
Data Protection Impact Assessment Procedure

Date post: 16-Feb-2020

Data Protection Impact Assessment Procedure Page 1 of 32

Data Protection Impact Assessment

Procedure

Procedure Number: IG07

Version: 3.2

Approved by: Information Governance Working Group

Date approved: August 2018

Ratified by: Audit and Risk Committee

Date ratified: September 2018

Name of originator/author: Louise Chatwyn – Information Manager

Name of responsible individual: Neil Boughton – Deputy Director of Corporate Affairs

Review date: May 2020

Target audience: All Staff


Version Control Sheet

Version | Date | Who | Change
0.1 | 05/13 | | To GEM IG leads for comments
0.3 | 05/13 | | Final draft for approval
0.4 | 07/13 | | Minor changes in text with information lead at CCG
0.6 | 07/13 | | Reviewed in line with ICO guidance
1.0 | 09/13 | | Approved at Information Governance Committee
1.1 | 06/14 | | Reviewed in line with ICO guidance
 | | | Review for CCG ownership
1.3 | 06/14 | | Amended in line with comments from GEM product group
2.0 | 08/14 | | Approved at Information Governance Product Group
3.0 | 06/16 | L Chatwyn | Review and update to current
3.1 | 07/17 | L Chatwyn | Minor revisions to reflect current legislation and practice and changes under the General Data Protection Regulations (GDPR)
3.2 | 07/18 | L Chatwyn | Incorporate Corby CCG. Insertion of NEL template as adopted assessment


Contents

1. Introduction

2. Purpose

3. Scope

4. Key Roles and Responsibilities

5. Process

5.1 Full scale Data Protection Impact Assessment

5.2 Data Flow Mapping

6. Monitoring and Review

7. Training

8. Distribution and Implementation

9. Associated Legislation and Documents

10. References

11. Appendices

Appendix 1 The Data Protection Impact Assessment

Data Protection Impact Assessment - Questionnaire

Appendix 2 - The conditions (the legal basis) for processing Personal Data under the Data Protection Legislation


1. Introduction

Robust Information Governance requires clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources.

A Data Protection Impact Assessment (DPIA) should be carried out whenever there is a change that is likely to involve a new use of personal data, or to significantly change the way in which personal data is handled, for example a redesign of an existing process or service, or the introduction of a new process or information asset. Completion of a DPIA should be built into the organisational business approval and procurement processes.

This document is a practical tool to help identify and address the data protection and privacy concerns at the design and development stage of a project, building data protection compliance in from the outset. It sets out the CCGs' procedure for conducting a DPIA through a project lifecycle to ensure that, where necessary, personal and sensitive information requirements are complied with and risks are identified and mitigated.

2. Purpose

Under the General Data Protection Regulation (GDPR), which came into effect in May 2018, the completion of a DPIA for new or revised uses of data became an express legal requirement.

This document is a statement of the approach and intentions for Corby CCG and Nene CCG to fulfil their statutory and organisational responsibilities. It will enable management and staff to make correct decisions, work effectively and comply with relevant legislation and the organisations' aims and objectives.

This procedure is to be considered in the following circumstances:

• introduction of a new paper or electronic information system to collect and hold personal data
• update or revision of a key system that might alter the way in which the organisation uses, monitors and reports personal information
• changes to an existing system where additional personal data will be collected
• proposal to collect personal data from a new source or for a new activity
• plans to outsource business processes involving storing and processing personal data
• plans to transfer services from one provider to another that include the transfer of information assets
• any change to or introduction of new data sharing agreements


3. Scope

This document applies to all staff, whether permanent, temporary or contracted. They are responsible for ensuring that they are aware of all relevant requirements and that they comply with them on a day to day basis. Furthermore, the principles of this document apply to all third parties and others authorised to undertake work on behalf of the CCGs. This document covers all aspects of information, in both paper and electronic format.

4. Key Roles and Responsibilities

Role Responsibility

Accountable Officer

The Accountable Officer and the Board have ultimate accountability for actions and inactions in relation to this document.

Senior Information Risk Officer

The CCGs' SIRO is responsible for having overall accountability for Information Governance; this includes the Data Protection and Confidentiality function. The role includes briefing the Board and providing assurance through the Audit and Risk Committee that the IG approach is effective in terms of resource, commitment and execution. The SIRO for Corby CCG and Nene CCG is the Chief Finance Officer.

Caldicott Guardian

The Caldicott Guardian has responsibility for ensuring that there are adequate standards for protecting patient information and that all data transfers are undertaken in accordance with Safe Haven guidelines and the Caldicott principles. The Caldicott Guardian for Corby CCG is a Clinical Executive. The Caldicott Guardian for Nene CCG is the GP Chair.

Data Protection Officer

The DPO has responsibility for Data Protection compliance. The DPO role for the CCGs is fulfilled by NEL CSU. Email: [email protected] Phone: 03000 428438. The DPO maintains the authority for sign off of completed DPIAs.


Deputy Director of Corporate Affairs

The Deputy Director of Corporate Affairs has overall day to day responsibility for the Information Governance in the CCG. The role includes briefing the Board, including the SIRO and Caldicott Guardian, of information risks and information incidents.

Information Manager

The Information Manager has day to day responsibility for implementing and monitoring procedures to ensure compliance with relevant information legislation.

Managers

Managers and supervisors are responsible for:
• ensuring that staff who report to them have suitable access to this document and its supporting policies and procedures and that they are implemented in their area of authority
• ensuring the initial training compliance of all staff reporting to them

All staff

Have a responsibility to:
• Be aware of the Information Governance requirements
• Support the CCG to achieve Toolkit Compliance
• Complete annual Data Security and Protection training
• Report information Incidents appropriately

5. Process

Any systems which do not identify individuals in any way do not require a DPIA to be performed. However, it is important to understand that what may appear to be “anonymised” data, could in fact be identifiable when used with other information, so anonymised data should be considered very carefully before any decision is made that it will not identify individuals.

Any person who is responsible for introducing a new or revised service or changes to a new system, process or information asset is the Information Asset Owner (IAO) and is responsible for ensuring the completion of a DPIA. This is usually the project manager.

The Data Protection Impact Assessment (NEL template) can be found at Appendix 1.

5.1 Full scale Data Protection Impact Assessment

In most small scale projects the DPIA may identify one or more Data Security risks and the lead manager will be advised on the actions necessary to mitigate or eliminate those risks.


Where the DPIA discovers complex or several Data Security risks, an action plan should be developed on how the risks will be mitigated and a report should be produced. The final report should cover (where applicable):

• A description of the proposal including the data flow process
• The case justifying the need to process an individual’s personal data and why the particular policy or project is important
• An analysis of the data protection issues arising from the project
• Details of the parties involved
• Details of the issues and concerns raised
• Discussions of any alternatives considered to meet those concerns, the consultation process, and the rationale for the decisions made
• A description of the privacy by design features adopted
• An analysis of the public interest of the scheme
• Compliance with the data protection principles
• Compliance with the Government Data Handling review’s information security recommendations

Where the proposal involves the transfer and storage of personal data the DPIA should include details of any security measures that will be put into place to ensure the data is protected and kept secure.

The organisation's Caldicott Guardian and/or Senior Information Risk Owner (SIRO) and Data Protection Officer (DPO) should be included at an early stage to ensure adequate consultation on the DPIA.

5.2 Data Flow Mapping

As part of the DPIA process we should describe how information is collected, stored, used and deleted. We should explain what information is used, what it is used for and who will have access to it.

A thorough assessment of privacy risks is only possible if an organisation fully understands how information is being used in a project. An incomplete understanding of how information is used can be a significant privacy risk, for example data might be used for unfair purposes, or disclosed inappropriately.

This part of the DPIA process can be integrated with any similar exercises which would already be done; for example, we already conduct information audits, develop information maps, and make use of information asset registers.

A Data Flow Map is a graphical representation of the data flow. This should include:

• Incoming and outgoing data
• Organisations and/or people sending/receiving information
• Storage for the ‘Data at Rest’ i.e. system, filing cabinet
• Methods of transfer


If such data has already been captured covering the proposed project or similar document, this can be useful for understanding how personal data might be used. The information flows can be recorded as a flowchart, an information asset register, or a project design brief which can then be used as an important part of the final DPIA report.

Describing information flows

• Explain how information will be obtained, used, and retained – there may be several options to consider. This step can be based on, or form part of, a wider project plan.
• This process can help to identify potential ‘function creep’ - unforeseen or unintended uses of the data (for example data sharing).
• People who will be using the information are consulted on the practical implications.
• Potential future uses of information are identified, even if they are not immediately necessary.

6. Monitoring and Review

Performance against key performance indicators will be reviewed on an annual basis through the Data Security and Protection Toolkit submission and used to inform the development of future documents.

Toolkit Data Security Standard 1.5.1: Personal information is used and shared lawfully.

Unless there is major legislation or policy, this document will be reviewed annually.

7. Training

Appropriate training will be provided to all staff annually commensurate with their role profile.

Training is available through ESR which can be found here: http://www.esrsupport.co.uk/access.php

8. Distribution and Implementation

All policy and procedural documents in respect of Information Governance will be made available via the intranet where this is in place.

Staff will be made aware of procedural updates as they occur via team briefs, management communications, shared drive availability and notification via the CCG staff intranet where this is in place.


9. Associated Legislation and Documents

To include but not limited to:

IG01a – Framework CSU Information Governance Framework

IG01b – Policy CSU Information Governance Policy

IG02a – CCG Physical Assets

IG02b – Data Assets (application provider guide)

IG03 – CCG Information Disclosure and Sharing Policy and Procedure

IG04 – CCG Email and Internet

IG05 – CCG Data Security and Protection Incidents Reporting Procedure

IG06 – CSU Confidentiality & Data Protection Policy

IG08a – Framework CSU Information Security Framework

IG08b – CCG Information Security Policy

IG09 – CCG Safe Haven Procedure

IG10a – Framework CSU Information Quality Framework

IG10b – CCG Records Management Policy

IG11 – CCG Subject Access Request

IG12 – CSU Freedom of Information Policy and Procedure

The following references and areas of legislation should be adhered to.

Confidentiality NHS Code of Practice

Data Protection Act 2018

Caldicott Guardian principles

Freedom of Information Act 2000

Environmental Information Regulations 2004

Access to Health Records 1990

Records Management NHS Code of Practice

EU General Data Protection Regulation (GDPR)

10. References

Information Commissioner’s Office Code of Practice: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Data Security and Protection Toolkit: https://www.dsptoolkit.nhs.uk/

Data Protection Act 2018: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted


EU General Data Protection Regulation (GDPR): https://www.eugdpr.org/

Freedom of Information Act 2000: http://www.legislation.gov.uk/ukpga/2000/36/contents

Data Security and Protection Incident Reporting tool: https://www.dsptoolkit.nhs.uk/News/31

The NHS Constitution for England: https://www.gov.uk/government/publications/the-nhs-constitution-for-england/the-nhs-constitution-for-england

NHS Code of Confidentiality: https://www.england.nhs.uk/wp-content/uploads/2013/06/conf-policy-1.pdf

NHS Care Record Guarantee: http://systems.hscic.gov.uk/rasmartcards/documents/crg.pdf

NHS Information Risk Management: http://systems.hscic.gov.uk/infogov/security/risk

The Caldicott Review: Information Governance in the Health and Social Care System: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf

Access to Health Records Act 1990: http://www.legislation.gov.uk/ukpga/1990/23/contents

11. Appendices


Appendix 1 The Data Protection Impact Assessment

A Word copy of the assessment document is available from the Information Team.


Data Protection Impact Assessment - Questionnaire

Do I Need to Complete a Data Protection Impact Assessment questionnaire?

When deciding whether a DPIA questionnaire is required, if the first answer is ‘yes’, but the second response is ‘unsure’, please complete the questions in section 1 of the DPIA questionnaire to assist the decision. Further guidance can be sought from the CCG Information Team: [email protected] or the CSU Information Governance Team: [email protected]. It is a requirement of the General Data Protection Regulations that all systems have a DPIA conducted, including any systems processing data that do not require a full DPIA, i.e. you must complete at least the screening questions and identify why a full DPIA is not required. If you are assessing a system which does not have a DPIA, including one that identifies that a full DPIA is not required, please complete the relevant section of this questionnaire. The questionnaire will be reviewed by the stakeholders, including the IG Lead and the recommendation from the questionnaire will be notified to the Director (Information Asset Owner). The recommendation will be either:

1. A full DPIA is required where the new process or change of use of PCD/Business Sensitive data requires more thorough investigation.

2. The DPIA questionnaire will be signed off by the Information Asset Owner/SIRO and the PIA log updated by the IG Lead.

There is an Information Security Procurement Questionnaire (for use in the commissioning process for new information systems), an Information Risk Questionnaire template and an ICT System Security Risk Assessment available to assist in assessing the risks.

[Flowchart: Do I need to complete a Data Protection Impact Assessment questionnaire?]

Question: Are you implementing a new system or service, or changing the way you work? (Yes / No)

Question: Does this project involve the collection, recording, storing or processing of person-confidential/business sensitive data? (Yes / No)

Outcome: Complete a Data Protection Impact Assessment questionnaire. You may be asked to provide supporting information e.g. contract, system specification,

Outcome: No need to conduct a full Data Protection Impact Assessment questionnaire. Complete the screening questions and note why a full DPIA is not required.

Outcome: Document in the business case and/or project documentation


Work stream:

Work stream Lead Name

Designation

Telephone

Email

Information Asset Owner (if different to above)

Implementation Date:

Key Information – please be as comprehensive as possible.

Project Name:

Description of project:


Screening Questions YES or NO

Will the project involve the collection of information about individuals?

Does the project introduce new or additional information technologies that can substantially reveal business sensitive information, specifically: have a high impact on the business, whether within a single function or across the whole business?

Will the project compel individuals to provide information about themselves?

Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?

Are you using information about individuals for a new purpose or in a new way that is different from any existing use?

Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of data to make a decision about care that’s automated.

Will the project result in you making decisions about individuals in ways which may have a significant impact on them? e.g. service planning, commissioning of new services

Will the project result in you making decisions about individuals in ways which may have a significant impact on identifiable individuals? i.e. does the project change the delivery of direct care.

N.B. If the project is using anonymised/pseudonymised data only, the response to this question is “No”.

Will the project require you to contact individuals in ways which they may find intrusive?

Key Contacts

Key Stakeholder Names & Roles:

Date:


Does the project involve multiple organisations, whether they are public sector agencies i.e. joined up government initiatives or private sector organisations e.g. outsourced service providers or business partners?

Does the project involve new or significantly changed handling of a considerable amount of personal and/or business sensitive data about each individual in a database?

Does the project involve new or significantly changed consolidation, inter-linking, cross referencing or matching of personal and/or business sensitive data from multiple sources?

If any of the screening questions have been answered “YES”, then please continue with the Data Protection Impact Assessment Questionnaire (below).

If all questions are “NO”, please return the document to the Information Governance Team and do not complete a Data Protection Impact Assessment. Please email the completed screening to [email protected]


Use of personal information

Description of data: National and local data flows containing personal and identifiable personal information

Personal Data (please tick all that apply) | Sensitive Personal Data (please tick all that apply)
Name | Racial / ethnic origin
Address (home or business) | Political opinions
Postcode | Religious beliefs
NHS No | Trade union membership
Email address | Physical or mental health
Date of birth | Sexual life
Payroll number | Criminal offences

Driving Licence [shows date of birth and first part of surname]

Biometrics; DNA profile, fingerprints

Bank, financial or credit card details

Mother’s maiden name

National Insurance number

Tax, benefit or pension Records

Health, adoption, employment, school, Social Services, housing records

Child Protection

Safeguarding Adults

Additional data types (if relevant)

Lawfulness of the processing

Conditions for processing for special categories: to be identified as whether they apply

Condition Please tick all that apply

Explicit consent unless or allowed by other legal route

Explicit consent

Other legal route

Processing is required by law

Processing is required to protect the vital interests of the person

Is any processing going to be by a not for profit organisation, e.g. a Charity

Would any processing use data already in the public domain?

Could the data being processed be required for the defence of a legal claim?

Would the data be made available publically, subject to ensuring no-one can be identified from the data?

Is the processing for a medical purpose?


Would the data be made available publically, for public health reasons?

Will any of the data being processed be made available for research purposes?

The answers will not specifically identify the legality of the data flow; your responses to the questions below need to identify the specific legal route for processing.

Business sensitive data

Financial Procurement information

Local Contract conditions (National contract conditions are in the Public domain)

Decisions impacting: One or more business function

Yes/No

Across the organisation

Description of other data collected

Answer all the questions below for the processing of Personal Confidential Data

What is the justification for the inclusion of identifiable data rather than using de-identified/anonymised data?

Will the information be new information as opposed to using existing information in different ways?


What is the legal basis for the processing of identifiable data? E.g. Conditions under the Data Protection Act 1998, the Section 251 under the NHS Act 2006 etc.

(See Appendix 1 for Legal basis under the Data Protection Legislation)

If consent, when and how will this be obtained and recorded? 1

Where and how will this data be stored?

Who will be able to access identifiable data?

Will the data be linked with any other data collections?

1 See NHS Confidentiality Code of Practice Annex C for guidance on where consent should be gained. NHS Act 2006 S251 approval is authorised by the National Information Governance Board Ethics and Confidentiality Committee and a reference number should be provided


How will this linkage be achieved?

Is there a legal basis for these linkages?


How have you ensured that the right to data portability can be respected? i.e. Data relating to particular people can be extracted for transfer to another Data Controller, at the request of the person to which it relates, subject to:

Receipt of written instructions from the person to which the data relates.

Including data used for any automated processing,

And

The transfer of the data has been made technically feasible.

N.B. Transferable data does not include any data that is in the public domain at the time of the request.

No data that may affect the rights of someone other than the person making the request can be included.

What security measures will be used to transfer the data?

What confidentiality and security measures will be used to store the data?


How long will the data be retained in identifiable form? And how will it be de-identified? Or destroyed?

What governance measures are in place to oversee the confidentiality, security and appropriate use of the data and manage disclosures of data extracts to third parties to ensure identifiable data is not disclosed or is only disclosed with consent or another legal basis?

If holding personal i.e. identifiable data, are procedures in place to provide access to records under the subject access provisions of the DPA?

Is there functionality to respect objections/ withdrawals of consent?

Are there any plans to allow the information to be used elsewhere either in the NEL CSU, wider NHS or by a third party?

Will the fair processing notices in relation to this data be updated and ensure it includes:

• ID of data controller

• Legal basis for the processing

• Categories of personal data

• Recipients, sources or categories of recipients of the data: any sharing or transfers of the data (including to other countries)

• Any automated decision making

• Retention period for the personal data

• Existence of data subject rights, including withdrawal of consent and data portability

The data must be able to be easily separated from other datasets to enable data portability (see previous questions), audit of data relating to specific organisations and to facilitate any requirements for service transitions.

Are there any new or additional reporting requirements for this project? Yes/No

What roles will be able to run reports?

What roles will receive the report or where will it be published?


Will the reports be in person-identifiable, pseudonymised or anonymised format?

Will the reports be in business sensitive or redacted (removing anything which is sensitive) format?

If this new/revised function should stop, are there plans in place for how the information will be retained/archived/transferred or disposed of? Yes/No

Are multiple organisations involved in processing the data? If yes, list below Yes/No

Name Data Controller (DC) or Data Processor (DP)? Completed and compliant with the IG Toolkit2 Yes/No

Has a data flow mapping exercise been undertaken?

If yes, please provide a copy, if no, please undertake – see Note 4 for guidance

Yes/No

2 The Data Security and Protection Toolkit is a self-assessment tool provided by NHS Digital to assess compliance to the Information Governance

Is Mandatory Staff Training in place for the following? Yes/No Dates

Data Collection:

Use of the System or Service:

Collecting Consent:

Information Governance:

Describe the information flows

The collection, use and deletion of personal data should be described here and it may also be useful to refer to a flow diagram or another way of explaining data flows.

Does any data flow in identifiable form? If so, from where, and to where?

Media used for data flow?

(e.g. email, fax, post, courier, other – please specify all that will be used)


Data Protection Risks

List any identified risks to Data Protection and personal information of which the project is currently aware.

Risks should also be included on the project risk register.

Risk Description (to individuals, to the NEL CSU or to wider compliance)

Current Impact

Current Likelihood

Risk Score (I x L)

Proposed Risk solution (Mitigation)

Is the risk reduced, transferred, or accepted? Please specify.

Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?

Approval by IG Team/Information Security

Risk Description Approved solution Approved by Date of approval


Actions to be taken

Action to be taken Date of Completion Action Owner

Consultation requirements

Part of any project is consultation with stakeholders and other parties. In addition to those indicated in “Key information”, above, please list other groups or individuals with whom consultation should take place in relation to the use of person identifiable information.

It is the project’s responsibility to ensure consultations take place, but IG will advise and guide on any outcomes from such consultations.

Further information/Attachments

Please provide any further information that will help in determining Data Protection impact.

See note 5 for examples


IG Team comments:

Following review of this DPIA by the Information Governance Team, a determination will be made regarding the Data Protection impact and how the impact will be handled. This will fall into three categories:

1. No action is required by IG excepting the logging of the Screening Questions for recording purposes.

2. The questionnaire shows use of personal information but in ways that do not need direct IG involvement – IG may ask to be kept updated at key project milestones.

3. The questionnaire shows significant use of personal information requiring IG involvement via a report and/or involvement in the project to ensure compliance.


It is the intention that IG will advise and guide those projects that require IG compliance but at all times will endeavour to ensure that the project moves forward and that IG is not a barrier unless significant risks come to light which cannot be addressed as part of the project development and will need to be escalated to the NEL CSU Senior Information Risk Owner (SIRO), David Thomas, for approval.

The DPIA Process

Complete DPIA Questionnaire

Obtain IG review

Add to DPIA Log

Project/New Process Start

Implement any necessary actions in agreed timescales.

You may be asked to provide supporting information e.g. contract, system specification, consent forms etc.

You may be asked to provide assurance that the agreed IG actions have been implemented and are effective on privacy

You may be required to include recommendations from the Information Asset Owner Group or IGG. Post implementation reviews for subsequent changes and conduct a new PIA if required.

Request IAO/SIRO approval


Please email entire completed document to [email protected]

IG review

IG staff name:

Signature:

Date:

Information Asset Owner (IAO) approval (for low to medium risk processing)

IAO name:

Signature:

Date:

SIRO approval (for high risk processing)

SIRO name:

Signature:

Date:


Appendix 2 - The conditions (the legal basis) for processing Personal Data under the Data Protection Legislation

The conditions for processing Personal Data and Sensitive Personal Data under the Data Protection Legislation: the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 as referenced in this Act, identified in this documentation as the Data Protection Legislation.

Definition of Personal Data and Sensitive Personal Data

Data:

• The Data Protection Act defines data as:

– Information which is being processed automatically in response to instruction

– Information recorded as part of a highly structured filing system (e.g. an individual with limited knowledge of the filing structure could logically retrieve relevant information)

– Recorded information held by a public authority

– Information that forms part of an accessible record (health, educational, public record)

Personal Data:

• Personal data means data which relates to a living person who can be identified from that set of data or who could be identified if that data was combined with other information either available or likely to become available.

• This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

Sensitive Personal Data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10). Special categories of personal data include information relating to the data subject’s:

racial or ethnic origin,

political opinions,

religious beliefs or other beliefs of a similar nature,

trade union membership,

physical or mental health or condition,

sexual life,

the commission or alleged commission by him of any offence, or

any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

The Data Protection Act (DPA) outlines 6 principles for handling Personal Confidential Data (PCD), with 2 additional safeguards:

1. Data must be processed fairly and lawfully

2. Data must be obtained and processed only for one or more specified and lawful purposes

3. Data must be adequate, relevant and not excessive in relation to the purpose

4. Data must be accurate and kept up to date

5. Data must not be kept for longer than is necessary

6. Appropriate technical and organisational security measures for the data must be in place

Safeguards:

1. Data must be processed in accordance with the rights of data subjects

2. Sensitive Data must only be processed with legal compliance to the Act, referenced to a current policy. e.g. Can only be processed in a country or territory outside the United Kingdom unless adequate levels of protection are in place, within statutory functions.

Supporting Guidance for Completion of the Privacy Impact Assessment

1. Information Asset

E.g. Operating systems, infrastructure, business applications, off-the-shelf products, services, user-developed applications, devices/equipment, records and information (extensive list).

2. Person Confidential Data

Key identifiable information includes:

• patient’s name, address, full post code, date of birth;

• pictures, photographs, videos, audio-tapes or other images of patients;

• NHS number and local patient identifiable codes;

• Anything else that may be used to identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow individuals to be identified.

3. New use of information could include: - consistent with PIA Introduction

Setting up of a new service.

The Commissioning of a new service

Data Extracts

Setting up a database or independent Patient System

Reports

Examples of changes to use of information could include:

Moving paper files to electronic systems

Collecting more data than before

Using Data Extracts for a different purpose

Additional organisations involved in information process

Revisions to systems, databases (including merges) or spread sheet reports

4. Data Flow Mapping

A Data Flow Map is a graphical representation of the data flow. This should include:

Incoming and outgoing data

Organisations and/or people sending/receiving information

Storage for the ‘Data at Rest’ i.e. system, filing cabinet

Methods of transfer

5. Examples of additional documentation which may be required (copies):

Contracts

Confidentiality Agreements

Project Specification

System Specifications (including Access Controls)

Local Access Controls Applications

Information provided to patients

Consent forms

