Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, if the Information Commissioner’s Office will publish guidance for (a) employers, (b) health and social care settings and (c) police forces on sharing data about a person's HIV status.

The UK’s data protection legislation requires all organisations to process personal data lawfully, fairly, transparently and securely. There are stricter conditions and safeguards in relation to processing of personal data relating to people’s health.

The Data Protection and Digital Information (no. 2) Bill does not remove or amend these foundational principles. Instead, it builds on the existing elements of the legislation to make it more ambitious and innovation-friendly, while still underpinned by secure and trustworthy data standards.

The ICO already has published guidance for organisations on the use of special category data, but it has recently been made aware of concerns linked to the inappropriate sharing of personal health data, including the HIV status of individuals. It is currently engaging with the organisations involved to understand these issues further. It has indicated that it will take the necessary steps to ensure that it supports and advises relevant organisations about sharing sensitive information, and that it is clear in its guidance about identifying and reporting breaches linked to health data.