The NHS Business Services Authority (NHSBSA) and the Department of Health and Social Care (DHSC) are jointly responsible for this service under a Joint Controller Arrangement.
These responsibilities have continued following European Union (EU) exit. The information in this privacy notice shows why and how both organisations handle your data following the UK’s exit from the EU and its agreement with Switzerland. You can find out more in the ‘UK-Switzerland Agreement’ section.
Applying for Immigration Health Surcharge (IHS) reimbursement
Overseas Healthcare Services (OHS) are authorised to make IHS reimbursement payments if you are eligible. If you have applied for a refund of your IHS, you may want to read the IHS privacy notice as we may ask for and treat your data differently.
Why we process your information
We’ll use the information you have given us to:
- process and verify your application
- provide appropriate healthcare related support and advice related to your enquiry
- make payments to countries within the European Economic Area (EEA), Switzerland and Gibraltar
- claim the cost of treatment provided by the UK from countries within the EEA, Switzerland and Gibraltar
- analyse with other patients' information to understand patterns and trends that will be used to plan and make improvements to NHS services, and/or direct patient care
If you have an NHS pension and we do not have up-to-date details for you, we may use your information to update our records. This is so we can meet our legal obligation to send you information about your NHS pension benefits.
By law, we must process this information to be able to provide this service.
We will ask you for:
- your address so we can confirm your residency and eligibility
- your email address to keep you updated on your entitlement
- information to identify you
- your National Insurance number
If appropriate, we will ask you for:
- information to identify your dependant(s) and verify their entitlement
- details of the international healthcare provider you are treated by
- information about your UK State Pension or any other pensions you receive from the EU, EEA and Switzerland
- information about any benefits you receive from the Department for Work and Pensions (DWP) while you are living in the EU, EEA, Switzerland and Gibraltar
- information about the medical condition(s) you have been or will be treated for
- information to confirm your EU Settlement Scheme (EUSS) status or right to reside in the UK
- information about your course of study
- information relating to your work abroad
- your bank details to make reimbursement payments to you
- your gender as recorded against your NHS record, or NHS number, to enable us to match and verify EUSS status
- information about your family members if we think their eligibility could give you cover
Your information will not be transferred outside the UK, EEA, Switzerland or Gibraltar.
Sharing your personal information
To verify and authorise applications you make, where applicable, we may share your information with:
- Indesser, Equifax and Lexis Nexis, who are third party data providers acting on our behalf, who will make a UK residency check or perform a trace to establish your UK residential address when this is unknown and a claim has been made for you
- the DWP to validate your pension information and any benefit you receive from DWP while you are living in the EU, EEA, Switzerland and Gibraltar, and any third parties acting on their behalf to make payments against your entitlements
- HM Revenue and Customs (HMRC) to validate your S1 entitlement information
- NHS Digital to validate EUSS Status
- countries within the EEA and Switzerland, to validate your pension information and if appropriate, make and receive payments
- NHS England, Scotland, Wales, Northern Ireland and Gibraltar who will authorise your application for planned treatment or help validate any invoices or claims made for you
- international healthcare providers and administrators who provided your treatment to validate the information you provide
- DHSC or the Danish Authorities in order to make payment to you
- your family and representatives (for example, if you are unable to submit your own application)
- treatment facilities within the UK, EEA, Switzerland and Gibraltar to validate claims made for you or to submit a claim to the EEA, Switzerland or Gibraltar for treatment you have received within the UK
- DHSC or the Government Legal Department to provide policy or legal advice
- The Gibraltar Health Authority if you live or have treatment in Gibraltar
- The Foreign, Commonwealth and Development Office (FCDO) if they are assisting you with an application
We will share your personal information with the international healthcare provider caring for you, the country you choose to live in and DWP. This is to allow them to process and reclaim the cost of treating you from the UK.
We may also share your information with the following to validate any other information you have provided:
- NHS England, Scotland, Wales and Northern Ireland
To prevent, detect and investigate fraud and errors, we may share your information with:
- International healthcare providers and administrators you are treated by
- Local councils and NHS Authorities
- Credit reference agencies
- Bodies performing functions on behalf of the above organisations
- NHS Counter Fraud Authority
- DHSC – International Division and Anti-Fraud Unit
- Law enforcement organisations, as required by law
To support more effective planning and improvements to NHS services and patient care, we may share our understanding of patterns and trends gained from patient information with:
- NHS Commissioners and service providers
- NHS England, Scotland, Wales and Northern Ireland
- NHS Counter Fraud Authority
Keeping your personal information
To allow for treatment cost claims made near the end of your card expiry to be processed, we will delete your personal data from our systems and files no later than:
- 30 June 2171 if you apply for a UK European Health Insurance Card (EHIC) and have EUSS status. This is to allow for validation of applications from people whose entitlement is derived from yours. You can find more information in the 'People whose entitlement is derived from yours' section.
- 48 months after the expiry of your UK EHIC if you do not have EUSS status
- 48 months after the expiry of your UK Global Health Insurance Card (GHIC)
We will also delete your personal data from our systems and files no later than:
- 7 years from when your Provisional Replacement Certificate (PRC) or S2 was processed - to allow for treatment cost claims made to be processed
- 7 years from the date the NHSBSA are notified that you are no longer entitled to your S1.
- 7 years from the date payment is made or a claim for payment of treatment costs is closed
- 24 months from the date of a decision for any rejected applications for UK GHIC, UK EHIC, PRC, S1 and S2
The information you provided will be managed as required by Data Protection law.
You have the right to:
- receive a copy of the information the NHSBSA hold about you
- request your information be changed if you believe it was not correct at the time you provided it
- request that your information be deleted if you believe the NHSBSA are keeping it for longer than necessary
Find out more about your rights and how we process information.
The Switzerland-UK Convention on Social Security Coordination (UK CH SCC) describes the healthcare you can receive when travelling in the UK and Switzerland. Reciprocal healthcare provisions in the agreement apply to UK and Swiss residents and cover:
- people with UK, EU or Swiss nationality
- stateless persons and refugees
Those not covered by the agreement will not be able to get reciprocal healthcare cover under this agreement, unless they are a family member of someone in scope.
People whose entitlement is derived from yours
Under Article 10(1)(e)(iii) of the Withdrawal Agreement, any person born to or adopted by the right holder after 31 December 2020 (future children) will be within full scope of the Agreement.
By extension, under Article 30 of the Withdrawal Agreement, the family members and survivors of future children are covered by the EU regulations on social security coordination, to the extent that they derive rights or obligations as a family member.