Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what assessment he has made of the effectiveness of NHS England in upholding (a) article 5 and (b) article 6 of the UK's General Data Protection Regulation.

The Department requires all health and care organisations, including NHS England, to annually assess themselves against the standards set out in the Data Security and Protection Toolkit (DSPT). The DSPT measures health and care organisations’ data protection and security capability and preparedness. The requirement to comply with Articles 5 and 6 of the UK General Data Protection Regulation (GDPR) are embedded in the standards required by the DSPT.

NHS England has consistently met the requirements of the DSPT, including its most recent assessment in June 2024.

In addition, NHS England provides a safe haven for National Health Service data in accordance with the Department’s statutory guidance, NHS England’s protection of patient data. The guidance ensures that NHS England acts as a safe and effective guardian of information collected from the NHS and adult social care services.

As part of its compliance with Article 5 of the UK GDPR, NHS England ensures transparency in its use of personal data by publishing data protection impact assessments and a monthly data uses register that details all external data sharing agreements.