The Data Protection Impact Assessment - CPFT log - FOI... · The Data Protection Impact Assessment...


DPIA Template v3 KT Page 1

The Data Protection Impact Assessment

What is a DPIA?

A DPIA is a way for us to systematically and comprehensively analyse our processing and help you identify and minimise data protection risks. DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material. To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified. DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals. A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA. It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and you should see it as an ongoing process, and regularly review it.

When do I need to do a DPIA?

You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals. In particular, the GDPR says you must do a DPIA if you plan to:

use systematic and extensive profiling with significant effects;

process special category or criminal offence data on a large scale; or

systematically monitor publicly accessible places on a large scale.

The ICO also requires you to do a DPIA if you plan to:

use new technologies;

use profiling or special category data to decide on access to services;

profile individuals on a large scale;


process biometric data;

process genetic data;

match data or combine datasets from different sources;

collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);

track individuals’ location or behaviour;

profile children or target marketing or online services at them; or

process data that might endanger the individual’s physical health or safety in the event of a security breach.

How do I carry out a DPIA? A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:


APPENDIX 1 – Data Protection Impact Assessment For New Systems / Services or Changes to Existing Systems / Pathways

Information Governance Checklist: Privacy Impact Assessment

Name of project: Community Respiratory

Expected project implementation date: In implementation DPIA submission date: August 2018

Project Manager: Sarah Blackburn Project Sponsor: John Martin

Information Asset Owner: Amanda Holloway Business Case Reference (PID No): (if applicable, or please state where project was authorised)

Please ensure that you have completed all of the above fields

The assessment should be completed at the project planning stage to ensure that risks are identified early and managed effectively before the project is implemented. Identified risks should be included in the project risk assessment/register, and any changes to the project plan should be reflected in the privacy impact assessment. The IG Checklist (Data Protection Impact Assessment) is a risk management process that enables CPFT to anticipate and address the likely impacts of new initiatives or changes to existing ones, and to provide assurance on confidentiality, data protection, IT security and data quality issues related to a project. This completed assessment should be referenced and embedded in the Business Case Approval papers. Privacy Impact Assessments are mandatory for any new system (IT or otherwise), service, process or technology, or changes to existing systems / pathways, which involve person identifiable or business sensitive data. The completed Privacy Impact Assessment should be returned to the IG team at [email protected] with confirmation of completed actions, or to notify the team of any changes.


All sections MUST be completed. Sections that are not relevant should be marked as not applicable. Queries over completion can be raised with the IG Team prior to submission.

Project Outline Please be comprehensive and include: Project Descriptor; Systems’ names; Data Flow Chart; Data Flow (i.e. full description of data flows, not the data process)

Respiratory Pathway Redesign

The STP Proactive Care & Prevention work stream oversaw work on the respiratory pathway re-design, informed by 5 stakeholder workshops and the C&P Prevention Strategy. As indicated by RightCare analysis, there is opportunity to reduce non-elective admissions and elective outpatients; there is a lead-in time for some of the interventions. The proposals have been structured into nine sections; this PIA relates to section E, Introduction of the myCOPD app for patients.

2. Secondary proposal: Other interventions requiring funding or resources. The interventions included in this secondary proposal are relatively small investments and would support the whole pathway of care.

E. Introduction of the myCOPD app for patients

The myCOPD app is registered with the ICO and regulated by the MHRA, holding a CE marking, and has been subject to ethics commission regulation over two clinical trials. Approval to proceed with the roll out of the myCOPD app was received on the 4th November. The myCOPD app is part funded by NHS ITT and part funded by the CCG. The CCG will be able to have 20% of the total COPD numbers (3122) via the ITT, with an additional 10% being directly purchased by the CCG (1561). myCOPD has been deployed in several locations including Ipswich & East Suffolk, Southampton, Portsmouth, North Lincolnshire and Devon. Additional funding is available to fund further licences in 2018/19 (£30k). Patients suitable to use this app will be identified at point of discharge from an acute setting, or if under the care of the community respiratory team and also categorised as having severe COPD (as per the ITT requirements). Additionally, patients will be identified during the collaborative COPD clinics or other interventions as clinically appropriate (e.g. pulmonary rehabilitation) (for those patients excluded from the ITT requirements).
All patients are able to independently fund this app as it is available in the public domain also; any patients that self-purchase this app will be responsible for signing up to or opting out of services as appropriate.


Benefits of the myCOPD app include:

myCOPD provides a comprehensive self-management system to patients with COPD through almost any device connecting to the Internet.

It also provides a clinician interface for managing patients and patient populations.

It is evidence based, NICE compliant, and is at least as good as standard care while significantly cutting costs by reducing the number of patient-clinician consultations, reducing variation in education and improving inhaler technique and adherence to medication.

Within myCOPD there is a full pulmonary rehabilitation program with education that lasts for a lifetime.

myCOPD has been chosen for the National Innovation Accelerator to help deliver the NHS’s Five Year Forward View and currently it is the only NHS-approved app in the new NHS app store.

Evidence suggests that myCOPD will correct inhaler technique errors in 95-98% of patients.

1000s of patients receive pulmonary rehab for a lifetime, with improved walking distance compared with standard class-based programmes.

Accessible 7 days a week including physiotherapy and psychology modules.

Reduces inequality with an NHS approved set of educational modules and inhaler videos.

Provides medical intelligence to manage the system efficiently.

Systems that will be employed are:

my mhealth COPD app


Ref Checklist Questions Guidance Response Action and Status (PIA team use only)

1 Confirm which of the following have been informed of the project.

Information Governance

IM&T Clinical Services

Finance

HR

Clinical Services

Quality

Comms

List all groups that have been informed of the project, who approved the outline specification/Business Case?

Primary Care IT PMO Medicines Optimisation Team Contracting Quality

Finance LMC Respiratory CWG Respiratory steering group Patients HR IM&T Clinical Services Comms As part of the business case reviews, Wave and previous PIA evaluations.

2 Provide a complete list of all of the stakeholders including those departments or organisations that have an interest in, a role to play in the delivery, or may be affected by the project

List all NHS providers and other organisations such as county council, police, charities, service users etc., and their role in the project.

Patients; Carers; Cambridgeshire & Peterborough Clinical Commissioning Group (CCG) Community Services & Integration (CSI); CCG Urgent & Non-elective care (UEC); CCG Primary & Planned Care (PPC); CCG Primary Care Information Team (PCIT); CCG Communications and Engagement (CE); Local Authorities; Local Medical Council; General Practice; Cambridgeshire & Peterborough Foundation Trust (CPFT); CPFT Respiratory Team; Sustainability and Transformation Partnership System Delivery Unit; NHS England; Breathe Easy; Breathe for Life; British Lung Foundation; Singing for Breathing; Provide; Cambridge University Hospital NHS Foundation Trust (CUHFT); North West Anglia NHS Foundation Trust (NWAFT); Papworth Hospital NHS Foundation Trust (PHFT); my mhealth

3 Name the data controller and list all organisations that will be processing data on behalf of the data controller. Provide details of the individual who will be considered as the Information Asset Owner i.e. the person responsible for the Service/System.

Data controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

For the myCOPD app, Cambridgeshire and Peterborough CCG are the data controllers. Cambridgeshire & Peterborough Foundation Trust (CPFT)

4 System name

What is the system commonly known as? e.g. SystmOne List all Systems and Software involved.

SystmOne

myCOPD

5 Who are the Suppliers or Providers?

Give full contact details including address, telephone number, and name of person responsible for support. E.g. Healthcare providers; system software suppliers or sub contractors.

My mhealth Limited, 01202 299 583, [email protected]

Dr. Harry Thirkettle, phone 07850 881305, [email protected]

IG lead: Antonio Rodrigues, 01202 299583, [email protected]

my mhealth Limited

First and Second Floor

8 Trinity

161 Old Christchurch Road

Bournemouth

BH1 1JU

United Kingdom

6 Is the purpose for processing the personal data listed in the relevant providers/suppliers notification to the Information Commissioner?

As defined in the provider/supplier’s Data Protection Registration entry (i.e. nature of their business).

Earlier identification of patients suspected of having COPD. Pathway and patient management improvements including adherence to NICE guidelines. Improved patient self-management and patient activation.

7 Will the data be used for the purpose of direct care?

Definition of direct care – A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and.

Yes.

Data Protection

8a Provide a list of the datasets / types of Person Identifiable Data (PID) / Patient Confidential Data (PCD) that the new system (IT or otherwise) will process. Please attach/embed an example of a complete data set.

Examples:

Name

Address

DoB

NHS Number

Clinical data (give specific details)

Other (give details)

Format: electronic/paper/both

Any online identifier (e.g. IP address)

myCOPD processes personal and health related data from the individual, as detailed in the attached privacy policy

8b Provide a list of all types of special category data that will be collected. (I.e. ethnicity, religious beliefs etc.) Note: 8b could be combined with 8a as a full data set.

Give details of any data that will be collected under the following headings:

sexual life

ethnic origin

medical information

religious beliefs

political views

criminal convictions

Genetic data and biometric data where processed to uniquely identify an individual.

Medical information as relevant to COPD identification and management only

Medical information

9 List the purpose(s) for handling/collecting person identifiable data?

Give specific purpose(s) that data will be used for. This information is required in order to ensure that we comply with the Data Protection Act.

Identifying suitable patients for intervention and the purposes of direct patient care. myCOPD collects person identifiable data in order to provide a customised experience, enhance self management, and allow patients and clinicians to coscript a medical record. For further details please see attached privacy policy

10 Is personal data being processed?

See Annex 1 for definition of personal data. Can the processing of personal data be legitimised in accordance with the terms of the GDPR? If yes – what is the legitimate process? See Annex 1 - Article 6 (1a-f Lawfulness of Processing Conditions)

Yes, by my mhealth.


11 Is special category data being processed?

See Annex 1 for definition of sensitive personal data (special categories). Can the processing of sensitive personal data (special categories) be legitimised in accordance with the terms of the GDPR? If yes – what is the legitimate process? See Annex 1 - Article 9 (2a-j Conditions for Special Categories of Data)

Yes. This will be covered by: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

12 Where and how will the data be stored? Include details for electronic data and paper files

Examples: Electronic data will be stored on Server/PC/Laptop etc. Paper files will be stored in ______ at _______

All data will be stored on the Amazon Web Services cloud, at a UK data centre

13 Is any data processed or stored outside of the UK? Either by the supplier/provider or by a contracted third party.

If yes, please confirm in which country the data will be processed or stored. Does the contract include a clause requiring any Data Processor to inform the Data Controller of any changes to where the data will be processed?

No data to be held outside of the UK. The contract will include a clause requiring the Data Processors to inform the Data Controller of amendments to where the data will be processed.

14 Provide details of data that will be shared with any external organisation(s). List all parties, amount of data to be shared, and frequency.

Please provide this information presented as a flow chart/list, mapping all of the proposed data flows.

At this stage the data is just to remain internal; however, we may consider sharing the information externally in the future. Should this happen, the PIA will be reviewed.


15 Will an information sharing agreement be required?

The data sharing may be covered by an existing data sharing agreement. If unsure, contact the IG team for advice/templates.

No. PIA initially created by CCG. This PIA has been created to ensure CPFT have one in place, but also to capture the changes in the model since CCG created theirs.

16 Will explicit or implied consent be obtained from patients/service users?

Give exact details of whether consent will be required and how it will be gained and recorded.

Explicit consent: patients will have to sign up to use myCOPD. No patient leaflet.

Is there a supporting Patient Information Leaflet?

Attach patient leaflet covering consent, processing, restricted access etc.

If consent is identified as the reason to legitimise processing, what happens when consent is withdrawn?

Attach patient leaflet as above.

State method to be used to record consent /dissent. i.e. consent to share information not consent to treat

Give details of what information will be available, the format and where. Examples to be attached to this Assessment.

Will this new service/system require amendments to Fair Processing / Privacy Notices that are/should be on Provider websites?

ICO’s Privacy Notices – Code of Practice


Are individuals offered the opportunity to restrict processing of their personal data? If so, when is that opportunity offered?

Are procedures in place for maintaining an up to date record of use of personal data. If so how often and by whom?

17 Does the System have a separate reporting system for generating both anonymised and/or identifiable reports?

Yes, the system is able to produce anonymised reports, such as number of licenses distributed; these will be accessible by the ‘Admin’ and ‘Clinical Manager’ roles (at the CCG and providers respectively). Printed or digital identifiable reports can be generated on request or in specific circumstances by the my mhealth Information Governance Lead, as detailed in our privacy policy attached.

Is the System able to produce a printout of all personal data to satisfy the subject access provision of the Data Protection Act? Reference: NHS Standard Contract – 2016/17 Service Conditions SC23 Service User Health Records

Provide details of who will manage subject access requests e.g. IG lead for each organisation. Is there a Subject Access Request Policy in place?

18 Is there a process for managing incidents relating to information breaches/losses and reporting those to the CPFT/Data Controller?

Relevant Policies in place? Yes/No Incident reporting is included in the contract? Yes/No

Yes, CCG and CPFT Policies. my mhealth also have policies in this regard – please see the attached IG FAQs document for more information


Reference: NHS Standard Contract 2016/17 (short form) SC33 Incident Requiring Reporting

Information Security

19 IT requirements analysis Include details of functional specifications, security controls system architecture, compliance with ISB standards, selection of software, maintenance and replacement costs, support contract requirements etc.

Give details of access restrictions to building/areas/systems e.g. passwords/smartcards/ID cards etc. How will IT support be provided? Will this be provided from outside of the UK? If so, provide details of the security arrangements

User names and password – approval processes before these are granted. Regular user reviews are performed.

20 What testing of the system will be undertaken?

Clinicians to receive training on using the system and they will then have the opportunity to test the system.

21 How will this project impact on existing information assets?

No impact.

22 Give details of the access controls to be in place for staff accessing patient identifiable data. Include details of i.e. password controls, Smartcards etc.

Give details of access restrictions to building/areas/systems e.g. passwords/smartcards/ID cards etc. How will IT support be provided? Will this be provided from outside of the UK? If so, provide details of the security arrangements

myCOPD app: the roles and associated restrictions are:

- Patients: access their own data only;

- Clinicians: access data of patients under direct care only;

- Clinical managers and nonclinical managers: access anonymised aggregated data only;

- System administrators: access the underlying system under contractual clauses and additional security measures.

23 Give details of the security systems in place that will ensure that patient identifiable data is protected from unlawful or unauthorised access e.g. firewalls, anti-virus etc.?

Is PCD/PID stored in a system which is compliant with NHS and wider government standards? Provide details of storage standards / levels met?

UK Data Centres – ISO 27001 accredited. Secure access controls in place.

24 Give details of measures in place to protect data from accidental loss, destruction, or damage?

Include business continuity plans, back-ups etc.

myCOPD app: Under IGT, procedures are documented, distributed and maintained for: data handling / management, operating procedures and physical access.

Network and systems security: Restriction to HTTP over TLS v1.2 only, using updated, secure ciphers, AES-256. Known insecure protocols, ciphers and configurations are disabled, e.g. RC4, SSL3, non-perfect-forward-secrecy, client re-negotiation. Data encrypted at rest. Firewall and systems configuration implement the least-privilege principle.

Operational work involving security: systems security patching, internal and external security audits, software quality assurance and application security updates as part of the software development life cycle, policies on network configuration, weekly security advisory reviews covering full stack software components.

Physical security: In Amazon AWS, IGT / G-Cloud aligned (or better) security provisions are maintained.

Application security: Content Security Policy (CSP), secure cookies and HTTP-only cookies are enforced in HTTP communications. Authentication cookies are encrypted and salted. Passwords are hashed with PBKDF2. Incoming data is filtered using OWASP sanitisation at point of reception, and also at point of retrieval from the database. HTML is disallowed as content in the database. Data caching is disabled on web browsers.

Operational security on the development side includes separation of testing and production environments (including secrets in source control), Change Management policy on information assets including documented procedures for development, functional and non-functional testing. Security code reviews are routinely made and all code changes are logged in a version control system.
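The application-layer controls listed under item 24 (PBKDF2 password hashing, a TLS 1.2-only server policy with legacy ciphers and client renegotiation disabled, CSP / Secure / HttpOnly cookies with browser caching off, and refusal of HTML before storage), shown as an added Python example. This is not my mhealth's code and nothing in it is taken from the myCOPD deployment: the iteration count, the cipher string, the CSP policy and the sample inputs are assumed values chosen for illustration.

```python
"""Added illustration (not my mhealth's code) of the item 24 application-security
controls. Iteration count, cipher string and CSP policy are assumptions."""
import hashlib
import hmac
import os
import re
import ssl

PBKDF2_ITERATIONS = 600_000          # assumed work factor; tune to your hardware
_TAG = re.compile(r"<[^>]*>")        # anything that looks like an HTML tag


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per password.

    The result is self-describing (scheme$iterations$salt$digest) so the
    work factor can be raised later without invalidating stored hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                 # malformed record is never a match
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def security_headers(session_token: str) -> dict:
    """Headers for every authenticated response: CSP, a Secure + HttpOnly
    session cookie, and caching disabled so patient data is not kept by the browser."""
    return {
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
        "Set-Cookie": f"session={session_token}; Secure; HttpOnly; Path=/",
    }


def is_html_free(value: str) -> bool:
    """True when the value contains nothing that looks like an HTML tag."""
    return _TAG.search(value) is None


def reject_html(value: str) -> str:
    """Refuse input carrying HTML at the point of reception (a simplified
    stand-in for the OWASP sanitisation the DPIA mentions)."""
    if not is_html_free(value):
        raise ValueError("HTML content is not permitted")
    return value


def tls_server_context() -> ssl.SSLContext:
    """TLS 1.2 or newer only, forward-secret AEAD cipher suites, TLS compression
    and client-initiated renegotiation disabled."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # OP_NO_RENEGOTIATION needs Python 3.7+ / OpenSSL 1.1.0h+; fall back to no-op
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def tls_policy_summary(ctx: ssl.SSLContext) -> dict:
    """Inspectable view of the TLS policy, e.g. for a deployment check."""
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    record = hash_password("correct-horse-battery", iterations=50_000)
    print(verify_password("correct-horse-battery", record), verify_password("guess", record))
    print(tls_policy_summary(tls_server_context())["min_version"])
```

The stored-hash format carries its own iteration count so that `verify_password` keeps working for old records while `hash_password` is moved to a higher work factor; the TLS policy is expressed as a context object so that the same checks (`tls_policy_summary`) can be run against the live configuration as a deployment test.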

25 Will mobile/portable devices and/or removable media be used? If so, they must be encrypted.

Provide details of devices and security measures proposed i.e. encryption solutions.

No.

26 Is Patient Identifiable Data encrypted within the system and on transfer? (nhs.net to nhs.net is encrypted on transfer)

Give details of how data is transferred, whether it is encrypted and to what standard. Is nhs.net to nhs.net (or equivalent government secure e-mail) used to transmit electronically? Note: This information can be included on the data flow chart (please refer to no 14).

Encrypted in system and the transmission of data from end point to end point shall be encrypted.

Data Quality

27 Does the system have the ability to record and verify NHS number for relevant patient systems?

This is now a requirement of all new systems. Steps must be taken to ensure the NHS number is captured and stored.

If the answer is yes, how is the NHS number verified?

If the answer is no, what steps are being taken to ensure this requirement is met?

No. NHS number provided with license. This can be checked by respiratory clinician.

28 What processes will be in place for data validation?

How and when will patient data be verified? e.g. - checked at each appointment.

Checked at respiratory clinic appointment.

29 Are national or locally defined data standards being used?

What local policies or national guidelines will be followed?

National requirements from NHS England specifically for this app.

30 Where different systems are recording the same data, are processes in place to ensure there are no inconsistencies between them?

If not applicable (N/A) please mark as such.

n/a

31 Who will have access to the system and how will that access be controlled?

IG training is mandatory. The service lead clinicians will oversee user access to the system.


The following functions to be controlled by the service lead clinicians in order to allow or revoke access, utilising responsive web browser application technology: 1. Allow a non-clinical manager to create, edit, or suspend a clinical team lead or a sub-manager user account 2. Allow a clinical team lead to create, edit or suspend clinician

Will training on use of the system be provided and a list of trained personnel maintained?

accounts as part of a local clinical team. my mhealth to provide training on the app to service lead clinicians and respiratory nurses on 25th July, 2018.

Is there a process in place to ensure all users have attended mandatory data protection training?

List the IG training requirements for staff (this may be role specific). Is IG training mandatory? Has/will the requirement to complete annual IG training been included in the contract?

Service lead clinicians will ensure a record is kept of all those trained on the myCOPD app and will be ensure that training is provided to new starters as part of their induction to the team. Training will be mandatory for all respiratory nurses using the app within their clinics.

32 Can changes to records be tracked to identify who has made the change?

Is there an active audit trail built into the electronic system used?

Yes – All systems in place will have the ability to track amendments.


Records Management

33 Will changes/introduction of new system impact on the ability to dispose, retain, or archive information appropriately?

Yes/No or describe

No.

34 What processes are in place for tracking records?

n/a

35 What processes are in place for managing retention and disposal of records? What will happen to the personal data when it is no longer required? Who will take responsibility for ensuring disposal of data in accordance with National and local retention and disposal policy timescales?

Does the contract include requirements relating to records retention and disposal? What will happen to records at the end of the project/service? Has reference to handover of service user records to new provider been included in the contract?

Yes – IGA Records Management Code of Practice: 30 years or 8 years after patient is deceased, in line with NHS chronic conditions data retention guidance (subject to legal obligations and removal requests from data subjects).

36 Do the records management systems support compliance with CQC Outcome 21: Records?

In summary, this Outcome is about ensuring that patient records whether in paper or electronic form are:

Accurate;

Fit for purpose;

Remain confidential;

Held securely and can be located promptly when required;

Retained for an appropriate period of time; and securely destroyed when it is appropriate to do so.

Yes.

Freedom of Information

37 What processes are in place to respond to Freedom of Information (FOI) requests?

Give details. Does the resulting contract/SLA specify that FOI requests should be reported to the Commissioners FOI Lead?

NHS Organisations, including the CCG and CPFT, are legally required to have an FOI Policy in place.

This section will be completed by the IG team to provide feedback and list additional actions that need to be completed by the project team prior to the project going live.

To be completed by project lead

Requirements/Actions to be taken Notes Status of identified actions

Inform IAO to add to the Information Asset Register/data flows

Information sharing agreement required? Y/N

Data processing agreement required? Y/N

DPA Reg checked or changes required? Y/N

DSP Toolkit submission checked or required? Y/N

Patient information leaflet required? Y/N

Data Flow Chart attached? Y/N

Data Set attached? Y/N

Others (incl. LMC awareness)

For office use:

Date received

Outcome of review

Date agreed 06.08.2018 IGSG


PIA Process Guidance and Documentation Version 3 – March 2018

ANNEX 1 Processing of Personal and Special Categories (Sensitive) of Personal Data in accordance with the terms of the General Data Protection Regulation (GDPR)

GDPR Article 6 - Lawfulness of processing personal data

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

GDPR – Article 9 Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data, or data concerning health.


Definitions

Data Protection Impact Assessment

A risk technique mandated in law to enable organisations to address privacy concerns and ensure appropriate safeguards are addressed and built in to projects, or to plans to develop existing information assets. This is sometimes referred to as an Information Governance Checklist. DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material.

Projects / plans to develop

Data Protection Impact Assessments are required when new projects occur (for example the introduction of a new electronic patient record or new software), where plans are proposed to develop an existing information asset, or where we change the way we process current personal and special category data. These can be both in paper and electronic format.

Information Sharing Agreements

Data sharing agreements set out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These often form part of a contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis. Source: ICO Data Sharing Code of Practice

Personal Data (For legitimate processing of Personal Data in accordance with the terms of the GDPR - see Annex 1)

Often referred to as PCD (personal confidential data) or PID (patient identifiable data). Defined by the General Data Protection Regulation (GDPR) as data which is capable of identifying a living individual, but isn’t classified as sensitive data, i.e. name; GP; next of kin; address; postcode; date of birth or any online identifier (e.g. an IP address).

Sensitive Personal Data (For legitimate processing of Sensitive Personal Data in accordance with the terms of the GDPR - see Annex 1)

Defined under the General Data Protection Regulation (GDPR) as ‘special categories of personal data’, e.g. data such as patient diagnosis; physical or mental health and condition; ethnicity; sexual life; religious beliefs. Also includes genetic data, and biometric data where processed to uniquely identify an individual.

Processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.