Skip to main content Skip to footer

Overseas Healthcare Services privacy notice

The NHS Business Services Authority (NHSBSA) and the Department of Health and Social Care are jointly responsible for this service.

These responsibilities have continued following European Union (EU) exit. The information in this privacy notice shows why and how both organisations handle your data following the UK’s exit from the EU.

This privacy notice is also available in Welsh (Cymraeg).

Why we process your information

We’ll use the information you have given us to:

  • process and verify your application
  • provide appropriate healthcare related support and advice related to your enquiry
  • make payments to countries within the European Economic Area (EEA) and Switzerland
  • claim the cost of treatment provided by the UK from countries within the EEA and Switzerland
  • analyse with other patients' information to understand patterns and trends that will be used to plan and make improvements to NHS services, and/or direct patient care

If you have an NHS pension and we do not have up-to-date details for you, we may use your information to update our records. This is so we can meet our legal obligation to send you information about your NHS pension benefits.

By law, we must process this information to be able to provide this service.

We will ask you for:

  • your address, so we can confirm your residency and eligibility
  • information to identify you

If appropriate, we will ask you for:

  • information to identify your dependant(s)
  • details of the international healthcare provider you are treated by
  • information about your UK benefit(s) that you can claim abroad, including State Pension
  • information about your medical condition or planned treatment

Your information will not be transferred outside the UK, or the EEA and Switzerland.

Sharing your personal information

To verify and authorise applications you make, where applicable, we may share your information with:

  • third party data providers acting on our behalf, who will make a UK residency check
  • the Department for Work and Pension to validate your pension information and make claims, and any third parties acting on their behalf to make payments against your entitlements
  • HM Revenue and Customs (HMRC) to validate your S1 entitlement information
  • countries within the EEA and Switzerland, to validate your pension information and if appropriate, make and receive payments
  • NHS England, Scotland, Wales, Northern Ireland and Gibraltar who will authorise your application for planned treatment
  • international healthcare providers and administrators who provided your treatment to validate the information you provide
  • the Department of Health and Social Care to make payment to you
  • your family and representatives (for example, if you are unable to submit your own application)
  • Government Legal Department, to provide legal advice
  • The Gibraltar Health Authority, if you live or have treatment in Gibraltar

We will share your personal information with the international healthcare provider caring for you, country you choose to live in and the Department for Works and Pensions. This is to allow them to process and reclaim the cost of treating you from the UK.

We may also share your information with the following to validate any other information you have provided:

  • Department for Work and Pensions
  • HMRC
  • Department of Health and Social Care
  • NHS England, Scotland, Wales and Northern Ireland

To prevent, detect and investigate fraud and errors, we may share your information with:

  • International healthcare providers and administrators you are treated by, and any bodies acting on their behalf
  • Local Authorities, and any bodies acting on their behalf
  • Credit reference agencies, and any bodies acting on their behalf
  • NHS Counter Fraud Authority
  • Department of Health and Social Care – International Division and Anti-Fraud Unit
  • Law enforcement organisations, as required by law

To support more effective planning and improvements to NHS services and patient care, we may share our understanding of patterns and trends gained from patient information with:

  • NHS Commissioners and service providers
  • NHS England, Scotland, Wales and Northern Ireland
  • Department of Health and Social Care
  • NHS Counter Fraud Authority

Keeping your personal information

We will delete your personal data from our systems and files no later than:

  • 48 months after the expiry of your European Health Insurance Card (EHIC) - to allow for treatment cost claims made near the end of your card expiry to be processed
  • 7 years from when your Provisional Replacement Certificate (PRC) or S2 was processed – to allow for treatment cost claims made to be processed
  • 7 years from the date the NHSBSA are notified that you are no longer entitled to your S1
  • 7 years from the date payment is made or a claim for payment of treatment costs is closed
  • 24 months from the date of a decision for any rejected applications for PRC, S1 and S2

Your rights

The information you provided will be managed as required by Data Protection law.

You have the right to:

  • receive a copy of the information the NHSBSA hold about you
  • request your information be changed if you believe it was not correct at the time you provided it
  • request that your information be deleted if you believe the NHSBSA are keeping it for longer than necessary

Find out more about your rights and how we process information.