1 Aim
With the ongoing advancements in data protection legislation, the general data protection regulation (GDPR) came into force on 25 May 2018. The Data Protection Act (2018) makes the GDPR part of UK law and replaces the Data Protection Act (1998). This places a legal obligation on Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH) to conduct a screening data protection impact assessment (DPIA) for all projects, which includes, but is not limited to, the use of information, data and technologies.
The aim of the DPIA policy and this procedure is to provide colleagues with information that promotes good practice and compliance with the GDPR and other statutory requirements provided by our supervisory authority, the information commissioner’s office (ICO).
Additionally, the policy and procedure reflect the minimum requirements under the conditions of article 35 of the GDPR.
This data protection impact assessment procedure complements the data protection impact assessment (DPIA) policy.
Under the Data Protection Act, the information commissioner’s office established a privacy impact assessment code of practice. The term privacy impact assessment is used within this document as equivalent to “data protection impact assessment” as referenced within the General Data Protection Regulation (EU) 2016/679.
Personal confidential data has also been referred to as patient identifiable data (PID), patient identifiable information (PII), confidential patient information (CPI) and as personally identifiable data.
Data protection impact assessments (DPIAs) serve to ensure that the organisation remains compliant with legislation and NHS requirements, which determine the use of personal confidential data (PCD). DPIAs will aid RDaSH in determining how a particular project, process or system will affect the privacy of the individual. The DPIA screening questions and impact assessment have been developed to provide an assessment before new services or new information processing or sharing systems are introduced. A DPIA is less effective when key decisions have already been taken.
DPIAs identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. An effective DPIA allows problems to be identified and remedied at an early stage, reducing potential distress, subsequent complaints and the associated costs and damage to reputation which might otherwise occur.
Once the objectives or aims of a project have been identified, together with what is required to meet them and how this is envisaged to happen, it is important to consider whether a DPIA is required, so that the privacy of personally identifiable information is protected.
Conducting a DPIA does not have to be complex or time-consuming if it is considered at an early stage.
1.1 Data protection impact assessments (DPIA)
DPIAs identify privacy risks, foresee problems and bring forward solutions. A successful DPIA will:
- identify and manage risks in respect of privacy of personal identifiable information (see appendix A for examples)
- avoid inadequate solutions to privacy risks
- avoid unnecessary costs
- avoid loss of trust and reputation
- inform the organisation’s communication strategy (privacy notice)
- meet or exceed legal requirements.
Consideration of whether a DPIA should be completed is mandated through the General Data Protection Regulation (EU) 2016/679. DPIAs ensure that privacy concerns have been considered and serve to assure the organisation regarding the security and confidentiality of personally identifiable information.
1.2 Purpose
A DPIA should serve to:
- identify privacy risks to individuals
- identify privacy and data protection compliance liabilities
- protect the organisation’s reputation
- instil public trust and confidence in your project or product
- avoid expensive, inadequate “bolt-on” solutions
- inform your communications strategy
2 Scope
This document applies to and is relevant across all services, departments, or care groups.
All colleagues employed by RDaSH must work in accordance with safeguarding policies, procedures and local guidelines in relation to any safeguarding concerns they have for children or adults they are in contact with.
A DPIA must be considered where new systems, data sharing or projects are introduced and, where appropriate, evidence of this consideration (the completed screening questions) is retained by the responsible project lead.
Line managers are responsible for ensuring that permanent and temporary colleagues and contractors are aware of the data protection impact assessment procedure.
There is an expectation that partner organisations or third parties involved in supplying or providing services provide technical information for the DPIA, as required.
This procedure therefore applies to all colleagues and all types of information held by the organisation. This procedure should be read in conjunction with the RDaSH IG policies:
- Subject access request policy
- Business continuity policy
- Freedom of information and environmental information regulations policy
- Information governance policy and management framework (includes data protection policy content)
- Information technology (IT) security policy
- Records management policy
3 Link to overarching policy
4 Procedure or implementation
4.1 Is a data protection impact assessment required for every project?
- 1. Are you implementing a new system, data sharing arrangement, project or service, or changing the way you work?
  - 1.1 No: there is no need to complete the full DPIA. Retain the completed DPIA screening questions with the project documentation.
  - 1.2 Yes: does this project involve the processing of personally identifiable or other high-risk data?
    - 1.2.1 No: see 1.1.
    - 1.2.2 Yes: a data protection impact assessment is required. Supporting information, such as contracts, system specifications and consent forms, may be required.
The ICO’s data sharing code of practice states that DPIAs should be completed where a system, data sharing arrangement or project includes the use of personal data, where there is otherwise a risk to the privacy of the individual, where new or intrusive technology is used, or where private or sensitive information which was originally collected for a limited purpose will be reused in a new and ‘unexpected’ way.
4.2 When should I start a data protection impact assessment?
DPIAs are most effective when they are started at an early stage of a project, when:
- the project is being designed
- you know what you want to do
- you know how you want to do it
- you know who else is involved
It must be completed before:
- decisions are set
- you have procured systems
- you have signed contracts, memoranda of understanding or agreements
- and while you can still change your mind
The online DPIA portal (staff access only) can be found at the bottom of the trust’s intranet homepage. Following the review of the screening questions, if any of the questions has been marked yes, a full DPIA is required. Once the DPIA sections have been completed, a member of the IG team will contact the author to assist in the review and suggest any amendments required to the form. Agreement from the data protection officer, information security and, where applicable, clinical safety risk must be sought before the final DPIA is approved. Some DPIAs may need to be submitted to the IG group for approval by the SIRO and Caldicott guardian, upon recommendation of the DPO.
4.3 Publishing data protection impact assessments
All DPIAs are publishable. It is acknowledged that DPIAs may contain commercially sensitive information such as security measures or intended product development. Therefore a log of DPIAs is published via the information governance pages on the trust’s website, and individual DPIAs will be released upon request via the information governance department. Review and redaction of commercially sensitive information will be undertaken prior to release; however, as much of the document as possible should be published.
5 Appendices
5.1 Appendix A Example risks
5.1.1 Risks to individuals
- Inadequate disclosure controls increase the likelihood of information being shared inappropriately.
- The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people’s knowledge.
- New surveillance methods may be an unjustified intrusion on their privacy.
- Measures taken against individuals as a result of collecting information about them might be seen as intrusive.
- The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
- Identifiers might be collected and linked which prevent people from using a service anonymously.
- Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.
- Collecting information and linking identifiers might mean that an organisation is no longer using information which is safely anonymised.
- Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.
- If a retention period is not established information might be used for longer than necessary.
5.1.2 Corporate risks
- Non-compliance with the data protection legislation can lead to sanctions, fines and reputational damage.
- Problems which are only identified after the project has launched are more likely to require expensive fixes.
- The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.
- Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.
- Public distrust about how information is used can damage an organisation’s reputation and lead to loss of business.
- Data losses which damage individuals could lead to claims for compensation.
5.1.3 Compliance risks
- Non-compliance with the Data Protection Act 2018 or General Data Protection Regulation (EU) 2016/679.
- Non-compliance with the Common Law Duty of Confidentiality.
- Non-compliance with the Privacy and Electronic Communications Regulations (PECR).
- Non-compliance with sector specific legislation or standards.
- Non-compliance with Human Rights Act 1998 and Equality Act 2010.
5.1.4 Clinical safety risks
The Standardisation Committee for Care Information standard SCCI0160 (Clinical Risk Management, Its Application in the Deployment and Use of Health IT Systems) requires health organisations to establish appropriate procedures to ensure patient safety during the implementation and management of clinical information systems.
This means clinical risk analysis of using a clinical information system must be considered before deploying a new system or before implementing a significant change to an existing system, to ensure that the best design of the system and adequate team processes are employed in the use of the system in that particular service area.
If you are planning to implement a new clinical information system, making a significant change in an existing clinical information system for an existing service, or adding a new service to an existing clinical information system which may require changes to the system to accommodate the new service, please contact the organisation’s Clinical Systems team who can advise on what further clinical risk analysis needs to be considered for your proposed change.
5.2 Appendix B Definitions or explanation of terms used
Term | Definition |
---|---|
Anonymity | Information may be used more freely if the subject of the information is not identifiable in any way; this is anonymised data. However, even where such obvious identifiers are missing, rare diseases, drug treatments or statistical analyses involving very small numbers within a small population may allow individuals to be identified. A combination of items increases the chances of patient identification. When anonymised data will serve the purpose, health professionals must anonymise data and, whilst it is not necessary to seek consent, general information about when anonymised data will be used should be made available to patients |
Authentication Requirements | An identifier enables organisations to collate data about an individual. There are increasingly onerous registration processes and document production requirements imposed to ensure the correct person can have, for example, the correct access to a system or a smart card. These are warning signs of potential privacy risks |
Caldicott | Seven Caldicott principles were established following the original review in 1997 and further development in 2013. The principles include: |
Common Law Duty of Confidentiality | This duty is derived from case law and a series of court judgements based on the key principle that information given or obtained in confidence should not be used or disclosed further except in certain circumstances: |
Data Protection Act 2018 | The DPA defines the ways in which information about living people may be legally used and handled. The main intent is to protect individuals against misuse or abuse of information about them. The six principles of the DPA 2018 specify that personal data must: |
European Economic Area (EEA) | The European Economic area comprises the EU member states plus Iceland, Liechtenstein and Norway |
Explicit consent | Express or explicit consent is given by a patient agreeing actively, usually orally (which must be documented in the patient’s case notes) or in writing, to a particular use or disclosure of information |
General Data Protection Regulation (EU) 2016/679 Principles of Lawful Processing of Personal Identifiable Information | The GDPR requires that data controllers ensure personal data shall be: |
IAA (Information Asset Administrator) | These are individuals who ensure that policies and procedures are followed, recognise actual or potential security incidents, consult their IAO on incident management and ensure that information asset registers are accurate and up to date. These roles tend to be system managers |
IAO (Information Asset Owner) | These are senior individuals involved in running the relevant service or department. Their role is to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the security and use of those assets. They are responsible for providing regular reports regarding information risks and incidents pertaining to the assets under their control or area |
Implied consent | Implied consent is given when an individual takes some other action in the knowledge that in doing so he or she has incidentally agreed to a particular use or disclosure of information, for example, a patient who visits the hospital may be taken to imply consent to a consultant consulting his or her medical records in order to assist diagnosis. Patients must be informed about this and the purposes of disclosure and also have the right to object to the disclosure. Implied consent is unique to the health sector and cannot be used as a legal basis to process personal data under the Data Protection Act 2018 or GDPR |
Information Assets | Information assets are records, information of any kind, data of any kind and any format which we use to support our roles and responsibilities. Examples of Information Assets are databases, systems, manual and electronic records, archived data, libraries, operations and support procedures, manual and training materials, contracts and agreements, business continuity plans, software and hardware |
Information Risk | An identified risk to any information asset that the organisation holds. Please see the risk policy for further information |
Personal Data | This means data which relates to a living individual who can be identified either: It also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual |
Privacy and Electronic Communications Regulations 2003 | These regulations apply to sending unsolicited marketing messages electronically such as phone, fax, email and text. Unsolicited marketing material should only be sent if the requester has opted in to receive this information |
Privacy Invasive Technologies | Examples of such technologies include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining and logging of electronic traffic. Technologies that are inherently intrusive, new and sound threatening are a concern and hence represent a risk |
Pseudonymisation | Where patient identifiers such as name, address, date of birth are substituted with a pseudonym, code or other unique reference so that the data will only be identifiable to those who have the code or reference |
Records Management: NHS Code of Practice for Health and Social Care 2016 | Is a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice. The code of practice contains an annex with a health records retention schedule and a business and corporate (non-health) records retention schedule |
Retention Periods | Records are required to be kept for a certain period, either because of a statutory requirement or because they may be needed for administrative purposes during this time. If an organisation decides that it needs to keep records longer than the recommended minimum period, it can vary the period accordingly and record the decision and the reasons behind it. The retention period should be calculated from the beginning of the year after the last date on the record. Any decision to keep records longer than 30 years must obtain approval from The National Archives |
Special categories of personal data (sensitive data) | This means personal data consisting of information as to the: |
SIRO (Senior Information Risk Owner) | This person is an executive who takes ownership of the organisation’s information risk policy and acts as advocate for information risk on the board |
5.3 Appendix C Data protection impact assessment (DPIA) template
Document control
- Version: 3.1.
- Unique reference number: 520.
- Date approved: 15 January 2024.
- Approved by: Corporate policy approval group.
- Name of originator or author: Head of information governance or data security officer.
- Name of responsible individual: Director of health informatics.
- Date issued: 16 January 2024.
- Review date: 31 January 2026.
- Target audience: All colleagues.
Page last reviewed: December 24, 2024
Next review due: December 24, 2025