Request

I make the following requests under the provisions of the Freedom of Information Act 2000 which imposes timescales upon your organisation and a presumption of disclosure (Date of request/receipt 7th April 2022):

a. Provide me with a copy of your internal policy document which clearly states that you must see evidence of transactions from any bank statement provided as proof of identity.

b. Any document, memo or note discussing why transactions need to be seen on a UK bank statement and any discussions about the lack of probity of electronicky provided accounts or stationary.

c. Any documentation, email note or memo concerning which shows that the policy has been deemed compliant with the Data Protection Act(s), GDPR and Human Rights Act viz article 8 Right to a private life.

d. Any document showing how you will manage private information (not necessary to meet your lawful purpose) obtained by collateral intrusion and how you will mange such material

e. Any document showing you have considered your obligations under the Human Rights Act under this policy and details of who agreed the collection of bulk banking details was necessary, proportionate and justified.

Response

Question a

I am writing to advise you that following a search of our paper and electronic records, I have established that the information you requested is not held by the NHS Business Services Authority. We do not hold an internal policy document which covers proof of identity. However the following is an extract from our UK Global Health Insurance Card Standard Operating Procedure document:

“Bank, Building Society or Credit Union statement or passbook dated within three months prior to the application date, or any date after the application date. Transactions must show a clear UK footprint.”

Question b

Regarding the requirement to obtain a bank statement, this is consistent with the Government Proof of Identity Checklist which ensures that we can prevent fraudulent claims being made, to protect our customers from fraudulent activity being made in their name, and to safeguard public monies.

To ensure information about our Overseas Health Services (OHS) customers is handled in a way which complies with data protection law, a Data Protection Impact Assessment (DPIA) has been carried out. A summary of this can be found at:

https://www.nhsbsa.nhs.uk/what-we-do/publication-scheme/our-data-protection-impact-assessment-dpia-summaries

A DPIA is conducted to identify and mitigate the privacy risks associated with handling personal data, such as information required from our customers to prove their identity.

Question c)

NHSBSA processes data according to Data Protection Legislation. Our Privacy statement explains how we handle your information. Our Data Protection and Confidentiality Policy sets out the principle statements applicable when personal data is being processed to ensure the rights and privacy of individuals are respected and treated in accordance with data protection legislation. Lastly, our Information Security privacy notice explains how we keep your information secure and steps you can take to protect your information.

Question d)

We do not collect unnecessary private information. The above policies and privacy statements explain how we manage customers’ data.

Question e)

We do not collect bulk banking details. A range of documents to show UK residency are provided to the applicant, of which one is a bank statement. Regarding the human right to a private and family life, this is achieved by compliance with Data Protection law. Our approach to ensuring compliance is set out above.

Please note that this request and our response is published on our Freedom of Information disclosure log at:

https://opendata.nhsbsa.net/dataset/foi-24439

Data Queries

If you have any queries regarding the data provided, or if you plan on publishing the data please contact nhsbsa.foirequests@nhs.net ensuring you quote the above reference. This is important to ensure that the figures are not misunderstood or misrepresented.

If you plan on producing a press or broadcast story based upon the data please contact nhsbsa.communicationsteam@nhs.net. This is important to ensure that the figures are not misunderstood or misrepresented.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988 and is subject to NHSBSA copyright. This information is licenced under the terms of the Open Government Licence detailed at: http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

Should you wish to re-use the information you must include the following statement: “NHSBSA Copyright 2022” This information is licenced under the terms of the Open Government Licence:

http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

Failure to do so is a breach of the terms of the licence.

Information you receive which is not subject to NHSBSA Copyright continues to be protected by the copyright of the person, or organisation, from which the information originated. Please obtain their permission before reproducing any third party (non NHSBSA Copyright) information.