The government is reportedly reviewing whether sensitive information about NHS patients could be sent overseas for processing.

A leaked internal NHS Connecting for Health (CfH) document, published by Computer Weekly magazine, reveals a review is under way into whether patient data could be processed by “approved organisations” abroad.

The DH said in a statement on overseas processing of data: “There are no considerations relating to the National Programme for IT for patient data to be processed abroad”.

According to the magazine, the NHS CfH document reads: “Organisations should be aware of a current review into the possibility of NHS patient data being processed overseas by approved organisations. The review is considering the requirements for and implications of such possible arrangements.”

The Press Association reported the Information Commissioner’s Office (ICO) saying it would be contacting NHS Connecting for Health to check that its position had not changed.

Health professionals have previously expressed concerns that processing data overseas might create a risk to confidentiality – particularly if records are sent to countries with a different culture of data protection.

As EHI reported last year, Richard Granger, chief executive of CfH, backed these concerns at the India Leadership Forum in March 2006.

At the time, he was quoted as saying: “One of the constraints, I think, of the large Indian players is that regulatory frameworks don’t exist for the processing of personal data. Organisations which process data here offshore are doing so without involving the customers. In the UK for example, the maximum penalty for data abuse is £5,000, which is completely inadequate. And very little legal framework exists between countries for the same.

“The extent to which you can move data around will constrain the outsourcing/offshoring. At the NHS we have not crossed the line in terms of data being processed offshore; data will not go outside the European Union until there is a regulatory framework in place. The absence of an established methodology across the industry will affect not just the Indian companies but any extra territorial delivery.”

A petition on the 10 Downing Street website against sending NHS work to India came to an end in July, and received 7,790 signatures. Another petition is currently open to save medical secretaries.

Petition creator, Liz Hughes, wrote: “This is totally unacceptable and because of the language barrier will cause major problems especially when it affects life and death situations. Please please support this and put a stop to it – before it costs someone’s life!”

In its response, the government said: “There is a range of information governance issues to be considered by NHS organisations intending to outsource services including potential differences in legal systems, patient confidentiality, information security management, records management and risk management.

“The Department of Health is working to develop guidance to assist NHS organisations, which will also determine whether proposed outsourcing arrangements are acceptable and identify the level of contract management and information assurance controls necessary.”

British organisations that send personal data abroad for processing remain legally responsible under the UK Data Protection Act for ensuring it is secure. 

Deputy information commissioner David Smith said: “The importance of protecting people’s financial records has hit the headlines but health records often contain even more sensitive personal information.

“Security is imperative and, as we have seen, any system is only as secure as its weakest link. Processing people’s personal information abroad is lawful, but the buck stops here.”

Joe Fernandez