Guidance

Joint privacy notice for the implementation of reciprocal healthcare arrangements

Updated 30 November 2021

1. Summary of initiative and policy

This privacy notice describes how we collect and use personal information about you, in accordance with data protection law, including the UK General Data Protection Regulation 2016/679 (‘the UK GDPR’) and the Data Protection Act 2018.

The use and collection of data relates to agreements before and after the UK’s exit from the EU.

The UK has agreed reciprocal healthcare arrangements with the EU, Switzerland and the European Economic Area (EEA) European Free Trade Association (EFTA) states through the following agreements:

  • the UK-EU Trade and Cooperation Agreement
  • the UK-Switzerland Convention on Social Security Coordination
  • the UK-EU Withdrawal Agreement
  • the UK-Switzerland Citizens’ Rights Agreement
  • the UK-EFTA Separation Agreement
  • the UK-Gibraltar 1974 Arrangement

The rights and entitlements of UK-insured individuals depend on the agreement, but all agreements provide eligible UK-insured individuals with UK-funded necessary healthcare for temporary stays in the other country, UK-funded comprehensive healthcare for those exporting certain benefits (including state pensions) and for certain categories of cross-border workers, and planned treatment in the other country if the eligibility criteria are met.

You are ‘UK-insured’ if your state healthcare is funded by the UK because you:

  • pay or have paid National Insurance contributions, or
  • are ‘ordinarily resident’ in the UK

UK-insured individuals include:

  • S1 holders and their dependants
  • UK-issued Global/European Health Insurance Card (GHIC/EHIC) holders
  • people travelling for planned treatment using the S2 route

2. Data controller

The Department of Health and Social Care (DHSC) and the NHS Business Services Authority (NHSBSA) are joint controllers for data relating to claims for financial reimbursement for reciprocal healthcare treatment. This means that both organisations are responsible for any personal data that either organisation collects or uses, and we are committed to protecting the privacy and security of your personal information.

3. What personal data we collect

By law, we must process the following information to be able to provide this service:

  • your address to enable us to confirm your residency and eligibility
  • information to identify you, referred to as ‘personally identifiable information’
  • evidence of your nationality or status as a refugee or stateless person, or your dependant status, to allow us to confirm your eligibility under certain agreements

If appropriate, we will ask you for:

  • details about the treatment you received and of any charges paid (if you are a UK-insured person)
  • details about the treatment you have provided (if you are an NHS treatment facility)
  • information to identify your dependant(s)
  • details of the international healthcare provider that you have been, or are being, treated by
  • information about your medical condition or planned treatment
  • information about your exportable benefit(s), including your state pension

4. How we use your data (purposes)

The processing of personal data by the DHSC is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6 (1) (e) of the UK General Data Protection Regulation (GDPR), namely to assess and respond to claims for financial assistance and healthcare costs.

The processing of personal data by the NHSBSA is necessary for compliance with a legal obligation pursuant to Article 6 (1) (c) of the UK GDPR, namely to process payments for financial reimbursement under the current and contingency reciprocal healthcare.

We are collecting your necessary data to enable us to:

  • process and determine eligibility for financial reimbursement of healthcare costs as part of the UK’s reciprocal healthcare arrangements with the EU, other European Economic Area (EEA) States and Switzerland
  • make payments to countries and international healthcare providers within the EU, other EEA countries and Switzerland for healthcare treatment
  • claim the cost of treatment provided by the UK from countries within the EEA and Switzerland
  • provide appropriate healthcare related support and advice related to your enquiry
  • analyse data alongside other patient information to understand patterns and trends that will be used to plan and make improvements to NHS services, and/or direct patient care

Under GDPR, the lawful bases we rely on for processing this information are:

  • (a) we have a legal obligation
  • (b) necessary task in the public interest or controller’s official authority

6. Data processors and other recipients of personal data

To enable us to process your request or determine your eligibility for healthcare financial reimbursement, we (and our data processors) sometimes need to share your personal data with other organisations. Where this is necessary, we are required to comply with all aspects of data protection legislation.

Below we list the types of organisations we may need to share personal information with, and the reasons for this.

Where necessary, required and within the law, we may share information with:

  • third party data providers acting on our behalf, who will make a UK residency check
  • the Department for Work and Pensions (DWP) to validate your pension information and make claims, and any third parties acting on their behalf to make payments against your entitlements
  • HM Revenue and Customs (HMRC) to validate your S1 entitlement information
  • countries within the EU, EEA and Switzerland, to validate your pension information and, if appropriate, make and receive payments
  • NHS England and Improvement, NHS Scotland, NHS Wales and HSC in Northern Ireland to authorise your application for planned treatment
  • international healthcare providers and administrators who provide your treatment to enable us to validate the information that you provide
  • family and representatives of the person whose personal data we hold – this will be shared if deemed necessary and with the consent of that person, or if that person is showing a lack of mental capacity
  • the Government Legal Department to support resolution of cases where legal input is required
  • the Gibraltar Health Authority if you live or have treatment in Gibraltar to authorise your application
  • the NHSBSA to validate information such as personal details and circumstances
  • DHSC legal for cases that involve exceptional circumstances – personal data will be shared where DHSC need to seek legal advice or are setting a legal precedent

To prevent, detect and investigate fraud and errors, we may share your information with:

  • NHSBSA Loss and Fraud Prevention Team (for DHSC only)
  • international healthcare providers and administrators you are treated by
  • local authorities
  • credit reference agencies
  • bodies performing functions on behalf of the above organisations
  • NHS Counter Fraud Authority
  • Department of Health and Social Care (DHSC) International Division and Anti-Fraud Unit
  • law enforcement organisations, as required by law

To support more effective planning and improvements to NHS services and patient care, we may share our understanding of patterns and trends gained from patient information (in an anonymised format) with:

  • NHS commissioners and service providers
  • NHS England and Improvement, NHS Scotland, NHS Wales, HSC in Northern Ireland and the Gibraltar Health Authority
  • Department of Health and Social Care
  • NHS Counter Fraud Authority

7. International data transfers and storage location(s)

Personal data will be stored in a number of repositories in the UK.

8. Retention and disposal policy

In most cases, personal data will be disposed of when it has reached the following retention periods:

  • 7 years from when a person’s Provisional Replacement Certificate (PRC) or S2 was processed – to allow for treatment cost claims made to be processed
  • 7 years from the date the NHSBSA are notified that the person is no longer entitled to their S1
  • 7 years from the date payment is made or a claim for payment of treatment costs is closed
  • 24 months from the date of a decision for any rejected applications for PRC, UK GHIC, UK EHIC, S1 and S2

For treatment cost claims made near the end of the EHIC or GHIC’s expiry date (claims that are yet to be processed), the NHSBSA will delete a person’s personal data from the systems and files no later than:

  • 30 June 2171 if a person applies for a UK EHIC and has EU Settlement Scheme (EUSS) status – this is to allow for approval of applications from people whose entitlement is derived from the original applicant
  • 48 months after the expiry of the person’s UK EHIC, if they do not have EUSS status
  • 48 months after the expiry of a person’s UK GHIC – this allows claims to be made near the end of card expiry and be processed
  • 48 months after the expiry of your UK European Health Insurance Card (EHIC) if you do not have EUSS – this allows for treatment cost claims made near the end of the card expiry to be processed

There may be occasions when records need to be kept for longer. Your personal data will only be retained for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements.

9. How we keep your data secure

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have also introduced procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. Your rights as a data subject

By law, data subjects have a number of rights, and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018.

These rights are:

  1. the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
  2. the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
  3. the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
  4. the right to object to the information being used – individuals can ask for any information held about them to not be used – however, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
  5. the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
  6. the right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations

11. What we ask of you

So that we can keep your personal data reliable and up to date, please:

  • give us accurate and current information
  • contact us as soon as possible if there are any changes during your relationship with us, such as a new address

All correspondence should be directed to the Overseas Healthcare Services at:

Overseas Healthcare Services
NHS Business Services Authority
Bridge House
152 Pilgrim Street
Newcastle Upon Tyne
NE1 6SN

12. Comments or complaints

Anyone unhappy or wishing to complain about how personal data is used as part of this agreement should contact DHSC (data_protection@dhsc.gov.uk) and the NHSBSA in the first instance, or write to both:

12.1 DHSC

Data Protection Officer
1st Floor North
39 Victoria Street
London
SW1H 0EU

12.2 NHSBSA

NHS Business Services Authority
Stella House
Goldcrest Way
Newburn Riverside
Newcastle upon Tyne
NE15 8NY

Anyone who is still not satisfied can complain to the Information Commissioner’s Office. Their postal address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

13. Automated decision making or profiling

No decision will be made about individuals solely based on automated decision making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.

14. Changes to this policy

This privacy notice is regularly reviewed and is up to date.