NHS Shared Business Services - a joint venture between the Department of Health and Steria - does not have to publish any detail on what NHS information is viewed in India or what data fields can be viewed.
Steria employs 5,000 in India, some of whom work on NHS records. It says that its India-based staff do not view any sensitive information, and it makes the valid point that NHS trusts have had a high number of data breaches, as mentioned by the Information Commissioner in 2010.
That said, Computerworld UK has learned that there is no fully independent check on what NHS information is viewable or processed in India. Though NHS SBS has checks that are completed and verified on its behalf, it's difficult to police any data breaches in India.
My questions to NHS SBS and its answers:
1. Will SBS’s ambitious savings targets blur the dividing line between what NHS information is viewable or processed in India?
No - NHS SBS’ saving targets are not related to the information accessed in our India offices. The level of information accessible or processed is governed by the application of the NHS Information Governance Assurance Framework and its full requirements.
2. Is it set out in any published reports of SBS or Steria exactly what NHS information is available for viewing or processing in India? What data fields are viewable?
No - the level of access required for our staff is determined by the agreements between NHS SBS and our clients. The levels of access and the amount of data available vary depending on the nature of the work that our administrator needs to carry out. These are exactly the same principles that the NHS use to grant access to data for their employees in Trusts in the UK.
3. How can UK citizens be assured that all of SBS’s activities comply with data protection requirements in respect of transfers of personal data about patients or staff to countries outside of the EEA?
All NHS organisations are legally required to ensure the data they process is kept secure and confidential at all times. NHS Shared Business Services is no different. The data processed by NHS SBS in India does include GP registrations and ophthalmic forms. However these forms do not contain any clinical data. At no time does data leave the UK. It resides on servers hosted in the UK where it can be remotely accessed from India. NHS SBS is independently accredited at Level Two for Information Governance under the NHS Information Governance Assurance Framework.
4. What independent check is there on the NHS information that is viewable or processed in India?
NHS SBS has a number of checks that are completed and verified on our behalf. Primary checks for the use of personal information are completed by our Independent auditors.
In addition, NHS SBS has established an Internal IGAF Board comprising representatives of both NHS SBS and the Department of Health to oversee our application of the Information Governance Assurance Framework and ensure that best practice is delivered in our use of all NHS information.
5. Is there documentation available which sets out why SBS’s work in India is lawful under the Data Protection Act?
NHS SBS uses the model contract clauses as outlined within the Data Protection Act 1998 to comply with UK legislation for the processing of data outside of the EEA. These contracts provide the necessary assurance to both NHS SBS and our clients that any information processed in our India locations is done in accordance with current UK legislation.
In addition, our services in India are also independently assessed for compliance against the International Standard for Information Security (ISO 27001) and are fully certificated for this.
6. Is there an annual report on SBS? Is there a list of its directors/senior managers and their remuneration?
Yes - NHS SBS Ltd is a private limited company and submits its annual reports to Companies House where they are available to the general public for review.
7. Who decides what is and isn’t “sensitive” medical information?
NHS SBS considers all medical information as sensitive information.
This definition is taken from the Data Protection Act 1998, Schedule 3 (8), which stipulates that “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research and provision of care and treatment and the management of healthcare services.
Based on these parameters, we consider that any information which supports these is considered as medical information and we therefore apply the necessary restriction and governance to the use and access of this data.
8. What would you say to the claims by some GPs that name and address information is sensitive if held in the context of a medical services provider, and that patients will provide contact information to health workers that they will not provide to others?
Based on the definitions, the Data Protection Act 1998 considers that any information held or in the possession of an individual, in conjunction with access to other pieces of information can be described as personal identifiable information. Where the second set of data is of a medical nature, then it is acceptable to argue that this can be described as medical information.
Based on this, NHS SBS has ensured that our staff (whether in the UK or India) have only the access that they need for the performance of their work. This means that only a limited number of staff (based in the UK ONLY) have access to medical information contained in the GP records or parts of the Ophthalmic forms. No access to medical information is permitted to our India-based staff.
9. Why is it important that SBS’s servers are in the UK when those servers can be accessed in India?
Our reasoning for ensuring that all servers are based in the UK is due to the fact that the data held in the UK is more secure. Access to the servers can be controlled more effectively using appropriate IT security (e.g. encryption to NHS standards).
10. Do you accept that it’s difficult to police or enforce breaches of confidentiality in India?
NHS SBS does accept that there are difficulties in policing and enforcing breaches of confidentiality in any situation. The issue of whether this is in the UK or India plays no part in this argument. UK NHS Trusts continue to have one of the largest numbers of data breaches, as mentioned by the Information Commissioner this year. NHS SBS continues to provide the most robust solutions to minimise the risk of such breaches.