There may be delays in sharing personal data between healthcare organisations if Britain leaves the EU without a deal next month, it has been revealed.

NHS England and NHS Improvement have issued guidance on sharing personal data in the event of a no-deal Brexit, urging providers to identify any databases or data flows stored in the EU that are critical to patient care.

In a letter sent out to healthcare organisations on February 21, Dawn Monaghan, head of data sharing and privacy at NHSE, warned it was “imperative” providers contact NHSE or NHSI if they identify any of this data.

The letter cautioned there are “potential issues relating to the use of data” following a no-deal exit from the EU, which may include continued use of personal data and data flows from small suppliers.

The UK is due to leave the European Union on 29 March but no withdrawal agreement has yet been made. If we leave with no deal, then the UK will become a “non-adequate third country” – that is, a country with which the EU has no agreements on standards, the letter states.

The letter doesn’t specify what data supplies may be affected, but it could be related to large-scale clinical studies; medicine supply; and data analysis, according to Neil Bhatia, an information governance lead and data protection officer in Hampshire.

“At the moment we all work under the same rules with Europe in terms of the way data flows, and because we’re part of the European Union we all have a standard of data quality that we work to,” he told Digital Health.

“But if we were to leave Europe in a no-deal scenario we would then come out of that set of rules. We would be able to transfer data to the European Union because we know their level of security and care when it comes to personal data is of that standard, but the other way round we instantly become a third country.”

In that scenario, European organisations would be legally required under EU Data Protection Law to implement “appropriate safeguards” to continue to work with the UK, likely under the EU standard contractual clauses agreement.

“There will be some sort of transition period, but effectively we have to get an adequacy rating which means we’ve got to negotiate with Europe to show our data protection rules and ask ‘are they good enough that we can say we are both trusted partners when it comes to data’,” Dr Bhatia added.

NHSE and NHSI have established local, regional and national teams to provide “rapid support” to organisations should issues around data sharing and processing arise.

The European Data Protection Board is currently looking at whether data flows from an EU organisation to a non-adequate third country constitute a restricted international transfer, which can only be made if the receiver has signed up to a code of conduct which includes safeguards to protect the rights of individuals. It’s unlikely the board will have reached a decision by March 29.

Until a decision is made, the NHS views the data flows as remaining unrestricted and able to continue uninterrupted, according to the letter.

But patients and data suppliers should be assured that the UK’s stance on data protection will not change, Dr Bhatia said.

“It’s not as if we become a rogue nation on March 29, we’ve always had very strong data protection laws with our acts and we’ve signed up to the GDPR which has become seamlessly incorporated into UK law anyway, so I don’t think it will be very long before we’ve got an adequacy decision.”

Earlier this month NHS Digital said it will offer support to trusts should Britain leave the EU without an agreement, recommending that trusts assess “whether systems upgrades planned around the Brexit period may need to be rescheduled” and to test “levels of resilience to combat against cyber threat”.


According to the letter, in the lead up to Brexit NHS organisations should:
  • Investigate their reliance on transfers of personal data from the EU to the UK, especially those that are critical to patient care or would have a serious impact on the system if disrupted
  • Be aware of restrictions on personal data that may have a knock-on effect, as many organisations tend not to separate personal and non-personal data
  • Follow advice from the Department for Digital, Culture, Media and Sport and the Information Commissioner’s Office on data protection in the case of a no-deal Brexit
  • Ensure data and digital assets are protected by completing the annual Data Security and Protection Toolkit assessment

The Department of Health and Social Care issued this guidance in the EU Exit Operational Readiness Guidance in December.