Policy paper

Memorandum of Understanding between the government of the United Kingdom of Great Britain and Northern Ireland and the government of Ireland concerning Common Travel Area healthcare arrangements (in recognition of residency-based health systems)

Updated 23 February 2022

This was published under the 2019 to 2022 Johnson Conservative government

The government of the United Kingdom of Great Britain and Northern Ireland ("the United Kingdom") and the government of Ireland;

Recognising their shared commitment to the protection of the Common Travel Area (CTA) and associated reciprocal rights and privileges as a legitimate and fundamental public policy, and recognising healthcare arrangements as a component of this;

Acknowledging the Memorandum of Understanding of 8 May 2019 reaffirming the CTA arrangements and the associated reciprocal rights and privileges enjoyed by British and Irish citizens in each other's state, in particular the right for citizens residing in either state to access emergency, routine and planned publicly funded health services in each other's state, on the same basis as citizens of that state;

Reaffirming that reciprocal healthcare provision between the United Kingdom and Ireland for British and Irish citizens is an enduring element of the CTA;

Acknowledging that the CTA is a naturally evolving arrangement and that reciprocal healthcare provision will similarly evolve with time;

Acknowledging the context of the United Kingdom ceasing to be a member of the European Union and desiring to put reciprocal arrangements in place under the auspices of the CTA for when the United Kingdom's participation in the EU Social Security Coordination arrangements ends on 31 December 2020;

Recognising that reciprocal protection will be afforded, as provided for under Title III (coordination of social security systems) of the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union, for persons in scope of those provisions;

Recognising that healthcare in the United Kingdom and in Ireland is available to residents irrespective of citizenship;

Recognising that reciprocal healthcare arrangements support residents who move temporarily between the United Kingdom and Ireland and support co-operation between the United Kingdom and Irish healthcare systems, for the benefit of all patients;

Desiring to that end that residents of the United Kingdom and Ireland should enjoy ease of access to healthcare in the other state;

Recognising the importance of economic and social linkages between Northern Ireland and Ireland and supporting North/South cooperation as provided for in the Belfast ("Good Friday") Agreement, in particular healthcare cooperation between Ireland and the Northern Ireland Executive and/or healthcare providers on either side of the border;

Acknowledging the value of existing and future North/South and East/West arrangements directly negotiated between health authorities and healthcare providers for the provision of healthcare outside these reciprocal arrangements;

Recognising that mechanisms enabling patients within the CTA to access certain planned specialised services in the other state predate the EU Social Security Coordination arrangements;

Acknowledging that whether a person from one state is eligible to be referred to the other state to receive planned healthcare under these reciprocal arrangements is a matter for the referring state to decide;

Recognising the importance of cross-border travel to the daily lives of people living on both sides of the border and desiring that these reciprocal arrangements do not put barriers on such travel such as the requirement to apply for specific documentation to access healthcare under these arrangements;

Acknowledging that in the United Kingdom responsibility for elements of healthcare is devolved, so implementation of elements of these reciprocal arrangements will be led by England, Scotland, Wales and Northern Ireland;

Recognising that Irish data controllers remain bound by the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 after 31 December 2020 and may only transfer personal data to the United Kingdom in accordance with the Regulation after that date;

Acknowledging that these reciprocal arrangements do not confer any right of entry to either state but operate in line with each state's domestic immigration system;

Have jointly decided:

1. Interpretation

For the purposes of this Memorandum of Understanding:

a) the following definitions apply:

"Certificate of authorisation" means a certificate issued by or on behalf of a Participant that specifies the treatment or treatments a person is authorised to access in the other state;

"Commencement day" means 11:00 pm on 31 December 2020;

"Eligible person" means a person resident in a Participant state which is not the treating state;

"Eligibility document" means one or more document(s), which indicates a person's eligibility for healthcare in the other state as set out in Annex A. Each Participant at its discretion may accept additional documents that are not listed in the annex as an alternative such indicator;

"Frontier worker" means an eligible person pursuing an activity as an employed or self-employed person in a Participant state who resides in the other state to which the person returns as a rule daily or at least once a week;

"Healthcare" means healthcare provided under the healthcare legislation of the United Kingdom or Ireland, as the case may be;

"Participant" means:

(i) the United Kingdom of Great Britain and Northern Ireland ("the United Kingdom");

and

(ii) Ireland;

(together, "the Participants");

"Planned healthcare" means healthcare arranged by way of a referral under a scheme operated by a Participantby which it authorises a person to access treatment in the other state;

"Posted worker" means an eligible person:

(i) who is employed in a Participant state by an employer with a place of business there and who is sent to the other state to perform work on that employer's behalf, or

(ii) who is normally self-employed in a Participant state and who goes to pursue a similar activity in the other state;

"Stay" means temporary residence. For the avoidance of doubt, a stay may be of less than 24 hours' duration;

"Treating state" means the Participant providing healthcare;

b) A person is resident in the United Kingdom if they are ordinarily resident for healthcare purposes under the legislation of the United Kingdom and a person is resident in Ireland if they are ordinarily resident for healthcare under the law of Ireland.

2. Planned healthcare arrangements

1) The Participants will facilitate the provision of planned healthcare in accordance with this paragraph.

2) Each Participant will determine on what basis a person resident in their state is eligible to be referred for planned healthcare in the other state.

3) Each Participant will determine their application process for authorising planned healthcare.

4) The treating state may decline to accept a person for treatment where there are extenuating reasons, such as major constraints on the availability of the treatment in the treating state.

5) The treating state will afford the authorised treatment in accordance with these provisions.

6) A person accessing planned healthcare in the treating state will have the same access to treatment, based on clinical priority and subject to any waiting lists for the treatment, as a resident of the treating state.

7) Any co-payments or other charges for which a resident would be liable under the law of the treating state will not be payable by a person referred for planned healthcare but will be reimbursed by the other Participant in accordance with paragraph 6.

8) Before providing treatment the treating state will require that a certificate of authorisation is produced. In exceptional cases, where treatment is required to be given as a matter of urgency, this requirement may be waived and a certificate of authorisation may be produced after the treatment has commenced.

3. Necessary healthcare arrangements

1) Each Participant will afford necessary healthcare, on the same terms as would apply to a resident of that state, to an eligible person during a stay by the person in the Participant's state. A student will be treated as on a stay for the duration of the student's course of study and a posted worker will be treated as on a stay for the duration of the posting or for up to 12 months, whichever is the shorter.

2) Healthcare will be afforded in accordance with this paragraph where:

a) the healthcare is medically necessary, in the opinion of the healthcare provider, having regard to the nature of the healthcare and the expected length of the stay; b) the person did not travel to the treating state for the purpose of receiving that healthcare, unless:

(i) the person is a passenger or member of the crew on air, sea or land transport and the healthcare became medically necessary during the transportation, or (ii) a UK or Irish ambulance takes the person to the state under a cross-border ambulance cooperation agreement;

c) in a case where the healthcare is listed in Annex B, the person obtained agreement in advance from the institution providing the healthcare; d) a valid eligibility document is produced in respect of the person; and e) where in-patient hospitalisation is medically necessary, and the institution providing the healthcare so requires, a further valid eligibility document is produced in respect of the person; save that the institution may not so require where to do so would delay necessary healthcare.

3) For the purpose of this paragraph, where the eligible person is under 18 years of age and is travelling with an eligible person over 18 years of age on whom the former is dependant, sub-paragraphs (d) and (e) apply only in respect of the latter not the former.

4) For the avoidance of doubt, necessary healthcare may include routine healthcare that the healthcare provider providing the healthcare deems medically necessary, having regard to the nature of the healthcare and the expected length of the stay, in order to manage a long-term condition or pregnancy.

5) Any co-payments or other charges for public hospital services (including secondary and tertiary healthcare) under this paragraph for which a person would be liable under the law of the treating state will not be payable by the person but will be reimbursed by the other Participant in accordance with paragraph 6. For the avoidance of doubt, such healthcare includes (without limitation) accident and emergency services and inpatient services.

4. Repayment of a sum recovered or secured for necessary healthcare

Where an eligible person has paid any sum for necessary healthcare under paragraph 3, that sum will be repaid to the person by the other Participant, save for any co-payments or other charges for which the person is liable under that paragraph. Each Participant will determine their own application process for such repayment. The treating state will furnish the other Participant with all necessary information for these purposes, upon request.

5. Frontier workers

1) Each Participant will afford healthcare, on the same terms as those that would apply to a resident of that Participant's state, to a frontier worker whose status as a frontier worker is confirmed as per part 3 in Annex A.

2) A frontier worker who is pursuing an activity in Ireland may apply for means-tested healthcare on the same terms as those that would apply to a resident of Ireland.

6. Reimbursement

1) Where a Participant provides planned healthcare under paragraph 2 or necessary healthcare under paragraph 3, the other Participant will reimburse the costs of that healthcare, including (as provided for in those paragraphs) any co-payments or charges for which a person would be liable under the law of the treating state.

2) The costs payable under this paragraph in respect of the healthcare provided will not exceed the amount the institution providing the healthcare would assess as the costs of that healthcare if it had been provided to a resident of the treating state.

3) The reimbursement of costs will be determined and made in accordance with the principles set out in Annex C and the method and administrative arrangements decided between the Participants.

7. Transfer of personal data

The Participants will use their best endeavours to ensure that the relevant data controllers share such data as is necessary and proportionate to operate these arrangements and to provide the benefits in kind provided for in them. In recognition that Ireland, as a Member State of the European Union, is subject to the provisions of the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (GDPR), and that such data may include personal data, the Participants will use their best endeavours to ensure that the relevant data controllers enter into the "administrative arrangements" annexed in draft to these arrangements as Annex D in the absence of a decision of the European Commission that the UK offers an adequate level of data protection.

8. Exchange of information

Each Participant will inform the other of the principal point of contact who will facilitate the provision of information that may be required in giving effect to the arrangements set out in this Memorandum of Understanding.

9. Commencement of arrangements

1) These arrangements will come into effect at commencement day, save as provided for in sub-paragraph 2 or as otherwise decided between the Participants.

2) In the event that, before these arrangements come into effect, an agreement is concluded between the United Kingdom and the European Union which concerns matters covered by this Memorandum of Understanding, the Participants will review the provisions of this Memorandum of Understanding to ensure that the arrangements continue to be fully appropriate to achieving the objectives set out in the recitals above. These arrangements will take effect as decided by an exchange of letters, which will also set out any amendments decided between the Participants. However, in the event that the exchange of letters does not take place before commencement day due to the said review remaining ongoing, these arrangements will come into effect at commencement day to the extent necessary to ensure that the persons intended to benefit from the services for which provision is made in these arrangements may avail of those services to the extent that they are not already required to be provided in accordance with the said agreement between the United Kingdom and the European Union.

10. Duration of arrangements

This Memorandum of Understanding will remain in effect for an indefinite period. The government of the United Kingdom or the government of Ireland may terminate it at any time by giving 6 months' notice in writing to the other Participant.

11. Transitional arrangements

1) The Participants will continue to apply these arrangements for a period of not less than 6 months in respect of any persons in the course of treatment or whose planned healthcare has been authorised when the arrangements cease to have effect.

2) In the event that notice is given under paragraph 10, the Participants will continue to work together during and beyond the notice period to facilitate the continued availability of critical specialised services such as organ transplants.

12. Commitments of Ireland

The Participants acknowledge that these arrangements are subject to and without prejudice to Ireland's obligations as a Member State of the EU/EEA and will not apply to or affect any rights and obligations arising under the Agreement on the European Economic Area.

13. Governance

1) The Participants will maintain such administrative arrangements as are necessary to give effect to this Memorandum of Understanding.

2) Officials from the Participants will continue, as they do now, to cooperate with and provide assistance to each other as necessary.

3) At least once a year the Participants will review the operation of these arrangements.

4) Any question to be resolved as to the operation of these arrangements will be resolved by discussion between the Participants.

Annex A: eligibility documentation

Part 1: documents which evidence the eligibility of a UK resident

1) UK issued EHIC, PRC, or UK equivalent document.

2) UK photocard driving licence, or old-style driving licence.

3) UK biometric residence permit.

4) Northern Ireland voter's card.

5) Northern Ireland medical card.

In each case above the document presented must be current and in date. Where the document does not incorporate a photo, additional photo ID may be requested by the healthcare provider.

6) Any 2 of the following with proof of address and alongside photo ID:

  • utility bill (gas, electric, satellite TV, landline phone bill) issued within the last 6 months
  • local authority council tax bill for the current council tax year
  • bank, building society or credit union statement or passbook dated within the last 6 months
  • original mortgage statement from a FSA-regulated lender issued for the last full year
  • solicitor's letter within the last 6 months confirming recent house purchase or land registry confirmation of address
  • council or housing association rent card or tenancy agreement for the current year
  • HMRC self-assessment letter or tax demand dated within the current financial year
  • electoral register entry
  • NHS medical card or letter of confirmation from GP's practice of registration with the surgery

Part 2: documents which evidence the eligibility of an Irish resident

1) Irish issued EHIC or TRC.

2) Irish photocard driving licence.

3) Irish Residence Permit (IRP).

4) Irish medical card or GP visit card.

In each case above the document presented must be current and in date. Where the document does not incorporate a photo, additional photo ID may be requested by the healthcare provider.

5) Any 2 documents showing a person's Irish address (for example bank statement or utility bill) issued within the previous 6 months and alongside photo ID.

Part 3: documents for long term visitors

Where the person is on a visit of a long-term duration, such as students and posted workers, the healthcare provider may require additional documentation to be produced for certain treatments to evidence the duration of the visit, for example a letter from a college or other educational institution confirming the holder is enrolled in a course of study and the duration of the course.

Part 4: documents which confirm status as a frontier worker

1) Proof of residence in the other state.

2) Evidence of employment or self-employment such as a letter from employer or pay slips for a given period (employee) or most recent copy of Income Tax Assessment Notice from the Revenue Commissioners or HM Revenue and Customs (self-employed).

3) A frontier worker may also be required to be able to demonstrate their commute to and from the place of employment.

Annex B: healthcare for which advance agreement must be obtained

  1. Kidney dialysis

  2. Oxygen therapy

  3. Special asthma treatment

  4. Echocardiography in the case of autoimmune diseases

  5. Chemotherapy

Annex C: reimbursement principles

Part 1: planned healthcare

1) Reimbursement will be on the basis of the actual cost[footnote 1] of the treatment given.

2) The healthcare provider will provide the competent health board of the other state with an estimate of the anticipated cost of treatment, based on their applicable tariffs.

3) After treatment has been completed the competent authority will submit reimbursement claims to the authorising state within 12 months of the end of the calendar half-year (i.e. by the end of June or December) during which they were notified of the expenditure by domestic healthcare commissioners.

4) Claims will be paid by the end of the 18th month following which they were submitted to the authorising state, unless the claim or part of the claim was disputed.

5) Where a claim is disputed, every effort will be made by the Participants to resolve the dispute by the end of the 36th month following the claim being submitted.

Part 2: necessary healthcare

6) Reimbursement will be on the basis of a formula, to be agreed between the Participants, which reflects the estimated costs of necessary healthcare for the cohorts entitled under these arrangements.

7) The formula will be based on publicly available datasets, which will be agreed by both Participants.

8) The Participants will exchange these datasets on an annual basis and no later than the end of each calendar year.

9) The formula will be adjusted to reflect the inclusion of students and posted workers.

10) The formula will include the cost of patient charges and co-payments for public hospital services (including secondary and tertiary healthcare).

11) The Participants will agree the outputs of the formula(e) calculations on an annual basis.

12) A balancing lump sum will be paid annually by the Participant with the greater liability for that year.

13) The lump sum will be paid prior to the end of each calendar year.

14) The formula will be reviewed and renewed or updated every 3 years or more frequently by consent, for instance if new improved datasets become available or if a change in the methodology is required to improve the accuracy of the estimated costs.

Annex D: draft administrative arrangements

Data sharing administrative arrangements

Reciprocal healthcare arrangements between the government of the United Kingdom of Great Britain and Northern Ireland and the government of Ireland in the context of the Common Travel Area.

Draft administrative arrangement under Article 46(3)(b) of the GDPR for the transfer of personal data between the Health Service Executive (Ireland) and the Department of Health and Social Care and the NHS Business Services Authority (United Kingdom) relating to the Common Travel Area Healthcare Arrangements.

Each a "Participant" to this arrangement and together the "Participants".

The Participants

-acting in good faith and having no reason to believe that existing applicable legal requirements in their respective jurisdictions prevent them from doing so,

-recognising the importance of the protection of personal data and of having robust data protection regimes in place and having satisfied themselves that such protections are in place,

-having regard to Article 46(3)(b) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"),

-having regard also to the necessity to meet the data protection principles in Article 5 and to have a legal basis under Article 6 for the processing of personal data and also under Article 9 where the processing involves a special category of personal data as is the case under this arrangement,

-having regard to the relevant legal framework for the protection of personal data in the jurisdiction of the Participants and acknowledging the importance of dialogue between the National Data Protection Supervisory Authorities in each jurisdiction,

  • having regard also to (i) the European Data Protection Board Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies Version 1.0 Adopted on 18 January 2020 and (ii) the Court of Justice of the European Union Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (July 2020),

  • noting the need to share personal data to operate the Reciprocal Healthcare arrangements entered into by the Department of Health and Social Care of the United Kingdom of Great Britain and Northern Ireland and the Department of Health of Ireland on the specified date,

-have reached the following understanding:

-that controllers transferring personal data for the lawful purposes of reciprocal healthcare arrangements between the two countries will do so in accordance with the terms the of administrative arrangement ("the Arrangement") under Article 46(3)(b) of the General Data Protection Regulation set out hereunder.

For the avoidance of doubt, the Department of Health and Social Care is the data controller as regards the Secretary of State for Health and Social Care.

For the United Kingdom, the Department of Health and Social Care and the NHS Business Services Authority are the joint data controllers for the purposes of processing data transferred pursuant to this arrangement.

For Ireland, the Health Service Executive is the data controller.

The terms of the Arrangement are as follows:

I. Purpose and cope

  1. This Arrangement is limited to transfers by controllers of personal data (including personal data of the type specified in Article 9 and Article 10 of the General Data Protection Regulation) necessary and proportionate for the lawful purposes of reciprocal healthcare arrangements between the two countries in accordance with the agreed Reciprocal Healthcare Arrangements.

  2. Each controller transferring personal data for the lawful purposes of reciprocal healthcare arrangements between the two countries will act in accordance with this Arrangement.

  3. This Arrangement is in accordance with Article 46(3)(b) of the GDPR and it recognises the rights of Data Subjects under Chapter III and the remedies, liabilities and penalties under Chapter VIII of the GDPR and the related obligations on controllers.

  4. In accordance with Article 46(3)(b) of the GDPR, prior to entering into this Arrangement, the Government of Ireland has consulted with Ireland's National Data Protection Authority, the Data Protection Commission, and the Commission has authorised the provisions in this Arrangement for the transfer of personal data by relevant controllers in accordance with this mechanism.

  5. The data subject rights are provided for in United Kingdom law by the UK GDPR and the Data Protection Act 2018. The Department of Health and Social Care and the NHS Business Services Authority will have appropriate safeguards in place for the protection of data subject rights after the United Kingdom's withdrawal from the EU.

  6. It is recognised that appropriate, effective and enforceable data subject rights as well as obligations on controllers are provided for under applicable data protection law in each country at the specified date for the Reciprocal Healthcare Arrangements and this Arrangement does not create any extra legally binding obligations or confer any additional legally binding rights that supersede those rights and obligations but sets out how those obligations on controllers are to apply to the transfer of personal data for the lawful purposes of reciprocal healthcare arrangements between the two countries.

II. Definitions

For the purposes of this Arrangement:

(a) "applicable legal requirements" means the relevant legal framework for the protection of personal data applicable in each country;

(b) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

(c) "personal data" means any information relating to an identified or identifiable natural person ("Data Subject") within the scope of this Arrangement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(d) "personal data breach" means a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(e) "processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(f) "profiling" means automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person;

(g) "receiving controller" means the controller that receives the personal data from the other country's controller under this Arrangement;

(h) "sharing of personal data" means the sharing of personal data by a receiving controller with a third party in its country.

(i) "transferring controller" means the controller that transfers the personal data to the other country's data controller under this Arrangement;

General Data Protection Rights for Data Subjects:

The GDPR generally provides the following "Data Subject Rights", which are set out in Chapter III of the GDPR and Article 34 of the GDPR:

i. "right not to be subject to automated decisions, including profiling" means a Data Subject's right not to be subject to legal decisions being made concerning him or her based solely on automated processing;

ii. "right of access" means a Data Subject's right to obtain from an Authority confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, to access the personal data;

iii. "right of erasure" means a Data Subject's right to have his or her personal data erased by an Authority where the personal data are no longer necessary for the purposes for which they were collected or processed, or where the data have been unlawfully collected or processed;

iv. "right of information" means a Data Subject's right to receive information on the processing of personal data relating to him or her in a concise, transparent, intelligible and easily accessible form;

v. "right of objection" means a Data Subject's right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her by an Authority, except in cases where there are compelling legitimate grounds for the processing that override the grounds put forward by the Data Subject or for the establishment, exercise or defence of legal claims;

vi. "right of rectification" means a Data Subject's right to have his or her inaccurate personal data corrected or completed by a controller without undue delay;

vii. "right of restriction of processing" means a Data Subject's right to restrict the processing of the Data Subject's personal data where the personal data are inaccurate, where the processing is unlawful, where the Data Controller no longer needs the personal data for the purposes for which they were collected or where the personal data cannot be deleted;

"right to be informed of a personal data breach" means a data subject's right to be informed by a controller of a personal data breach that results in or is likely to result in a high risk to the rights and freedoms of the individual;

and such rights may only be restricted in accordance with Article 23.

III. Personal data protection safeguards

1) Purpose limitation: personal data will be transferred only for the lawful purposes of reciprocal healthcare arrangements between the two countries. The controllers will process personal data in accordance with the purposes and procedures set out in Schedule 1 to this Arrangement.

2) Data quality and proportionality: personal data to be transferred must be accurate, up to date, adequate, relevant and limited to what is necessary for the purposes for which they are transferred and processed.

3) Transparency: transfer of personal data to which this Arrangement applies is subject to appropriate transparency arrangements (over and above a general information notice on the website of the data controller concerned) being put in place by the controllers involved that will provide notice to Data Subjects about: (a) how and why the controller may process and transfer personal data; (b) the type of data controllers to which such data may be transferred; (c) the rights available to Data Subjects and how to exercise those rights, (d) information about any applicable delay or restrictions on the exercise of such rights; (e) contact details for submitting a dispute or claim and (f) any necessary and lawful sharing of personal data by a receiving controller with a third party in its country. In addition, the Participants to this Arrangement commit to making the Arrangement available to data subjects on request and publicly available on their websites.

4) Security and confidentiality: each controller will have in place appropriate technical and organisational measures, including suitable, specific and appropriate safeguards where Article 9 and Article 10 personal data is involved to protect personal data that are transferred to it against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure. Such measures will include appropriate administrative, technical and physical security measures. Where a controller that receives personal data becomes aware of a personal data breach, it will inform the controller that transferred the personal data as soon as possible (as well as the National Data Protection Authority in each country) and use reasonable and appropriate means to remedy the personal data breach and minimise the potential adverse effects (including, where appropriate, and without undue delay, by communicating to the data subject concerned that a personal data breach has occurred).

5) Safeguards Relating to GDPR Data Subject Rights: the controllers transferring personal data for lawful purposes of reciprocal healthcare arrangements between the two countries will have in place appropriate measures which they will follow, such that, upon request from a Data Subject, a controller will:

(i) identify any personal data it has transferred to the other country pursuant to this Arrangement,

(ii) provide general information, including on their respective websites, about safeguards applicable to transfers, and

(iii) provide access to the personal data and confirm that the personal data are complete, accurate and up to date.

Each controller will allow a Data Subject who believes that his or her personal data are incomplete, inaccurate, outdated or processed in a manner that is not in accordance with applicable legal requirements or consistent with the safeguards set out in this Arrangement to make a request directly to the controller for any rectification, erasure, restriction of processing, or blocking of the data.

Each controller, in accordance with applicable legal requirements, will address in a reasonable and timely manner a request from a Data Subject concerning the rectification, erasure, restriction of processing or objection to processing of his or her personal data.

No controller processing personal data for the lawful purposes of reciprocal healthcare arrangements between the two countries will take a legal decision concerning a Data Subject based solely on automated processing of personal data, including profiling, without human involvement.

Safeguards relating to Data Subject Rights are subject to a controller's legal obligation not to disclose confidential information pursuant to professional secrecy or other legal obligations. These safeguards may be restricted to prevent prejudice or harm to supervisory or enforcement functions of a body acting in the exercise of the official authority vested in it, such as for the monitoring or assessment of compliance with applicable laws or prevention or investigation of suspected offences; for important objectives of general public interest. Any such restrictions should be necessary and provided by law, and will continue only for as long as the reason for the restriction continues to exist.

6) Limited data retention period: the controllers will retain personal data for no longer than is necessary and appropriate for the purpose for which the data are processed. Such retention period will comply with the applicable legal requirements governing the retention of such data in the jurisdiction of the receiving controller.

IV. Sharing of personal data by receiving controller

  1. Except as otherwise set out in paragraph (2) below or paragraph (6) of Schedule 1, sharing of personal data by a receiving controller pursuant to this Arrangement will only take place with the prior written consent of the transferring controller, and if the third party provides appropriate assurances that are consistent with the safeguards in this Arrangement.

  2. Where assurances contemplated under the first paragraph cannot be provided by the third party, the personal data may be shared with the third party in exceptional cases if sharing the personal data is for important reasons of public interest, as recognised in the jurisdiction of the receiving controller and, where necessary under the applicable legal requirements of the receiving data controller, including in the spirit of reciprocity of international cooperation, or if the sharing is necessary for the establishment, exercise or defence of legal claims.

  3. A receiving controller may share personal data with a third party without requesting consent from the transferring controller, nor obtaining assurances, in a situation where the sharing of personal data follows a legally enforceable demand or is required by law. The receiving controller will use its best efforts to limit the sharing of personal data received under this Arrangement, in particular through the assertion of all applicable legal exemptions and privileges.

V. Redress

  1. Each controller acknowledges that a Data Subject who believes that a controller has failed to comply with the safeguards as set forth in this Arrangement, or who believes that his or her personal data have been subject to a personal data breach, may seek redress against that controller to the extent permitted by applicable legal requirements. This redress may be exercised before any competent body, which may include a court, in accordance with the applicable legal requirements of the jurisdiction where the alleged non-compliance with the safeguards in this Arrangement occurred. Such redress may include monetary compensation for damages.

  2. In the event of a dispute or claim brought by a Data Subject concerning the processing of the Data Subject's personal data against the transferring controller, the receiving controller or both controllers, the controllers will inform each other about any such disputes or claims, and will use best efforts to settle the dispute or claim amicably in a timely fashion.

  3. If a controller or controllers are not able to resolve the matter with the Data Subject, the controllers will use other methods by which the dispute could be resolved unless the Data Subject's requests are manifestly unfounded or excessive. Such methods will include participation in non-binding mediation or other non-binding dispute resolution proceedings initiated by the data controller or by the controller concerned. Participation in such mediation or proceedings may be done remotely (such as by telephone or other electronic means).

  4. If the matter is not resolved through cooperation by the controllers, nor through non-binding mediation or other non-binding dispute resolution proceedings, the receiving controller will report this to the National Data Protection Authority in the country where the alleged non-compliance with the safeguards in this Arrangement occurred. In situations where a Data Subject raises a concern and a transferring data controller is of the view that a receiving controller has not acted consistent with the safeguards set out in this Arrangement, a transferring controller will suspend the transfer of personal data under this Arrangement to the receiving controller until the transferring data controller is of the view that the issue is satisfactorily addressed by the receiving controller, and will inform the Data Subject thereof.

VI. Oversight

  1. Each controller will review, at such time and in such manner as it considers appropriate the Arrangement to ensure that its terms are being met and the controllers in both countries will co-operate with such review.

  2. The controller or controllers in one country, as the case may be, will notify the controller or controllers in the other country if there is any relevant change to its applicable legal requirements that affects the controller's or controllers' compliance with the safeguards, rights and protections under the Arrangement. The controllers will then assess whether that alters the safeguards, rights and protections for Data Subjects.

  3. The controllers acknowledge the importance of appropriate auditing arrangements in each country in accordance with domestic law.

VII. Revision, suspension and discontinuation

  1. The controllers will advise their respective National Data Protection Authorities of any material changes in the law, regulations or practices affecting the safeguards or operation of this Arrangement and the Authorities may offer such advice or take such action as they consider appropriate.

  2. The controllers may consult and, subject to paragraph 3, revise by mutual consent the terms of the Arrangement in the event of a material change in the laws, regulations or practices affecting the safeguards or operation of the Arrangement.

  3. The controllers will notify their respective National Data Protection Authorities of any proposed material revisions to, or discontinuation of, the Arrangement and the agreement of the Data Protection Commission to any proposed material change will be obtained before any such change can take effect.

  4. If a controller wishes to withdraw from the Arrangement, it will provide written notification of discontinuation to the other controllers and the National Data Protection Authorities and discontinuation will become effective three months after receipt of such notification.

  5. If a controller or controllers can no longer provide adequate safeguards in accordance with the Arrangement, it will advise the other controllers and a controller or controllers from the other country may suspend the transfer of personal data under the Arrangement until the issue is satisfactorily addressed by the controller or controllers concerned, or it may discontinue the Arrangement with immediate effect and in either case the National Data Protection Authorities will be informed.

  6. The controllers may discontinue this Arrangement if the European Commission issues a positive adequacy decision under Article 45(3) of the GDPR in relation to the United Kingdom.

  7. The controllers accept that suspension or discontinuation of this Arrangement (except for discontinuation in the event of a positive adequacy decision) does not relieve them from following the safeguards under this Arrangement as regards the processing of the personal data already transferred.

VIII. Coming into effect

This Arrangement will come into effect at the same time as the Reciprocal Healthcare Arrangements, or, if later, on the signatures of the controllers below, and will continue to have effect for as long as the processing of personal data is necessary to operate the reciprocal healthcare arrangements.

Date:
Signed by:
for and on behalf of the
Health Service Executive

Date:
Signed by:
for and on behalf of the
Department of Health and Social Care

Date:
Signed by:
for and on behalf of the
NHS Business Services Authority

Schedule 1: details of transfers of personal data to which this Arrangement applies

1. Categories of data subjects

1.1 The personal data transferred concerns the following categories of data subjects:

-Persons for whom the costs of healthcare are or may be the responsibility of one of the government of Ireland or the government of the United Kingdom of Great Britain and Northern Ireland who are residing, working or staying in the territory of one of the countries.

-These are employed persons, self-employed persons, student, pensioners, pension claimants, family members, and other residents and insured persons of the countries.

2. Purposes of the transfers

2.1 The personal data will be transferred for the purpose of administering the reciprocal healthcare arrangements that will operate between the government of Ireland and the government of the United Kingdom of Great Britain and Northern Ireland, and specifically:

a) to provide the receiving data controller with information necessary for its country to reimburse the other country for the costs of treatment received for persons whose healthcare costs it is responsible for

b) to establish the rights and obligations of persons covered by the reciprocal arrangements, and in order to administer applications, claims, registrations or payments;

c) to erase or destroy personal data when it is no longer required for the above purposes.

3. Categories of personal data concerned

3.1 The following categories of personal data will be processed to the extent that it is necessary and proportionate by the data controllers:

a) name

b) health identifier (where available)

c) date of birth

d) address and post code

e) benefits received

f) status (as an insured person, pensioner or family member)

g) familial status

h) pregnancy status

i) email address

j) national or social security insurance number (where appropriate)

k) employee number (where appropriate)

l) confirmation that medical treatment has been received or is required

m) the kind of medical treatment received or required

n) the location of any received or required treatment

o) any expected duration of medical treatment

p) any other information which may be required for the purpose only of the administrative process in a particular case

4. How the personal data will be exchanged or shared between the data controllers

4.1 The exchange of information may take place via paper-based postal mail, structured electronic documents and Electronic Data Interchange files with appropriate security measures in place that have regard to the method of exchange.

5.1 The lawful basis for the processing of personal data is Article 6(1)(e) of the GDPR (and of the UK GDPR).

5.2 The data controllers will process special category data in accordance with Article 9 (2)(h) and Article 9(3) of the GDPR (and of the UK GDPR)

5.3 The underlying legislative provision for the HSE in relying on Article 6(1)(e) is the Health Act 2004 which established the HSE and sets out its statutory functions.

5.4 The underlying legislative provision for the Department of Health and Social Care and the NHS Business Services Authority for relying on Article 6(1)(e) is the Healthcare (European Economic Area and Switzerland Arrangements) Act 2019 and the Healthcare (European Economic Area and Switzerland Arrangements) (EU Exit) Regulations 2019.

6. Sharing of personal data

6.1 The Department of Health and Social Care and the NHS Business Services Authority may share personal data received with the following third parties, for the purpose of administering applications, claims, registrations or payments:

(i) The Department for Work and Pensions

(ii) HM Revenue and Customs

(iii) The NHS Commissioning Board (NHS England)

(iv) NHS Counter Fraud Authority

  1. Actual cost relates to Public Patient National Tariffs in the UK and DRG costs in Ireland.