NHS Digital and NHS England: Data Protection

(asked on 7th March 2023)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps his Department is taking to help ensure (a) NHS Digital and (b) NHS England are compliant with their data protection obligations; and if he will make a statement.


Answered by
Will Quince
This question was answered on 17th March 2023

NHS Digital functions legally transferred to NHS England on 1 February 2023. NHS England is consequently responsible for ensuring it meets its obligations to protect people’s data. Data protection law will continue to apply. This means there must always be a valid, lawful basis for the collection and processing of personal information including special category information within federated data platforms and any other NHS England IT system, as defined under data protection legislation. Data protection impact assessments must be carried out and privacy notices published which explain what data is collected, analysed and shared and for what purposes.

NHS England must have regard to statutory guidance issued by the Secretary of State for Health and Social Care under the power in section 274A of the Health and Social Care Act 2012, which sets out measures that the Secretary of State expects NHS England to take to protect confidential information. The draft guidance has been published on GOV.UK, and the finalised guidance will be published shortly, and kept under review.

NHS England is legally required to report annually to Parliament on how well it has discharged its data functions. NHS England also makes an annual Data Security and Protection submission which demonstrates how they meet data protection obligations.
