, organisations and staff should continue to handle personal data as they currently do, until adequacy decisions are adopted, and for no longer than the six-month interim period.
For future planning and risk management, the government and Information Commissioner’s Office advice remains to maintain, or to continue to put in place, alternative transfer mechanisms to mitigate against any disruption to personal data flows in the future. The following checklist covers the top four critical actions for NHS organisations to take based on the latest government guidance:
- Data transfers – Identify your personal data flows from the EU/EEA. Work with your EU-based counterparts to put in place alternative transfer mechanisms to allow these data flows to continue in a ‘no adequacy’ scenario.
- Data storage – Identify where your data is stored by EEA-based processors. For example, cloud storage providers in the EU. Engage with them to gain written assurances that data will continue to flow back to the UK in a no adequacy scenario.
- Data audit – Conduct an audit of all your personal datasets, ensuring information is up to date and relevant metadata is held, including geographical origin of the data and the legal basis for transfer. This should help you to comply with the data provisions set out in the Withdrawal Agreement, where EU GDPR may continue to apply to some of your datasets.
- Data protection – Ensure you are compliant with UK GDPR. Although the UK has not been regulated domestically by the EU GDPR since 31 December 2020, the same regulation is retained in domestic law. The UK GDPR will sit alongside an amended version of the Data Protection Act 2018.
As there is no formal adequacy decision in place, Article 71(1) of the Withdrawal Agreement applies from 1 January 2021. This requires NHS organisations to continue to comply with the EU (not UK) GDPR, in its form as of 31 December 2020, in relation to the personal data of non-UK data subjects. This ‘legacy data’ includes data transferred to the UK prior to the end of the transition period, or subsequently on the basis of the Withdrawal Agreement. In the short term it is unlikely to make much practical difference to the requirements for NHS data controllers and processors, as the UK is required not to change its laws as a precondition of the interim period for transfers.
However, differences in UK and frozen EU data law are likely to come about over time. This may mean that NHS organisations need to be able to distinguish between different categories of data so that they can treat different sets or items of data under different rules: some under UK domestic law, and some under frozen EU data law. NHS organisations may need to introduce new systems or compliance models to remain compliant once any substantive differences emerge between these regimes. This is subject to change and further guidance is available on the government website.
Where you can find out more
Given the uncertainty around the UK data adequacy decision, data preparedness planning has to remain iterative. The NHS Confederation will continue to liaise and work with the government to achieve a data adequacy decision in the interests of the NHS. We will continue to monitor developments and analyse implications for health and care, including guidance from NHS England and NHS Improvement. Subscribe to our regular Brexit Bulletin to stay up to date.
On 28 October 2020, the government sent the latest version of its data preparedness guidance followed by FAQs on 23 December 2020. If you are a data protection officer and have not received a copy of this guidance, please contact firstname.lastname@example.org
On 30 December, Health Minister Edward Argar MP wrote to the health and social care sector about the UK–EU Trade and Co-operation Agreement and the government's preparations for 1 January 2021. Keith Willett, National Director for Emergency Planning and Incident Response, has also issued a letter on the outcome of the UK negotiations with the EU and key messages for NHS organisations.
The Information Commissioner’s Office has also published a suite of guidance on data protection and the end of the transition period.