NHS shares patient information with Home Office for immigration enforcement
A government document has revealed the patient information sharing agreements between NHS Digital and the Home Office, while data shows that more than 8,000 requests were made in 2016.
Details of the procedures and process for sharing patient information have been set out in a memorandum of understanding between the Home Office, the Department of Health and NHS Digital, published for the first time this week.
Although the MoU – which details the rules on patient information exchange between NHS Digital and the Home Office – came into effect on 1 January this year, government authorities have been able to request information from the NHS for law enforcement activities for some years.
The latest figures from NHS Digital show that the Home Office made 8,127 requests for information in 2016 up to November – the last date for which records are available.
Of these, 5,854 were approved and traced, with a further 1,583 requests approved but where NHS Digital was unable to trace the information.
This compares with 339 requests from the police during this time – of which 73 were approved and traced – and 2,703 requests from the National Crime Agency – of which 574 were approved and traced.
According to the MoU, the Home Office can request non-clinical information – such as last known address, date of birth and date of NHS registration – from NHS Digital in relation to immigration offences, such as escaping detention or exceeding a time limit to stay in the UK.
The document say that, because this information is “administrative in nature” it “falls at the less intrusive end of the privacy spectrum” and that the nature of immigration offences mean “there is a low probability of mistaken identity”.
The Home Office can only request information if it fulfils certain criteria, including that it has used “all usual sources of internal information” to establish contact with the person and that the disclosure of such information is “a matter of public interest”.
However, the document states that because of the non-clinical nature of the records requested, “the public interest threshold is lower”, especially “where there are concerns regarding the safety or welfare of an individual, such as a vulnerable child or adult”.
It argues that there is a public interest in disclosing data on offenders under the Immigration Act, emphasising the importance of “effective immigration controls” for the UK – for instance by allowing the removal of “those who might pose a danger to the public”.
The document also says that immigration offenders “harm the economic wellbeing of the country” and that it is in the public interest that “limited UK resources and public services (including the NHS, jobs, schools, housing) are protected from unnecessary financial and resource pressures”.
The document making clear that NHS Digital can refuse a request from the Home Office “without limitation…if it is not satisfied that the request is in the public interest”, but less than 120 of the 8,127 requests in 2016 were rejected by NHS Digital.
The memorandum adds that all information must be sent to the Home Office under secure NHS mail and that all transfers of information, in both directions, must be done under the data protection principles in the Data Protection Act.
In addition, all information exchanged in these circumstances “will not be kept longer than is necessary for the purpose set out in this MoU”, and that once it is no longer relevant it must be destroyed securely.
NHS Digital is required to respond to a tracing request from the Home Office within 20 working days, but the Home Office can also request a shorter time frame if there are “exceptional circumstances”, which the memorandum said includes concern over the wellbeing of children.
The memorandum defines the Department of Health’s role as one of oversight – for data flow, accountability arrangements and updating ministers where necessary – and of brokering solutions in the event of issues between NHS Digital and the Home Office.
Shadow home secretary Diane Abbott described the use of patient data for immigration enforcement as “unacceptable”, arguing that it could deter people from seeking medical care and that “it should stop now”.
In a lengthy attempt to find out about the security of government’s software systems, PublicTechnology finds a very uneven approach to transparency and what constitutes sensitive...
The UK has tended to only introduce data-protection laws in conjunction with EU legislation and, according to Ray Walsh from ProPrivacy, the post-Brexit world may see the country prioritise...
A major government-commissioned study found that about half of UK organisations are lacking basic security skills. PublicTechnology talks to the researchers behind it to find out where...
Cabinet Office minister said that, despite the controversy that often surrounds the PM’s top adviser, ‘people are interested in Dominic and his ideas’
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
CyberArk's John Hurst looks at the true cost of GDPR breaches
PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right