Reciprocal healthcare joint data controller agreement: schedule 1
Updated 30 November 2021
© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/reciprocal-healthcare-privacy-notice/reciprocal-healthcare-joint-data-controller-agreement-schedule-1
Introduction
The Department of Health and Social Care (DHSC) and the NHS Business Services Authority (NHSBSA) are joint controllers for data relating to claims for financial reimbursement for reciprocal healthcare treatment. This means that both organisations are responsible for any personal data that either organisation collects or uses, and we are committed to protecting the privacy and security of your personal information.
This schedule supports the privacy notice and sets out how DHSC and NHSBSA will process personal data as joint controllers. We are publishing this schedule in line with Article 26(1) of the General Data Protection Regulation (GDPR).
Subject matter of the processing
The personal data is being processed to enable the parties to:
a) assess and process data under existing and future reciprocal healthcare arrangements
b) assess and process claims for financial reimbursement under the current and future reciprocal healthcare arrangements
c) issue and register entitlement documents to data subjects when eligibility has or has not been established under the current and future reciprocal healthcare arrangements
d) make payments to countries and international healthcare providers in the European Economic Area (EEA) and Switzerland, as part of reciprocal healthcare arrangements
e) provide appropriate reciprocal healthcare-related support and advice to the public
Duration of the processing
The personal data will be processed in most cases within a period of 7 years. Periods for processing can vary depending on the circumstances. More information can be found in the privacy notice under the section entitled: retention and disposal policy.
Nature and purposes of the processing
DHSC collects and processes personal data for:
a) recording, organising, structuring and storage, to confirm eligibility for healthcare costs under reciprocal healthcare arrangements
b) disclosure by transmission to other parties to progress the application and, if applicable, make payments
c) counter-fraud checks and subsequent investigations
d) erasure or destruction of data when it is no longer needed for the above purposes
Type of personal data
See privacy notice section entitled: The data we may ask you to provide.
Categories of data subject
- individuals
- individual representatives
- medical professionals
Plan for processed data unless there’s a different requirement to preserve it
For a plan for return and destruction of the data once the processing is complete unless there’s a requirement under union or member state law to preserve that type of data, see privacy notice section entitled: Keeping your personal data.