ÒÁÈËÖ±²¥

Introduction

The Department of Health and Social Care (DHSC) processes your data to meet the UK’s obligations under the reciprocal health agreements with partner countries listed in the .

This privacy notice describes how DHSC (we) processes personal information about you in accordance with data protection law, including the (UK GDPR) and the .

Joint data controller

DHSC and the NHS Business Services Authority (NHSBSA) are joint controllers of personal data under the reciprocal healthcare arrangements with the European Economic Area (EEA), Switzerland and Gibraltar, which is processed to:

• assess eligibility to reciprocal healthcare entitlements
• process claims and payments for reciprocal healthcare treatment
• meet the UK’s other obligations under the reciprocal healthcare arrangements

This means that DHSC and NHSBSA are each responsible under the UK GDPR and the DPA 2018 for any personal data processed for these purposes. The accompanying guidance on this publication, Reciprocal healthcare joint data controller agreement: schedule 1, provides a summary of the joint controller agreement.

See also the , as well as setting out how it deals with more sensitive data.

Data controller

We also process data as sole data controller for reciprocal healthcare entitlements relating to other countries or territories listed in the Schedule to the Healthcare (International Arrangements) (EU Exit) Regulations 2023. We do this to:

• assess eligibility to and arrange referrals for healthcare
• meet the UK’s other obligations under these agreements

What personal data we process

Personal data, or personal information, means any information about a living individual from which that person can be identified directly or indirectly.

We process certain categories of personal information about you, such as:

• personal contact details, such as name, title, addresses, telephone numbers and email addresses
• nationality or status as a refugee or stateless person or your dependent status
• date of birth
• marital status and dependants
• National Insurance number
• bank account details
• information about your employment, income, tax, UK State Pension and/or any exportable benefits
• your GP details

We may also process data relating to deceased individuals (which is not in scope of UK GDPR and DPA 2018) as this may affect eligibility and entitlements to reciprocal healthcare.

There are special categories of more sensitive personal data which require a higher level of protection. We will, if necessary, also process the following special categories of more sensitive personal information where it is relevant to assess any entitlement to and/or process claims for financial reimbursement for reciprocal healthcare treatment or to meet our other reciprocal healthcare responsibilities. These are:

• information about criminal convictions and offences
• health data
• nationality which may reveal racial or ethnic origin

Purposes for which we process your data

We process personal information to carry out our reciprocal healthcare responsibilities and associated public functions. These include (but are not limited to):

• determining eligibility for reciprocal healthcare and/or financial reimbursement of healthcare costs where a matter is escalated to DHSC for consideration
• making payments to competent authorities, institutions and/or healthcare providers within partner countries, or to you for healthcare treatment received in scope of the reciprocal healthcare agreements
• claiming the cost of treatment provided by the UK
• arranging healthcare referrals under quota places within the applicable healthcare agreements
• providing appropriate healthcare related support and advice

We receive your personal information when we are asked for advice, when matters are escalated to us or when we are sent or need to request information to carry out our reciprocal healthcare responsibilities. The personal information comes from third parties including (but not limited to):

• family, associates and representatives of the person whose personal data we hold
• NHSBSA
• other government departments and agencies – these may include:
  • HM Revenue and Customs (HMRC)
  • Department for Work and Pensions (DWP)
  • Ministry of Defence (MOD)
  • Home Office (HO)
  • Foreign, Commonwealth and Development Office (FCDO)
• NHS England, NHS Scotland, NHS Wales, Health and Social Care (HSC) in Northern Ireland
• competent authorities and institutions within partner countries
• healthcare providers

Lawful basis for processing personal data

Our processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to article 6(1)(e) of the UK GDPR, namely, to meet the UK’s obligations under the reciprocal healthcare arrangements and other related activities. Our legal power for data processing is section 4 of the .

We process health and/or racial or ethnic origin data under:

• article 9(2)(b) of the UK GDPR: processing is necessary for the purposes of employment and social security and social protection law
• article 9(2)(g) of the UK GDPR: processing is necessary for reasons of substantial public interest

We process criminal conviction and offence data under:

• article 10 of the UK GDPR

We also process health, racial or ethnic origin and/or criminal conviction and offence data under:

• paragraph 1 of part 1 schedule 1 of the DPA 2018: processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection
• paragraph 6 of part 2 schedule 1 of the DPA 2018: processing is necessary for reasons of substantial public interest and for the exercise of a function conferred on a person by an enactment or rule of law or exercise of a function of the Crown, a minister of the Crown, or a government department

DHSC’s reciprocal healthcare appropriate policy document sets out how we process health, racial or ethnic origin and criminal conviction and offence data.

Purposes for which we share your data

We may share information with other organisations so that we can carry out our functions, or to enable others to perform theirs, including but not limited to:

• NHSBSA, to validate information such as personal details and circumstances, and to resolve queries
• third party data providers acting on our behalf, who will complete a UK residency check
• other government departments and agencies, including HMRC, DWP, MOD, HO, FCDO and the Government Legal Department (GLD), to help us determine your eligibility for reciprocal healthcare and to provide healthcare related support and advice
• NHS England, NHS Scotland, NHS Wales, HSC in Northern Ireland in relation to applications for planned treatment and/or allocating quota places within the applicable healthcare agreements
• competent authorities and institutions with partner countries we have a healthcare agreement with to help us:
  • assess your eligibility for reciprocal healthcare
  • to provide healthcare related support and advice
  • to make and receive payments
  • and/or to arrange healthcare referrals under quota places within the applicable healthcare agreements
• healthcare providers to help us assess your eligibility for reciprocal healthcare and to provide healthcare related support and advice, and, if appropriate, make and receive payments
• family and representatives if applicable

To prevent, detect and investigate fraud and errors, we may share your information with organisations such as:

• NHSBSA Loss and Fraud Prevention Team
• healthcare providers and administrators you are treated by
• local authorities
• NHS Counter Fraud Authority
• DHSC International Division and Anti-Fraud Unit
• law enforcement organisations, as required by law

To support more effective planning and improvements to reciprocal healthcare processes, NHS services and patient care, we may share our understanding of patterns and trends gained from patient information (in an anonymised format) with:

• NHS commissioners and service providers
• NHS England, NHS Scotland, NHS Wales, HSC in Northern Ireland and the Gibraltar Health Authority
• NHS Counter Fraud Authority

International data transfers and storage locations

Personal data will be stored in a number of repositories in the UK.

When relevant and necessary, we may need to transfer the personal information we process about you outside the UK for the purposes of meeting our obligations under international healthcare agreements and arrangements to another country that is deemed adequate for data protection purposes. In the event we need to transfer your personal data to authorities or organisations in other countries or territories, we will, where necessary, take appropriate steps to safeguard your information in accordance with UK GDPR and we will inform you of the appropriate safeguards that are in place.

Retention and disposal policy

Your personal data will only be retained for as long as necessary to fulfil our responsibilities under the reciprocal healthcare agreements and for the purposes it was processed, including for the purposes of satisfying any legal, accounting or reporting requirements. DHSC retains and destroys personal data securely in line with our retention and disposal policy.

How we keep your data secure

We have put in place appropriate security measures to protect your personal data from unauthorised or unlawful processing and against accidental loss, destruction or damage. We have also introduced procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your rights as a data subject

Under certain circumstances, under the UK GDPR and the DPA 2018 you have the right to:

• be provided information about the processing and use of your personal data
• request access to your personal information
• request correction of the personal information that we hold about you
• request erasure of your personal information - this is not an absolute right and continued use of the information may be necessary
• object to processing of your personal information - this is not an absolute right and continued use of the information may be necessary
• request the restriction of processing of your personal information - this is not an absolute right and only applies in certain circumstances

Automated decision-making or profiling

No decision will be made solely based on automated processing (where a decision is taken using an electronic system without human involvement) which has a legal or significant impact on you.

Comments or complaints

If you wish to contact us about how your personal data has been used, you should contact DHSC and/or NHSBSA in the first instance by email or by writing to:

DHSC

·¡³¾²¹¾±±ô:Ìýdata_protection@dhsc.gov.uk

NHSBSA

Email: dataprotection@nhsbsa.nhs.uk

Anyone who is still not satisfied can complain to the :

Changes to this policy

This privacy notice is kept under regular review. It was last updated on 13 June 2025.