• Just 13 of 233 trusts have completed mandatory self-audit of compliance with data security standards
• NHS leaders told to address data flow “vulnerabilities” ahead of Brexit
• But NHS England, NHS Improvement and NHS Digital are also still to complete the audit

Regulators have told local NHS leaders to “quickly identify and address any vulnerabilities” in their data flows to other EU countries, as the majority of trusts appear not to have done so with less than a month to go before Brexit. 

In the event of a no-deal Brexit, the UK will become a “third country” under data sharing standards. There is a risk some flows of personal data from the EU could be restricted until a formal agreement is made.

This could include information such as radiology imaging or payroll and HR files, for which NHS organisations often use external companies for processing.

In light of this, NHS organisations have been required to complete and publish a self-audit of compliance with 10 data security standards by the end of March. A toolkit for doing this was first made available by NHS Digital in April 2018. 

According to an update published by NHS Digital on 4 March, just 13 of 233 NHS trusts had completed and published their assessment.

However, several national bodies, including NHS England, NHS Improvement and NHS Digital, have also yet to finish their own assessments.

Although there is no intention to begin restricting data flows from the UK to the EU or vice versa, a letter from NHS England and NHS Improvement has warned there is a “possibility that some smaller suppliers may not realise that these flows are unrestricted and would cease flows”.

It warned: “There are potential issues relating to the use of data following a ‘no-deal’ EU exit, which could include issues with the onward use of personal data where it is not disaggregated and with data flows, particularly from small suppliers.

“These issues are not insurmountable and can be addressed with appropriate prior action.”

Although organisations have until the end of the month to complete the assessment, the letter added that “completing it early will enable health and adult social care providers to more quickly identify and address any vulnerabilities”.

The European Data Protection Board is currently deliberating whether flows can continue unrestricted, which would remove the risk, but NHS Digital said it does not expect a final decision on this before 29 March.

The letter added: “Data controllers should identify what flows they have and speak to suppliers to assure the flow will continue. If no assurance is received, the data controller needs to assess the risk to patient care. If the flow is critical to patient care, as a last resort you should consider repatriation of the data.”