Skip to main content Skip to footer

Overseas Healthcare Services privacy notice

The NHS Business Services Authority (NHSBSA) and the Department of Health and Social Care (DHSC) are jointly responsible for this service under a Joint Controller Arrangement.

These responsibilities have continued following European Union (EU) exit. The information in this privacy notice shows why and how both organisations handle your data following the UK’s exit from the EU.

Why we process your information

We’ll use the information you have given us to:

  • process and verify your application
  • provide appropriate healthcare related support and advice related to your enquiry
  • make payments to countries within the European Economic Area (EEA) and Switzerland
  • claim the cost of treatment provided by the UK from countries within the EEA and Switzerland
  • analyse with other patients' information to understand patterns and trends that will be used to plan and make improvements to NHS services, and/or direct patient care

If you have an NHS pension and we do not have up-to-date details for you, we may use your information to update our records. This is so we can meet our legal obligation to send you information about your NHS pension benefits.

By law, we must process this information to be able to provide this service.

We will ask you for:

  • your address so we can confirm your residency and eligibility
  • information to identify you

If appropriate, we will ask you for:

  • information to identify your dependant(s)
  • details of the international healthcare provider you are treated by
  • information about your State Pension
  • information about your medical condition or planned treatment
  • information to confirm your EU Settlement Scheme (EUSS) Status
  • information about your course of study
  • information relating to your work abroad
  • your gender as recorded against your NHS record to enable us to match and verify European Union Settlement Scheme (EUSS) status

Your information will not be transferred outside the UK, EEA and Switzerland.

Sharing your personal information

To verify and authorise applications you make, where applicable, we may share your information with:

  • Indesser and Lexis Nexis, third party data providers acting on our behalf, who will make a UK residency check or perform a trace to establish your UK residential address when this is unknown and a treatment claim has been made for you
  • the Department for Work and Pensions (DWP) to validate your pension information, and any third parties acting on their behalf to make payments against your entitlements
  • HM Revenue and Customs (HMRC) to validate your S1 entitlement information
  • NHS Digital to validate EUSS Status
  • countries within the EEA and Switzerland, to validate your pension information and if appropriate, make and receive payments
  • NHS England, Scotland, Wales, Northern Ireland and Gibraltar who will authorise your application for planned treatment
  • international healthcare providers and administrators who provided your treatment to validate the information you provide
  • DHSC to make payment to you
  • your family and representatives (for example, if you are unable to submit your own application)
  • Government Legal Department to provide legal advice
  • The Gibraltar Health Authority if you live or have treatment in Gibraltar
  • The Foreign, Commonwealth and Development Office (FCDO) if they are assisting you with an application

We will share your personal information with the international healthcare provider caring for you, the country you choose to live in and DWP. This is to allow them to process and reclaim the cost of treating you from the UK.

We may also share your information with the following to validate any other information you have provided:

  • DWP
  • HMRC
  • DHSC
  • NHS England, Scotland, Wales and Northern Ireland

To prevent, detect and investigate fraud and errors, we may share your information with:

  • International healthcare providers and administrators you are treated by
  • Local Authorities
  • Credit reference agencies
  • Bodies performing functions on behalf of the above organisations
  • NHS Counter Fraud Authority
  • DHSC – International Division and Anti-Fraud Unit
  • Law enforcement organisations, as required by law

To support more effective planning and improvements to NHS services and patient care, we may share our understanding of patterns and trends gained from patient information with:

  • NHS Commissioners and service providers
  • NHS England, Scotland, Wales and Northern Ireland
  • DHSC
  • NHS Counter Fraud Authority

Keeping your personal information

To allow for treatment cost claims made near the end of your card expiry to be processed, we will delete your personal data from our systems and files no later than:

  • 48 months after the expiry of your EHIC if you do not have EUSS status
  • 30 June 2171 if you apply for a European Health Insurance Card (EHIC) and have EUSS status. This is to allow for validation of applications from people whose entitlement is derived from yours. You can find more information in the 'People whose entitlement is derived from yours' section.

We will also delete your personal data from our systems and files no later than:

  • 7 years from when your Provisional Replacement Certificate (PRC) or S2 was processed - to allow for treatment cost claims made to be processed
  • 7 years from the date the NHSBSA are notified that you are no longer entitled to your S1.
  • 7 years from the date payment is made or a claim for payment of treatment costs is closed
  • 24 months from the date of a decision for any rejected applications for PRC, S1 and S2

People whose entitlement is derived from yours

Under Article 10(1)(e)(iii) of the Withdrawal Agreement, any person born to or adopted by the right holder after 31 December 2020 (future children) will be within full scope of the Agreement.

By extension, under Article 30 of the Withdrawal Agreement, the family members and survivors of future children are covered by the EU regulations on social security coordination, to the extent that they derive rights or obligations as a family member.

Your rights

The information you provided will be managed as required by Data Protection law.

You have the right to:

  • receive a copy of the information the NHSBSA hold about you
  • request your information be changed if you believe it was not correct at the time you provided it
  • request that your information be deleted if you believe the NHSBSA are keeping it for longer than necessary

Find out more about your rights and how we process information.