§ Mr. Randall To ask the Secretary of State for Health what data protection rules apply to the transmission of UK health records to health authorities abroad. [184342]
§ Mr. Hutton The Data Protection Act 1998 regulates disclosures, including transfers abroad, of health information about identifiable living individuals. Subject to specified exemptions the Act requires data controllers, including national health service organisations, to comply with the eight 'data protection principles' set out in schedule 1, part 1 to the Act. The first and eighth principles are particularly relevant to transfers abroad. Where the foreign transfer is to a 'data processor', for example, any person or organisation processing data on behalf of the United Kingdom data controller, the seventh principle will also be important.
Among other provisions, these three principles respectively provide that such transfers must be fair and lawful; ensure "an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data" and include "appropriate technical and organisational measures" to protect the information.