Thank you for your request for information about the following:

Request

This is a FOI request concerning rules around eligibility to GHIC card and the apparent requirement to provide details of dual nationality. Please note that when I refer below to ‘3rd countries’ I am referring to countries that are not the UK (1st country) or EU/EEA/Switzerland countries (2nd countries). These are countries that appear to play no part in the eligibility to GHIC/EHIC cards.

Q1/ Please could you state whether each of the following four statements are true. If not please provide clarification.

a/ entitlement to either card (GHIC/EHIC) requires (at least) UK residence, a NI number and no healthcare entitlement funded by another country. (these are questions in the online dialogue)

b/ In addition, the EHIC has some conditions regarding nationals of EU/EEA/Switzerland

c/GHIC does not have the restrictions in (1.2) and the requirements are (this taken from NHS web)

• you're ordinarily and legally resident in the UK. • you do not have healthcare cover provided by an EEA country or Switzerland.

d/ There is no dependency on eligibility by virtue of holding a nationality other than UK, EU, EEA or Swiss (and by UK I include variants of a UK passport) – whether this is a dual or single nationality.

Q2/ Please explain why it is deemed necessary to provide details of 3rd country nationalities held (ie other than the UK or EEA/EU/Swiss countries) when there appears to be no such dependency of eligibility on 3rd country nationalities.

Q3/ If there is a clear requirement (as stated in statutory regulations) to know dual nationality details involving 3rd countries to assess eligibility, can you give some examples of where it is relevant and provide a link to those regulations. Example should include a case where applicant would be eligible for GHIC and a case where they would not be eligible.

Q4/ If there is no clear regulatory requirement or the information is additionally being used in other ways, please provide the following information

a) exactly how the information is used

b) whether all 3rd nationality countries are considered equal as far as processing is concerned or whether some generate different checks.

c) the nature of any questions or decision trees used based on this information.

d) by which organisation(s) it is being processed

e) how long it is retained for and the data controller.

f) which other government departments or outside bodies are involved in processing, using, sharing or checking this information?

Based on a question to your Social Media line on X concerning why there is a necessity to provide 3rd country nationality details I was told:

As part of the changes to Overseas Healthcare Services we must ensure that everyone applying for a card is entitled to do so. If we’re not able to automatically confirm this during your application, we’ll ask for more information about your eligibility. I hope this answers your query

This did not answer the question posed but based on this response (where it can be surmised there is an automated check during the online application) :

Q5/ Can you please provide the logic statements in this automated process that utilises the information when ‘third country nationalities’ are indicated in the application. (a further response on X pointed me to a link but this only mentions 1st and 2nd countries – not 3rd.)

Thanks in advance for response on this matter.

The NHS Business Services Authority (NHSBSA) received your request on 4 November 2024.

We have handled your request under the Freedom of Information Act (FOIA) 2000.

Our response

I can confirm that the NHSBSA holds the information you have requested.

Please read the below notes to ensure correct understanding of the data.

Question 1

a) This statement is partially true.

Caveats:

• People that do not permanently live in the UK, but who hold a UK issued S1 entitlement, may also be eligible for UK GHIC/UK EHIC.

• Exceptions for applicants who do not have a NI number may apply. Where an applicant does not have a NI number, they still may be eligible for UK GHIC/ UK EHIC.

Although, if an applicant does not have a NI number, they will not be able to use the online portal and will need to contact OHS directly to apply.

b) This statement is true.

c) This statement is true.

Caveats:

• We have interpreted “the restrictions” in the above statement as eligibility criteria.

• People that do not permanently live in the UK, but who hold a UK issued S1 entitlement, may also be eligible for UK GHIC/UK EHIC.

d) This statement is incorrect.

Caveats:

• Some third country nationals may be entitled to UK GHIC/ UK EHIC, subject to eligibility.

Question 2

The information about applicant’s nationality is required in order to issue the correct entitlement. Some third country nationals may be entitled to UK GHIC/ UK EHIC, subject to eligibility.

Question 3

There are no statutory regulations that the NHSBSA follow for the purpose of third country nationals. The NHSBSA have received their guidance on how to assess third country nationality from the Department of Health and Social Care.

Question 4

a) The information about nationality is used in conjunction with other criteria, i.e. residency check, to determine the eligibility to UK GHIC.

b) All third country nationals are treated equally. When an application for UK GHIC is processed, all third country nationals undergo the same checks.

c) The information about nationality is used in conjunction with other criteria, i.e. residency check, to determine eligibility to UK GHIC.

d) The UK GHIC/ UK EHIC entitlements are processed by NHSBSA.

e) On this occasion, the information is retained by NHSBSA for 7 years.

NHSBSA becomes the Data Controller of an applicant’s personal data once the data have been provided/ submitted as part of an application.

f) For details on how NHSBSA Overseas Healthcare Services uses your personal information, please see Overseas Healthcare Services privacy notice.

Question 5

We have considered this request under the Freedom of Information Act 2000 (FOIA 2000) and are issuing a refusal notice under section 17 of the FOIA.

I can confirm that we do hold the requested information, but this information is exempt under section 31(1)(a) of the FOIA (law enforcement) as disclosure would be likely to prejudice the prevention or detection of crime.

Disclosure of information on the cyber security used by the NHSBSA would be likely to increase the vulnerability of our systems and aid any potential cyber attacker. If a cyber attacker is aware of the vulnerabilities and security strategies, this will provide vital information and knowledge to assist them in future attacks.

Section 31 is a qualified, prejudice-based exemption and is subject to the public interest test. This means that not only does the information have to prejudice one of the purposes listed, but before the information can be withheld, the public interest in preventing that prejudice must outweigh the public interest in disclosure.

Public Interest Test:

Considerations in favour of disclosure:

• Disclosure of the investigation report would demonstrate a commitment to the NHSBSA’s transparency and could provide assurance to the public regarding the NHSBSA’s cyber security.

• Contribute to public understanding of the NHSBSA’s procedures and actions.

• Disclosure would assist in the accountability of public money being spent.

Considerations against disclosure:

• The inherent public interest in maintaining the integrity and security of the NHSBSA’s systems.

• Disclosure would offer cyber criminals’ an insight into the strengths of the NHSBSA’s cyber security and any potential weaknesses that may exist. This could ultimately result in a future cyber-attack. Cyber security measures are in place to protect the integrity of patient, confidential and corporate information and it is in the public interest to ensure those cyber security measures are protected.

• The occurrence of a future cyber-attack would prejudice the NHSBSA’s legal duty to safeguard personal information from loss, theft, inappropriate access, or destruction and therefore it is not in the public interest to disclose information.

• A cyber-attack could have severe consequences for the NHSBSA’s services and therefore have a direct impact on members of the public receiving those services, as demonstrated in the recent cyber-attack.

• The inherent public interest in ensuring that public authorities can safeguard themselves from cyber-attacks which is linked to the protection of public funds.

Conclusion:

The NHSBSA recognises that there is a public interest in disclosure of the information to promote transparency and assurance of how the NHSBSA has responded to a cyber-attack; however, in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information as more weight is afforded to the arguments outlined above in maintaining the security and integrity of the NHSBSA’s systems.

Please see the following link to view the section 31 exemption in full - https://www.legislation.gov.uk/ukpga/2000/36/section/31

Publishing this response

Please note that this information will be published on our Freedom of Information disclosure log at:

https://opendata.nhsbsa.net/dataset/foi-02366

Your personal details will be removed from the published response.

Data Queries

Please contact foirequests@nhsbsa.nhs.uk ensuring you quote the above reference if you have any specific questions regarding this response; or, if you feel you may be misunderstanding or misinterpreting the information; or, if you plan on publishing the data.

Reusing the data and copyright

If you plan on producing a press or broadcast story based upon the data please contact communicationsteam@nhsbsa.nhs.uk. This is important to ensure that the figures are not misunderstood or misrepresented.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988 and is subject to NHSBSA copyright. This information is licenced under the terms of the Open Government Licence detailed at:

http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

Should you wish to re-use the information you must include the following statement: “NHSBSA Copyright 2024” Failure to do so is a breach of the terms of the licence.

Information you receive which is not subject to NHSBSA Copyright continues to be protected by the copyright of the person, or organisation, from which the information originated. Please obtain their permission before reproducing any third party (non NHSBSA Copyright) information.