No-deal Brexit could cause delay in data sharing with EU, NHS is warned


2019-02-28 21:34:00 digitalhealth


There may be delays in sharing personal data between healthcare organisations if Britain leaves the EU without a deal next month, it has been revealed.

NHS England and NHS Improvement have issued guidance on sharing personal data in the event of a no-deal Brexit, urging providers to identify any databases or data flows stored in the EU that are critical to patient care.

In a letter sent out to healthcare organisations on February 21, Dawn Monaghan, head of data sharing and privacy at NHSE, warned it was “imperative” providers contact NHSE or NHSI if they identify any of this data.

The letter cautioned there are “potential issues relating to the use of data” following a no-deal exit from the EU, which may include continued use of personal data and data flows from small suppliers.

The UK is due to leave the European Union on 29 March but no withdrawal agreement has yet been made. If we leave with no deal, then the UK will become a “non-adequate third country” – that is, a country with which the EU has no agreements on standards, the letter states.

The letter doesn’t specify what data supplies may be affected, but it could be related to large-scale clinical studies; medicine supply; and data analysis, according to Neil Bhatia, an information governance lead and data protection officer in Hampshire.

“At the moment we all work under the same rules with Europe in terms of the way data flows, and because we’re part of the European Union we all have a standard of data quality that we work to,” he told Digital Health.

“But if we were to leave Europe in a no-deal scenario we would then come out of that set of rules. We would be able to transfer data to the European Union because we know their level of security and care when it comes to personal data is of that standard, but the other way round we instantly become a third country.”

In that scenario, European organisations would be legally required under EU Data Protection Law to implement “appropriate safeguards” to continue to work with the UK, likely under the EU standard contractual clauses agreement.

“There will be some sort of transition period, but effectively we have to get an adequacy rating which means we’ve got to negotiate with Europe to show our data protection rules and ask ‘are they good enough that we can say we are both trusted partners when it comes to data’,” Dr Bhatia added.

NHSE and NHSI have established local, regional and national teams to provide “rapid support” to organisations should issues around data sharing and processing arise.

The European Data Protection Board is currently looking at whether data flows from an EU organisation to a non-adequate third country constitute a restricted international transfer, which can only be made if the receiver has signed up to a code of conduct which includes safeguards to protect the rights of individuals, but it’s unlikely the board will have reached a decision by March 29.

Until a decision is made the NHS views the data flows as remaining unrestricted and able to continue uninterrupted, according to the letter.

But patients and data suppliers should be assured that the UK’s stance on data protection will not change, Dr Bhatia said.

“It’s not as if we become a rogue nation on March 29, we’ve always had very strong data protection laws with our acts and we’ve signed up to the GDPR which has become seamlessly incorporated into UK law anyway, so I don’t think it will be very long before we’ve got an adequacy decision.”

Earlier this month NHS Digital said it will offer support to trusts should Britain leave the EU without an agreement, recommending that trusts assess “whether systems upgrades planned around the Brexit period may need to be rescheduled” and to test “levels of resilience to combat against cyber threat”.