As the date for Brexit draws closer, just one in 20 NHS trusts have published their Data Security and Protection Toolkit self-assessment, it has been revealed.

NHS England and NHS Digital asked healthcare leaders to ensure their mandatory self-assessments are completed to “quickly identify and address any vulnerabilities” before the UK is due to leave the EU on March 29.

But NHS Digital figures published earlier this month reveal just 13 of the 233 NHS trusts have published their toolkit self-assessment – that’s just 5%.

NHS England and NHS Digital are also yet to publish their assessment.

The self-assessments are mandatory to complete by the end of March.

It comes after a letter sent out to NHS organisations on February 21 in which Dawn Monaghan, head of data sharing and privacy at NHSE, warned it was “imperative” providers contact NHSE or NHSI if they identify any concerns associated with data sharing with EU countries.

The letter cautioned there are “potential issues relating to the use of data” following a no-deal exit from the EU, which may include continued use of personal data and data flows from small suppliers.

Though there are no intentions to begin restricting data flows between the EU and the UK, there may be delays if “appropriate safeguards” are not put in place in the event of a no-deal.

On Tuesday Prime Minister Theresa May’s withdrawal agreement was defeated by 149 votes, as the EU’s chief negotiator warned a risk of a “disorderly” Brexit has never been higher.

MPs narrowly voted 312 to 308 to reject a no-deal Brexit under any circumstances, then later voted 321 to 278 for a motion which stated the UK shouldn’t leave the EU on March 29 without a deal, but could leave with no deal at any other time.

Today MPs will be asked to vote on another motion on whether to ask the EU for an extension to Article 50.

The length of the extension depends on whether MPs back the prime minister’s existing withdrawal agreement by 20 March.

In the event of a no-deal the UK will become a “non-adequate third country” – that is, a country with which the EU has no agreement on data protection standards, the letter states.

NHSE and NHSI have established local, regional and national teams to provide “rapid support” to organisations should issues around data sharing and processing arise.

The European Data Protection Board is currently looking at whether data flows from an EU organisation to a non-adequate third country constitute a restricted international transfer, which can only be made if the receiver has signed up to a code of conduct which includes safeguards to protect the rights of individuals, but it’s unlikely the board will have reached a decision by March 29.

In February NHS Digital said it will offer support to trusts should Britain leave the EU without an agreement, recommending that trusts assess “whether systems upgrades planned around the Brexit period may need to be rescheduled” and to test “levels of resilience to combat against cyber threat”.

According to the letter, in the lead up to Brexit NHS organisations should:
  • Investigate their reliance on transfers of personal data from the EU to the UK, especially those critical to patient care or whose disruption would have a serious impact on the system
  • Be aware of restrictions on personal data that may have a knock-on effect, as many organisations tend not to separate personal and non-personal data
  • Follow advice from the Department for Digital, Culture, Media and Sport and the Information Commissioner’s Office on data protection in the case of a no-deal Brexit
  • Ensure data and digital assets are protected by completing the annual Data Security and Protection Toolkit assessment

The Department of Health and Social Care issued this guidance in the EU Exit Operational Readiness Guidance in December.