
Sharing data with the NHS

This best practice provides guidance on sharing data with the NHS.

Requests from the NHS should be taken seriously, but that doesn't mean that it's an open door.

The first question is: should we share this data? The guidance document "Letter from PHE regarding GDPR and health activities in schools" provides a detailed explanation of three common requests from the NHS:
  • Vaccinations
  • Dental surveys
  • Weights and Measurements surveys
The document from Public Health England (which can be shared with parents) explains the programmes and the lawful basis for the processing. So yes, the data can be shared lawfully.

However, when this is being handled by a local NHS Trust, there are some other considerations. 

Firstly, are they asking only for the minimum amount of data required for the processing? If they want an excessive amount of data, you must ask why. Only the data required to complete the task should be shared.

Secondly, how do they wish to receive it? Any personal data sent should be sent securely via encrypted mail. We have seen requests from the NHS stating that it is OK to email the data as "we have a secure inbox". This may be the case, but as all data is most at risk when it is in transit, it is only secure if it is encrypted when it is sent.

Lastly, even with a lawful basis, security and data minimisation in place, you are still required to inform data subjects. The Letter from PHE should be published alongside (or included in) your privacy statements as well as being circulated to parents and carers.
Please select NHS Data Sharing from the checklist dashboard
©2025 Data Protection Education Ltd.
