It is looking increasingly likely that the NHS will need to comply with new, European data protection laws, as the Brexit timetable becomes clearer.
Prime Minister Theresa May announced on 2 October that the government will incorporate all existing EU laws into UK law and then trigger Article 50 by April 2017.
Once Article 50 is triggered, the UK will have two years to exit the EU, during which time the General Data Protection Regulation will have to be applied, since it is due to come into effect on 25 May 2018.
Sarah Collen, senior policy manager for the NHS Confederation’s European Office, said it is hard to predict the politics, but she suggested that UK law would end up looking much like the GDPR.
“I think the regulation reflects some of the main concerns of the UK government”, she commented. “My personal opinion is that it will probably be rolled over into national law”.
The GDPR includes a greater focus on accountability and enhanced processes around consent. Infringements will carry a maximum charge of €20 million, or 4% of a company or organisation's yearly turnover.
It would also mean mandatory data privacy assessments at the start of any relevant activity, obligatory data protection officers in public authorities and changes to the legal basis upon which the public sector can use personal data.
Andrew Harvey, head of information governance at Western Sussex Hospitals NHS Foundation Trust, said May’s announcement might not affect the situation significantly, as “we’ll either need to enact what is already out there, or create something that is almost exactly the same anyway”.
“I think it’s going to make very little difference, because we’ve got to have that parity with the rest of Europe.”
However, Elizabeth Denham, in her first speech as the UK information commissioner, said on 29 September that “the referendum result has thrown our data protection plans into a state of flux”.
She continued that there would need to be a legal basis for data to flow between Europe and the UK, but acknowledged that it is for the government to decide the specific outlines of a post-Brexit data protection law.
Sam Smith, co-ordinator at privacy campaign group medConfidential, echoed this view when he stated: “I suspect in practice GDPR will continue because we want to sell services into Europe and they will go, ‘you have to have GDPR equivalency’”.
A spokeswoman from Open Rights Group, a digital campaign organisation, said such NHS data could be affected if a post-Article 50 UK government does not take forward the GDPR rules.
“If the UK repeals European laws and chooses not to enshrine the same protections in UK law, it could affect NHS data held by UK or non-EU companies. Depending on how the UK decides to legislate, this data may not be subject to the same protections as data held in EU countries.”
The current law governing NHS data is the UK Data Protection Act 1998, which states that “personal data shall not be transferred outside the European Economic Area unless there is adequate protection”.
Data flows from NHS Digital are sometimes allowed to be stored outside the UK, decided on a case-by-case basis.
For Collen, the “big question mark” is around medical research, as European law manages the regulatory environment, data protection and clinical trials. She added that we “don’t want to be disconnected from that and data protection is one of those key enablers for the digital connection with the rest of Europe”.
On a commercial front, May’s slight clarification on what Brexit actually means was welcome. Steve Bromham, director and consultant at cloud computing and cyber security company Save9, said May’s announcement was “quite comforting” as people will not have to set up new contracts to move their hosting provision or data services.
The Commons health select committee has announced that it will be holding an inquiry into what Brexit means for health and care.