Data Sharing EHIC Application Form

The request was partially successful.

Dear NHS Business Services Authority,

When applying for a EHIC online the applicant is required to agree to the EHIC Declaration included on the form. If they do not agree to the terms they cannot apply for a EHIC.

The Data Protection Act 1998 requires consent for any data processing to be freely given (i.e. no coercion) unless the organisation can rely on statutory powers for said processing. Given that the applicant cannot amend the declaration I assume that this must be the case for the processing of the information on the EHIC application form.

One part of the EHIC Declaration has been reproduced below:

“I agree to the disclosure of information on this form for the purposes of verification and, in compliance with the Data Protection Act, to and from other organisations including
- Local Authorities to which Council Tax is paid in respect of my dwelling throughout the United Kingdom
- Organisations from which I am receiving benefits and/or support
- The Department for Work and Pensions
- HM Revenue and Customs
- Credit reference agencies”

RFI1: Please disclose what information from the EHIC application form is shared with these organisations.

RFI2: Please direct me to the relevant primary and/or secondary legislation (including the relevant sections or regulations) that allows the NHS to disclose information on the EHIC application from with the organisations listed.

Yours faithfully,

John Slater

FOIREQUESTS, Nhsbsa (NHS BUSINESS SERVICES AUTHORITY),

1 Attachment

Dear John Slater,

 

Thank you for your request for information as outlined below:

 

‘Dear NHS Business Services Authority, When applying for a EHIC online the
applicant is required to agree to the EHIC Declaration included on the
form. If they do not agree to the terms they cannot apply for a EHIC. The
Data Protection Act 1998 requires consent for any data processing to be
freely given (i.e. no coercion) unless the organisation can rely on
statutory powers for said processing. Given that the applicant cannot
amend the declaration I assume that this must be the case for the
processing of the information on the EHIC application form. One part of
the EHIC Declaration has been reproduced below: “I agree to the disclosure
of information on this form for the purposes of verification and, in
compliance with the Data Protection Act, to and from other organisations
including - Local Authorities to which Council Tax is paid in respect of
my dwelling throughout the United Kingdom - Organisations from which I am
receiving benefits and/or support - The Department for Work and Pensions -
HM Revenue and Customs - Credit reference agencies” RFI1: Please disclose
what information from the EHIC application form is shared with these
organisations. RFI2: Please direct me to the relevant primary and/or
secondary legislation (including the relevant sections or regulations)
that allows the NHS to disclose information on the EHIC application from
with the organisations listed. Yours faithfully’

 

Your request was received on 2 February 2017 and I am dealing with it
under the terms of the Freedom of Information Act 2000.

 

I will process your request as soon as possible, and certainly within 20
working days of the day I received the request. You will hear back from me
by 2 March 2017 at the latest.

 

Details of how we will process your request are available on our website
at:

 

[1]http://www.nhsbsa.nhs.uk/Documents/NHSBS...

 

If you have any queries about this email, please contact me on the number
below.

 

Please quote the reference number above in any future communications to
make it easier for me to deal with your correspondence.

 

Regards

 

Chris Dunn

Information Governance Assistant

Corporate Governance
 

Tel: 0191 203 5352

Internal tel: 500 5352

Fax: 0191 264 5281

[2]www.nhsbsa.nhs.uk
 
[3]Description: Description: Description: NHSBSA Header 2
Stella House, Goldcrest Way, Newburn Riverside Business Park, Newcastle
upon Tyne NE15 8NY
Please read our email disclaimer online at:
[4]http://www.nhsbsa.nhs.uk/email.

To reduce our environmental footprint, please only print when necessary.

 

 

show quoted sections

References

Visible links
1. http://www.nhsbsa.nhs.uk/Documents/NHSBS...
2. http://www.nhsbsa.nhs.uk/
4. http://www.nhsbsa.nhs.uk/email

FOIREQUESTS, Nhsbsa (NHS BUSINESS SERVICES AUTHORITY),

1 Attachment

Dear Mr Slater

 

Thank you for your request for information about the following:

 

‘Dear NHS Business Services Authority,

When applying for a EHIC online the applicant is required to agree to the
EHIC Declaration included on the form. If they do not agree to the terms
they cannot apply for a EHIC. The Data Protection Act 1998 requires
consent for any data processing to be freely given (i.e. no coercion)
unless the organisation can rely on statutory powers for said processing.
Given that the applicant cannot amend the declaration I assume that this
must be the case for the processing of the information on the EHIC
application form. One part of the EHIC Declaration has been reproduced
below: “I agree to the disclosure of information on this form for the
purposes of verification and, in compliance with the Data Protection Act,
to and from other organisations including - Local Authorities to which
Council Tax is paid in respect of my dwelling throughout the United
Kingdom - Organisations from which I am receiving benefits and/or support
- The Department for Work and Pensions - HM Revenue and Customs - Credit
reference agencies”

RFI1: Please disclose what information from the EHIC application form is
shared with these organisations.

Answer (taken from data sharing/service level agreement)

Personal information provided by the applicant to NHSBSA when applying
for/requesting an EHIC card.

RFI2: Please direct me to the relevant primary and/or secondary
legislation (including the relevant sections or regulations) that allows
the NHS to disclose information on the EHIC application from with the
organisations listed. Yours faithfully,’

 

Your request was received on 2 February 2017 and I am dealing with it
under the terms of the Freedom of Information Act 2000.

 

Summary of Response

 

Question 1

 

Any personal information provided by the applicant to NHSBSA when applying
for/requesting an EHIC card may be shared as outlined in the fair
processing notice.

 

Question 2

 

As you point out in your request, the disclosure is made in accordance
with the Data Protection Act. Applicant information is shared only with
the Department for Work and Pensions and HM Revenue and Customs for the
purpose of validating EHIC

applications and claims, and NHS Protect and the Department of Health –
International Division and local authorities in order to prevent and
detect fraud and errors. When applying for an EHIC the customer agrees to
these terms which are necessary to administer the processing of EHIC
applications and claims. Without this sharing the processing of EHIC
applications and claims would not be possible. Members of the public are
not obliged to hold an EHIC and therefore the consent is freely given,
i.e. they can opt to not apply if they are not happy with the sharing of
their personal data.

 

A link the relevant section of the Data Protection Act can be found at the
following web link:

 

[1]http://www.legislation.gov.uk/ukpga/1998...

 

Please note that this response will be published on our Freedom of
Information disclosure log at:

 

[2]https://apps.nhsbsa.nhs.uk/FOI/foiReques...

 

Your personal details will be removed from the published response.

 

The information supplied to you continues to be protected by the
Copyright, Designs and Patents Act 1988 and is subject to NHSBSA
copyright. This information is licenced under the terms of the Open
Government Licence detailed at:

[3]http://www.nationalarchives.gov.uk/doc/o...

 

Should you wish to re-use the information you must include the following
statement:

“EHIC, NHSBSA Copyright 2017” This information is licenced under the terms
of the Open Government Licence:

 

[4]http://www.nationalarchives.gov.uk/doc/o...

 

Failure to do so is a breach of the terms of the licence.

 

Information you receive which is not subject to NHSBSA Copyright continues
to be protected by the copyright of the person, or organisation, from
which the information originated.  Please obtain their permission before
reproducing any third party (non NHSBSA Copyright) information.

 

If you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request a review of my decision,
please write within 6 months of the date of this response to:

 

Chris Gooday

Information Governance Manager

NHS Business Services Authority

Stella House

Goldcrest Way

Newburn Riverside Business Park

Newcastle upon Tyne

NE15 8NY

 

Details of how we will handle your review request are available on our
website at:

 

[5]http://www.nhsbsa.nhs.uk/Documents/NHSBS...

 

If you are not content with the outcome of your complaint, you may apply
directly to the Information Commissioner’s Office (ICO) for a decision.
Please note that generally, the ICO cannot make a decision unless you have
exhausted the NHS Business Services Authority’s complaints procedure.

 

The Information Commissioner can be contacted at:

 

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel:  01625 545 745

Fax: 01625 524 510

Email: [6][email address]

 

We would also value your feedback regarding the way in which your request
was handled. You can provide us with direct feedback on our website at the
following address:

 

[7]https://www.ppa.org.uk/FOI_survey_form/d...

 

Any feedback you provide will be strictly anonymous and much appreciated.

 

 

Regards

 

Chris Dunn

Information Governance Assistant

Corporate Governance
 

Tel: 0191 203 5352

Internal tel: 500 5352

Fax: 0191 264 5281

[8]www.nhsbsa.nhs.uk
 
[9]Description: Description: NHSBSA Header 2
Stella House, Goldcrest Way, Newburn Riverside Business Park, Newcastle
upon Tyne NE15 8NY
Please read our email disclaimer online at:
[10]http://www.nhsbsa.nhs.uk/email.

To reduce our environmental footprint, please only print when necessary.

 

 

show quoted sections

References

Visible links
1. http://www.legislation.gov.uk/ukpga/1998...
2. https://apps.nhsbsa.nhs.uk/FOI/foiReques...
3. http://www.nationalarchives.gov.uk/doc/o...
4. http://www.nationalarchives.gov.uk/doc/o...
5. http://www.nhsbsa.nhs.uk/Documents/NHSBS...
6. mailto:[email address]
7. https://www.ppa.org.uk/FOI_survey_form/d...
8. http://www.nhsbsa.nhs.uk/
10. http://www.nhsbsa.nhs.uk/email

Dear NHS Business Services Authority,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of NHS Business Services Authority's handling of my FOI request 'Data Sharing EHIC Application Form'.

Thank you for your response. The NHBSA is clear on its own website that the only requirement to receive an EHIC card is that the requester is resident in the UK:
“The UK operates a residency-based healthcare system which means that insurability in the UK is generally determined by residency and not by past or present payments of National Insurance contributions or UK taxes.”

The link provided by the NHBSA for residency takes the user to the HMRC where the following definition is provided:
“The term “ordinarily resident” is not defined, but its established meaning is that a person is ordinarily resident if they are normally residing in the United Kingdom (apart from temporary or occasional absences), and their residence here has been adopted voluntarily and for settled purposes as part of the regular order of their life for the time being.”

Therefore the sole purpose of the declaration on the EHIC application webpage “I agree to the disclosure of information on this form for the purposes of verification ..” can only be taken to mean for the purposes of verifying if the applicant is resident in the UK. Given that the NHBSA own website is clear that the payment of National Insurance or UK taxes is irrelevant it is difficult to see what the NHBSA would need to check with the following organisations:

- Local Authorities to which Council Tax is paid in respect of my dwelling throughout the United Kingdom
- Organisations from which I am receiving benefits and/or support
- The Department for Work and Pensions
- HM Revenue and Customs
- Credit reference agencies”

The Data Protection Act 1998 (“DPA”) requires data controllers to be clear about why it is collecting personal data, what it intends to do with it and how long it intends to retain it for. The declaration on the EHIC application form clearly fails to comply. For example the declaration makes no mention of the data being used to prevent and detect fraud and errors. On this basis alone the NHBSA claim that consent is freely given is incorrect as consent under the DPA needs to informed. I also note that the NHBSA response omitted to explain why an applicant’s personal data would be shared with credit reference agencies.

The answer provided by the NHBSA does not satisfy part 2 of my request for information. Therefore:

“Please direct me to the relevant primary and/or secondary legislation (including the relevant sections or regulations) that allows the NHS to disclose information on the EHIC application from with the organisations listed.”

Based on the current declaration on the EHIC application form the NHBSA needs to direct me to legislation that allows it to gather the personal information of the applicant and share it for the purposes of entitlement of an EHIC (i.e. residency). Given that the current declaration makes no reference to other uses being made of the personal data I fail to see how the NHBSA can lawfully use it for anything else.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...

Yours faithfully,

John Slater

GOODAY, Chris (NHS BUSINESS SERVICES AUTHORITY),

2 Attachments

Dear Mr Salter,

 

Please find attached an acknowledgement of your request.

 

Regards

 

Chris Gooday LLM

Information Governance Manager

Corporate Governance

Tel: 0191 2035351

Internal tel: 500 5351

Fax: 0191 264 5281

[1]www.nhsbsa.nhs.uk

[2]Description: NHSBSA Header 2

Stella House, Goldcrest Way, Newburn Riverside, Newcastle upon Tyne
NE15 8NY

 

Please read our email disclaimer online at:
[3]http://www.nhsbsa.nhs.uk/email.

To reduce our environmental footprint, please only print when necessary.

 

show quoted sections

References

Visible links
1. http://www.nhsbsa.nhs.uk/
3. http://www.nhsbsa.nhs.uk/email

GOODAY, Chris (NHS BUSINESS SERVICES AUTHORITY),

2 Attachments

Dear Mr Slater

 

Please find attached my response to your request for an internal review,
regarding your FOI request.

 

Regards

 

Chris Gooday

Information Governance Manager

Corporate Governance

Tel 0191 2035351

Internal tel: 500 5351

Fax 0191 264 5281

[1]www.nhsbsa.nhs.uk

[2]Description: Description: NHSBSA Header (356K)

Stella House, Goldcrest Way, Newburn Riverside Business Park, Newcastle
upon Tyne NE15 8NY

 

Please read our email disclaimer online at:
[3]http://www.nhsbsa.nhs.uk/email.

To reduce our environmental footprint, please only print when necessary.

 

show quoted sections

References

Visible links
1. http://www.nhsbsa.nhs.uk/
3. http://www.nhsbsa.nhs.uk/email