
Even a superficial glance at the processing document suggests some alarming assumptions.

For example: that only clinical data is sensitive PD.

"NHS SBS does not process medical / clinical information off shore. All medical / clinical information processed by NHS SBS is done within the UK only." However it is suggested elsewhere that e.g. appointment letters may be produced abroad. This IS processing sensitive personal data even for something innocuous like a fracture clinic. You do not have to have my X-rays and diagnosis to make this so. It contains information about my "physical or mental health or condition" i.e. that I need orthopaedic medical services of some sort. Sensitive personal data.

For example: that as long as the data is only accessed in India that is outside the scope. 

"Data does not leave the UK. It resides on servers hosted in the UK and is accessed from India." However even if the information to produce the letter resides on UK servers, and after the letter is generated it is printed in and mailed within the UK, that access in India is still processing subject to the DPA as processing includes "consultation or use of the information or data" - and that is without digging into technical issues about local caches, possibility of screen capture etc. In the health area it may be simply an emotive issue, but imagine if the same scenario applied to a credit card company. Worker in India copies all the data manually from the screen as he processes it remotely in order to create cloned cards. Company says no DP issue as no processing in India. I think not. 

So the FAQ is at best disingenuous, at worst a misunderstanding of the legal requirements.


 

----- Original Message -----

From: Baines, Jonathan

Sent: 09/12/12 12:35 PM

To: [log in to unmask]

Subject: Re: [data-protection] Hospitals


This has come up before
 
http://www.publictechnology.net/sector/nhs-health/nhs-offshoring-data-india-prompts-security-fears
 
and in 2004
 
http://www.guardian.co.uk/society/2004/aug/18/medicineandhealth.lifeandhealth
 
I've been trying to find out more, but not getting very far. If this relates to commissioning by NHS Shared Business Services they say this about their procedures as a processor
 
http://www.sbs.nhs.uk/sbs/assets/FOI%20FAQ%20NHS%20Shared%20Business%20Services%2012%2011%202010%20FINAL.doc
 

Jonathan Baines
Legal and Democratic Services
Buckinghamshire County Council
01296 383681
