Staff access to health and care systems from non-UK countries

This brief guidance helps information governance (IG) professionals understand how to deal lawfully, appropriately and safely with requests from staff members to access health and care information technology systems from countries outside the UK.

Assessing the risks

Data protection laws do not stop staff accessing health and care systems from non-UK countries but you will need to assess the risks and decide whether this is appropriate.

You should consider:

  • your organisation’s risk appetite and technical capabilities
  • potential reputational damage to your organisation (if personal data is lost or unlawfully accessed abroad)
  • the nature of the services provided
  • the type of information that needs to be accessed

Accessing health and care systems from non-UK countries brings heightened risks to data. Risks could include laws in non-UK countries granting law enforcement agencies access to data, or individuals’ rights not being suitably protected.

A data protection impact assessment (DPIA) can be used to assess the risks to data and how to mitigate these risks. The DPIA must make clear who the Controller is whilst data is processed outside of the UK, and who is responsible for ensuring compliance with data protection requirements.


Country specific considerations

Approaches to data protection vary by country so you will need to take this into account when assessing the risk. You should consider the wider risks associated with a particular country on a case by case basis.


Putting data security measures in place

You must ensure that appropriate organisational and technical security measures are in place to protect data whilst abroad. These can include device encryption, multi-factor authentication, and use of your organisation’s virtual private network (VPN). The security controls you choose should be proportionate to the risks associated with the particular country.

You should also check that the non-UK country does not have technical or other barriers in place which would prohibit or impact secure data transfers or storage.

Access arrangements will need to be clear, for example, whether data would be accessed remotely or processed only on trusted devices.

You need to consider any issues that would heighten the risk of cyber-attacks, such as leaving devices unattended or unsecured in a hotel room, or local requirements to install intrusive mobile phone applications. One way of reducing this risk is by using your organisation’s VPN, which can secure connections to your organisation’s networks and systems and reduce the risk of a data breach.


International Data Transfer Agreement (IDTA)

You do not need to put an International Data Transfer Agreement in place for staff accessing your organisation’s systems or information whilst overseas. This is because they are accessing systems and information in the same way they would whilst in the UK. The information stays within your organisation and is not transferred outside of it to another organisation.


Accessing personal data from abroad

If a staff member needs to access personal data from a country outside the UK, you will need to take this into account as part of your risk assessment. For some countries access to this type of data may be appropriate, whereas for others the risks will be too high. Individuals may not have the same legal protection if their information is processed in a different country.


Accessing the NHS Spine and national applications from overseas

The NHS Spine was intended to be accessed from within the UK, so access from outside the UK should be treated as exceptional. Your risk assessment or DPIA must take this into consideration before deciding whether access to the NHS Spine and applications is appropriate and secure.

You must ensure that allowing staff access to information while away from the UK does not breach any contractual agreements. This includes the Health and Social Care Network (HSCN) which has terms restricting the transfer of data to certain countries. You should also check the contractual agreements for any other products being used from abroad which connect to national services, such as the Personal Demographics Service (PDS).

If access from abroad is agreed, you will need to arrange and monitor how the staff member will obtain and use the NHS Smartcard, if relevant.
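One way to monitor agreed access from abroad against the controls named under 'Putting data security measures in place' (multi-factor authentication, device encryption, VPN) and the case-by-case approval described above, as an added example that is not part of this guidance or any NHS system; the sign-in log format, its field names and the approval register are constructed for illustration:

```python
# Added example (not from the NHS England guidance): review sign-in records
# for access from non-UK countries, checking each against the controls the
# guidance names (MFA, device encryption, VPN) and a per-case approval
# register. Log format, field names and the register are constructed/assumed.
import csv
from io import StringIO

# Constructed sample sign-in export; the columns are assumed, not a product format.
SIGNIN_LOG = """\
user,country,mfa,device_encrypted,vpn,system
alice,GB,yes,yes,yes,EPR
bob,FR,yes,yes,yes,EPR
carol,FR,no,yes,no,EPR
dave,US,yes,yes,yes,Spine
erin,DE,yes,no,yes,EPR
"""

# Constructed approval register: (user, country) pairs approved case by case,
# recording whether Spine / national application access was explicitly agreed.
APPROVALS = {
    ("bob", "FR"): {"spine": False},
    ("dave", "US"): {"spine": False},
    ("erin", "DE"): {"spine": False},
}

REQUIRED_CONTROLS = ("mfa", "device_encrypted", "vpn")


def review_signins(log_text, approvals, home="GB"):
    """Return (user, country, finding) tuples for sign-ins that need IG review."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["country"] == home:
            continue  # in-country access is outside the scope of this check
        key = (row["user"], row["country"])
        approval = approvals.get(key)
        if approval is None:
            findings.append((*key, "no case-by-case approval on record"))
            continue
        missing = [c for c in REQUIRED_CONTROLS if row[c] != "yes"]
        if missing:
            findings.append((*key, "missing controls: " + ", ".join(missing)))
        if row["system"] == "Spine" and not approval.get("spine"):
            findings.append((*key, "Spine access not agreed in approval"))
    return findings


if __name__ == "__main__":
    for finding in review_signins(SIGNIN_LOG, APPROVALS):
        print(*finding)
```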


Deciding policy

You should set out your decision in an ‘accessing health and care systems from abroad’ policy document. Each case will differ, so even if your policy is that accessing health and care systems from abroad could be appropriate, individual requests should still be looked at on a case-by-case basis.


Employment contracts and conditions

Employment contracts should be appropriately updated for staff who will routinely be accessing health and care systems from abroad as part of their role. You should speak to your payroll and HR colleagues about what the contracts need to cover. For example, they may need to include a clause about access to the NHS Spine and national applications if that has been agreed.

In addition, you should make sure the employee is clear about any conditions or limitations in place regarding their access to health and care systems from abroad, for example, only using secure Wi-Fi connections or encrypted mobile devices.


More information

NHS Employers has commissioned legal firm Capsticks LLP (and partners) to produce a guidance document on overseas working arrangements, which covers contractual terms, data protection and data transfer and other topics in more detail.

These IG pages provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals. NHS England convenes a working group to check and challenge the guidance.

Last edited: 7 May 2026 4:30 pm