The digital technology industry is increasingly global, so customers in UK healthcare are likely to follow those in other sectors in looking for solutions and suppliers based outside the UK.
There is, however, caution among NHS customers about sharing personal data, and patient information in particular, with entities based overseas. So, is it possible to ensure legal compliance while still getting the maximum benefit from the best available IT solutions?
The Data Protection Act 1998
The collection and use of personal data is governed by the Data Protection Act 1998, which implements the EU Data Protection Directive (95/46/EC) into UK law.
Under the Act, a ‘data controller’ is the party who determines the purposes for which, and the manner in which, personal data is processed (in other words, the party with the discretion to decide how and why personal data is used). A ‘data processor’ is any party, other than an employee of the controller, who processes personal data on the controller’s behalf and on its instructions.
In an NHS IT context, if the data is used only for the purpose of delivering services to an NHS customer, the NHS customer will most often be the data controller and the supplier a data processor.
It is the data controller who is responsible for meeting all obligations imposed by the Act and who remains accountable to the Information Commissioner’s Office and, indeed, to data subjects.
It follows that in many instances the NHS customer carries all of the statutory obligations under the Act, while the IT supplier carries none of them directly.
In practice, however, customers should insist on a compliant transfer mechanism and should flow their own obligations under the Act down to suppliers by contract (often with uncapped liability for breach). Principle 7 in any event requires the controller to have a written contract under which the processor acts only on the controller’s instructions and maintains security measures equivalent to those the controller must itself take.
The Act itself contains eight principles of good information handling and it is principle 8 which specifically addresses international transfers of personal data.
Demystifying principle 8
The Act does not of itself prevent personal data being processed or transferred outside the UK; transfers within the EEA are not restricted at all. Principle 8 requires that personal data "shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".
Countries outside the EEA include many of the most popular locations for hosting or delivering IT services, in particular the US, India and the fast-growing economies of Asia.
The key phrase is "adequate level of protection". Fortunately, the Information Commissioner’s Office and the European Commission have issued guidance on the recognised methods of ensuring compliance, and Schedule 4 to the Act lists the cases in which principle 8 does not apply, including transfers made with the data subject’s consent and transfers made on approved contractual terms.
Model contract clauses
Model contract clauses are a standard set of clauses approved by the EC as providing adequate safeguards for personal data processed outside the EEA. They are a permitted derogation from principle 8, but only if the approved wording is used unamended; additional commercial terms may sit alongside the clauses, but the clauses themselves must not be altered or the transfer loses their protection.
The set of model clauses to use differs according to whether the transfer is controller to controller or controller to processor.
In the controller-to-processor form, the model clauses impose obligations on both the party exporting the personal data (usually the data controller) and the party importing it (likely to be the overseas entity, for instance a sub-contractor in India).
They entitle a data subject, as a third-party beneficiary, to enforce rights under the clauses directly against the data exporter and, in certain circumstances, against the importer. Use of the model clauses is particularly attractive because the controller-to-processor set also contains the instructions-only and security obligations that principle 7 (security measures) requires of a processor contract, so one document goes a long way towards addressing both principles.
The US – EU Safe Harbor scheme
The US – EU Safe Harbor Framework was a scheme built on a set of principles similar to the eight data protection principles.
Eligible US organisations can self-certify that they provide adequate protection for personal data transferred to them in the US from the EEA.
However, since former NSA contractor Edward Snowden leaked classified information revealing that the US National Security Agency operates numerous global surveillance programmes, there has been growing concern that the scheme was being used as a loophole for transferring personal data to the US.
Earlier this month, in Schrems (Case C-362/14, 6 October 2015), the Court of Justice of the European Union declared the Commission’s Safe Harbor adequacy decision invalid, and a great many organisations are now wondering how best to get data from the EU to the US.
The first point is that the decision is only of direct concern if you are one of the 4,400 or so US companies that had certified to the Safe Harbor scheme, or an EEA organisation whose transfers to the US relied on a recipient’s certification.
The second is that, in the short term, data controllers will need to pick another transfer mechanism, and for many the most immediate option is likely to be the model contract clauses.
Thirdly, the ICO and EC have both issued statements on the ruling. The ICO acknowledged that it will take data controllers “some time” to review how data is transferred to the US in line with the law, and that it will be considering the judgment in detail.
The Article 29 Working Party (the body of EU data protection authorities, not the Commission itself) has confirmed that transfers continuing to rely on Safe Harbor are unlawful, while the judgment’s impact on other compliance mechanisms, including the model clauses and binding corporate rules, still requires further analysis.
In effect, data controllers have been granted a grace period (until the end of January 2016) before they face enforcement action for failing to implement the model clauses – or other methods.
Other routes to adequacy
Carrying out a DIY adequacy assessment or drafting bespoke contract clauses both leave the data controller carrying the risk of being wrong about whether adequate protection is in place.
A DIY assessment also entails potentially significant expense and delay. Given that the EC has already approved the model clauses as providing adequate protection, an independent assessment should hold little appeal for parties under pressure to complete a deal, or for NHS customers reluctant to take on additional risk.
Binding corporate rules are internally binding agreements used by large international groups to cover transfers within the group, but they must be approved by the relevant data protection authorities (in the UK, the ICO, acting as lead authority under the EU mutual recognition procedure) before they can be relied upon.
The EC has also made findings of adequacy in relation to certain countries such as Canada, Israel, Jersey, New Zealand and Switzerland.
However, this list is short and the countries included tend not to feature heavily on the list of most popular overseas IT outsourcing destinations. In reality therefore, it comes as little surprise that these options are rarely adopted.
Are there any simpler solutions?
In the wider context, it is often worth stepping back and asking whether the data being transferred actually needs to contain information that identifies patients at all.
If the data can be genuinely anonymised, so that no individual can be identified from it, alone or in combination with other information the recipient holds or is likely to obtain, it ceases to be personal data and the Act does not apply. Pseudonymisation (replacing identifiers such as the NHS number with a code or token) does not by itself achieve this: the data remains personal data in the hands of anyone who holds, or can realistically obtain, the means to reverse the coding, so the controller that keeps the key is still bound by the Act, and the exporter must satisfy itself that the overseas recipient cannot re-identify patients from what it receives.
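The distinction matters in practice because the most common shortcut, hashing the identifier, is not anonymisation. The following is an added example, not code from the article or its authors: it pseudonymises constructed patient records by replacing the NHS number with an HMAC-SHA256 token under a key the controller keeps, shows that the key holder can re-identify them, and then shows that an unkeyed SHA-256 of an NHS number can be reversed by anyone simply by enumerating the identifier space (NHS numbers are ten digits with a Modulus 11 check digit, so roughly 10^9 candidates exist). The NHS numbers, diagnoses and key are all constructed for the demonstration; the 999 prefix is one reserved for test data.

```python
"""Pseudonymisation is not anonymisation (added example, not from the article).

A keyed pseudonym (HMAC) is reversible by whoever holds the key or the lookup
table; an unkeyed hash of a low-entropy identifier is reversible by anyone who
can enumerate the identifier space. All NHS numbers below are constructed for
the demo (999 prefix = test data) and belong to no real patient.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def nhs_check_digit_ok(nhs_number: str) -> bool:
    """Validate a 10-digit NHS number using its Modulus 11 check digit.

    Weights 10..2 are applied to the first nine digits; the check digit is
    11 minus the remainder, with 11 mapped to 0 and 10 meaning that no valid
    number exists for this nine-digit prefix.
    """
    if len(nhs_number) != 10 or not nhs_number.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(nhs_number[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(nhs_number[9])


def unkeyed_pseudonym(nhs_number: str) -> str:
    """Naive 'anonymisation': plain SHA-256 of the identifier, no secret."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def keyed_pseudonym(nhs_number: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: the same patient always maps to the same token
    (so episodes stay linkable), but only the key holder can recompute it."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def reverse_unkeyed(target: str, prefix: str) -> Optional[str]:
    """Attacker with no key: enumerate every check-digit-valid NHS number
    under a known prefix and hash each until the target matches.

    With a 6-digit prefix this is 10^4 candidates; the full 10^9 space is
    well within reach of a single GPU, which is why an unkeyed hash of a
    structured identifier is not anonymisation.
    """
    width = 10 - len(prefix)
    for n in range(10 ** width):
        candidate = prefix + str(n).zfill(width)
        if nhs_check_digit_ok(candidate) and unkeyed_pseudonym(candidate) == target:
            return candidate
    return None


def pseudonymise_records(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Swap each record's NHS number for its keyed pseudonym.

    Returns the pseudonymised records (what would be sent overseas) and the
    re-identification table the controller keeps at home. Because that table
    (or the key) exists, the controller still holds personal data and remains
    bound by the Act; whether the *recipient* holds personal data depends on
    what it can realistically re-identify from the remaining fields.
    """
    table: Dict[str, str] = {}
    out: List[Dict[str, str]] = []
    for rec in records:
        token = keyed_pseudonym(rec["nhs_number"], key)
        table[token] = rec["nhs_number"]
        out.append({**rec, "nhs_number": token})
    return out, table


def reidentify(token: str, table: Dict[str, str]) -> Optional[str]:
    """Key-holder side: look the pseudonym back up."""
    return table.get(token)


if __name__ == "__main__":
    # Constructed demo data; in production the key would live in an HSM/KMS
    # and never travel with the data.
    key = b"controller-held secret, never sent with the data"
    patients = [
        {"nhs_number": "9990001235", "diagnosis": "J45 asthma"},
        {"nhs_number": "9990004560", "diagnosis": "E11 type 2 diabetes"},
    ]
    exported, lookup = pseudonymise_records(patients, key)
    print("sent overseas:", exported)
    print("re-identified at home:", reidentify(exported[0]["nhs_number"], lookup))
    # The unkeyed variant falls to enumeration of the identifier space.
    leaked = unkeyed_pseudonym("9990001235")
    print("unkeyed hash reversed to:", reverse_unkeyed(leaked, "999000"))
```

Two points follow for the NHS customer. First, the keyed token is only as safe as the key and the lookup table, so the transfer compliance question has not gone away; it has moved to where the key is held and who can call `reidentify`. Second, if the supplier (or a subsequent leak) only ever sees unkeyed hashes, the data is still personal data, because anyone can run `reverse_unkeyed` over the full identifier space.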
Another method is to obtain patient consent to the transfer (note this does not mean that the whole Act ceases to apply – only principle 8!).
While this sounds like a simple solution, in reality it is problematic, not least because consent must be freely given, specific and informed. Also, the patient should have the opportunity to withhold consent without adverse consequences and be free to subsequently withdraw consent. Such consent is unlikely to be freely given in a care setting, for example.
What about patient confidentiality?
The procedures, law and rules governing patient confidentiality are derived from several sources, notably Department of Health and NHS England guidance, the Human Rights Act, the common law duty of confidence and the Act itself.
The DH guidance leaves very limited scope for disclosing patient data without the patient’s consent, with disclosure for the purpose of providing healthcare being the notable exception.
On the other hand, none of these sources explicitly prohibits international transfers of personal data. Whether disclosure of patient information to vendors of clinical information systems is actually permitted is a complex question, and one that, to our knowledge, has yet to be directly and definitively addressed by the courts.
In practice, the model clauses are often the preferred method of ensuring adequate protection is in place and our prediction is that their place as the most popular method of ensuring compliance will be reinforced by the European Court’s recent decision.
Until legislative reform is introduced, NHS organisations will continue to bear all statutory responsibility for protecting their patients’ data whilst simultaneously attempting to capitalise on the financial and other benefits offered by international suppliers’ solutions.
About the authors: Andrew Rankin is an associate and Chris Air is a solicitor at DAC Beachcroft LLP. Andrew and Chris specialise in advising public sector and private sector clients in all aspects of buying, supplying, delivering and using digital technology in healthcare.