Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what assessment he has made of the potential impact of the US CLOUD Act on the security of NHS patient data held or processed by US-based companies; and whether his Department has sought independent legal advice on whether contractual protections can override valid requests from US federal authorities.

NHS England takes seriously its responsibility to handle health and care data lawfully, proportionately, ethically, and in confidence.

There is no overseas processing of any type of data under contracts, and access to data and systems outside of the United Kingdom is not permitted. Data is held in UK data centres and doesn’t leave the UK, with data access subject to UK law, regulations, and best practice.

These measures collectively ensure that National Health Service data remains under UK jurisdiction and all processing of patient information will be within the UK only.