Joint privacy notice for the implementation of reciprocal healthcare arrangements
Updated 30 November 2021
1. Summary of initiative and policy
This privacy notice describes how we collect and use personal information about you, in accordance with data protection law, including the UK General Data Protection Regulation 2016/679 (‘the UK GDPR’) and the Data Protection Act 2018.
The use and collection of data relates to agreements before and after the UK’s exit from the EU.
The UK has agreed reciprocal healthcare arrangements with the EU, Switzerland and the European Economic Area (EEA) European Free Trade Association (EFTA) states through the following agreements:
- the UK-EU Trade and Cooperation Agreement
- the UK-Switzerland Convention on Social Security Coordination
- the UK-EU Withdrawal Agreement
- the UK-Switzerland Citizens’ Rights Agreement
- the UK-EFTA Separation Agreement
- the UK-Gibraltar 1974 Arrangement
The rights and entitlements of UK-insured individuals depend on the agreement, but all agreements provide eligible UK-insured individuals with UK-funded necessary healthcare for temporary stays in the other country, UK-funded comprehensive healthcare for those exporting certain benefits, including state pensions, and for certain categories of cross-border workers, and for planned treatment in the other country if the eligibility criteria are met.
You are ‘UK-insured’ if your state healthcare is funded by the UK because you:
- pay or have paid National Insurance contributions, or
- are ‘ordinarily resident’ in the UK
UK-insured individuals include:
- S1 holders and their dependants
- UK-issued Global/European Health Insurance Card (GHIC/EHIC) holders
- people travelling for planned treatment using the S2 route
2. Data controller
The Department of Health and Social Care (DHSC) and the NHS Business Services Authority (NHSBSA) are joint controllers for data relating to claims for financial reimbursement for reciprocal healthcare treatment. This means that both organisations are responsible for any personal data that either organisation collects or uses, and we are committed to protecting the privacy and security of your personal information.
3. What personal data we collect
By law, we must process the following information to be able to provide this service:
- your address to enable us to confirm your residency and eligibility
- information to identify you, referred to as ‘personally identifiable information’
- evidence of your nationality or status as a refugee or stateless person, or your dependant status, to allow us to confirm your eligibility under certain agreements
If appropriate, we will ask you for:
- details about the treatment you received and of any charges paid (if you are a UK-insured person)
- details about the treatment you have provided (if you are an NHS treatment facility)
- information to identify your dependent(s)
- details of the international healthcare provider that you have been, or are being, treated by
- information about your medical condition or planned treatment
- information about your exportable benefit(s), including your state pension
4. How we use your data (purposes)
The processing of personal data by the DHSC is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6 (1) (e) of the UK General Data Protection Regulation (GDPR), namely to assess and respond to claims for financial assistance and healthcare costs.
The processing of personal data by the NHSBSA is necessary for compliance with a legal obligation pursuant to Article 6 (1) (c) of the UK GDPR, namely to process payments for financial reimbursement under the current and contingency reciprocal healthcare.
We are collecting your necessary data to enable us to:
- process and determine eligibility for financial reimbursement of healthcare costs as part of the UK’s reciprocal healthcare arrangements with the EU, other European Economic Area (EEA) States and Switzerland
- make payments to countries and international healthcare providers within the EU, other EEA countries and Switzerland for healthcare treatment
- claim the cost of treatment provided by the UK from countries within the EEA and Switzerland
- provide appropriate healthcare related support and advice related to your enquiry
- analyse data alongside other patient information to understand patterns and trends that will be used to plan and make improvements to NHS services, and/or direct patient care
5. Legal basis for processing personal data
Under GDPR, the lawful bases we rely on for processing this information are:
- (a) we have a legal obligation
- (b) necessary task in the public interest or controller’s official authority
6. Data processors and other recipients of personal data
To enable us to process your request or determine your eligibility for healthcare financial reimbursement, we (and our data processors) sometimes need to share your personal data with other organisations. Where this is necessary, we are required to comply with all aspects of data protection legislation.
Below, we list the types of organisations we may need to share personal information with and the reasons for this.
Where necessary, required and within the law, we may share information with:
- third party data providers acting on our behalf, who will make a UK residency check
- the Department for Work and Pensions (DWP) to validate your pension information and make claims, and any third parties acting on their behalf to make payments against your entitlements
- HM Revenue and Customs (HMRC) to validate your S1 entitlement information
- countries within the EU, EEA and Switzerland, to validate your pension information and, if appropriate, make and receive payments
- NHS England and Improvement, NHS Scotland, NHS Wales, HSC in Northern Ireland to authorise your application for planned treatment
- international healthcare providers and administrators who provide your treatment to enable us to validate the information that you provide
- family and representatives of the person whose personal data we hold, where this is deemed necessary and with the consent of that person, or if that person is showing a lack of mental capacity
- the Government Legal Department to support resolution of cases where legal input is required
- the Gibraltar Health Authority if you live or have treatment in Gibraltar to authorise your application
- the NHSBSA to validate information such as personal details and circumstances
- DHSC legal for cases that involve exceptional circumstances – personal data will be shared where DHSC need to seek legal advice or are setting a legal precedent
To prevent, detect and investigate fraud and errors, we may share your information with:
- NHSBSA Loss and Fraud Prevention Team (for DHSC only)
- international healthcare providers and administrators you are treated by
- local authorities
- credit reference agencies
- bodies performing functions on behalf of the above organisations
- NHS Counter Fraud Authority
- Department of Health and Social Care (DHSC) International Division and Anti-Fraud Unit
- law enforcement organisations, as required by law
To support more effective planning and improvements to NHS services and patient care, we may share our understanding of patterns and trends gained from patient information (in an anonymised format) with:
- NHS commissioners and service providers
- NHS England and Improvement, NHS Scotland, NHS Wales, HSC in Northern Ireland and the Gibraltar Health Authority
- Department of Health and Social Care
- NHS Counter Fraud Authority
7. International data transfers and storage location(s)
Personal data will be stored in a number of repositories in the UK.
8. Retention and disposal policy
In most cases, personal data will be disposed of when it has reached the following retention periods:
- 7 years from when a person’s Provisional Replacement Certificate (PRC) or S2 was processed – to allow for treatment cost claims made to be processed
- 7 years from the date the NHSBSA are notified that the person is no longer entitled to their S1
- 7 years from the date payment is made or a claim for payment of treatment costs is closed
- 24 months from the date of a decision for any rejected applications for PRC, UK GHIC, UK EHIC, S1 and S2
For treatment cost claims made near the EHIC or GHIC’s expiry date that are yet to be processed, the NHSBSA will delete a person’s personal data from the systems and files no later than:
- 30 June 2171 if a person applies for a UK EHIC and has EU Settlement Scheme (EUSS) status – this is to allow for approval of applications from people whose entitlement is derived from the original applicant
- 48 months after the expiry of the person’s UK EHIC, if they do not have EUSS status
- 48 months after the expiry of a person’s UK GHIC – this allows claims to be made near the end of card expiry and be processed
- 48 months after the expiry of your UK European Health Insurance Card (EHIC) if you do not have EUSS – this allows for treatment cost claims made near the end of the card expiry to be processed
There may be occasions when records need to be kept for longer. Your personal data will only be retained for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements.
9. How we keep your data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have also introduced procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. Your rights as a data subject
By law, data subjects have a number of rights, and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018.
These rights are:
- the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
- the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
- the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
- the right to object to the information being used – individuals can ask for any information held about them to not be used – however, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
- the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
- the right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations
11. What we ask of you
So that we can keep your personal data reliable and up to date, please:
- give us accurate and current information
- contact us as soon as possible if there are any changes during your relationship with us, such as a new address
All correspondence should be directed to the Overseas Healthcare Services at:
Overseas Healthcare Services
NHS Business Services Authority
Bridge House
152 Pilgrim Street
Newcastle Upon Tyne
NE1 6SN
12. Comments or complaints
Anyone unhappy or wishing to complain about how personal data is used as part of this agreement should contact DHSC [email protected] and the NHSBSA in the first instance or write to both:
12.1 DHSC
Data Protection Officer
1st Floor North
39 Victoria Street
London
SW1H 0EU
12.2 NHSBSA
NHS Business Services Authority
Stella House
Goldcrest Way
Newburn Riverside
Newcastle upon Tyne
NE15 8NY
Anyone who is still not satisfied can complain to the Information Commissioner’s Office. Their postal address is:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
13. Automated decision making or profiling
No decision will be made about individuals solely based on automated decision making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.
14. Changes to this policy
This privacy notice is regularly reviewed and is up to date.