Date post: | 22-Mar-2018 |
Category: |
Documents |
Upload: | vuongkhanh |
View: | 214 times |
Download: | 1 times |
Schedule A 12
Schedule A to the Surrey Provision of Care Information Sharing Agreement
Project Specific Sharing Specification
Reference No: SCC ASC IG Team to complete
Sharing Start Date:Sharing Specification Review Date:Lead Organisation(s):
Summary of the Sharing Requirement
Add a summary of the initiative - this may be taken from a business case or project plan
The Sharing Organisation(s)
Within the framework established in The Agreement the organisations detailed below agree to make the PCD identified in this Project Specific Sharing Specification available for use to the User Organisation(s) identified in this Project Specific Sharing Specification.
For the purposes of this sharing initiative the Sharing Organisation(s) may create, edit, archive and delete the PCD.
The Sharing Organisation(s):
1. Are Signatories to The Agreement;
Schedule A 13
2. Have confirmed that the User Organisation(s) are Signatories to The Agreement and Trusted Organisations or have independently assessed any Statements of Compliance and are satisfied that the necessary controls are in place to allow the User Organisation(s) to access the PCD in compliance with The Agreement;
3. Have approved the PIA documentation associated with this Project Specific Sharing Specification; and4. Have confirmed that this Project Specific Sharing Specification complies with the terms of The Agreement
Organisation identifier
Organisation name Designated Officer Data Protection Designation
[Data Controller / Data Processor/
Data Controller in Common/
Data Controllers – Joint]
[Data Controller / Data Processor/
Data Controller in Common/
Data Controllers – Joint]
[Insert additional rows to the table above as required depending on the number of Sharing Organisations]
Schedule A 14
The User Organisations
Within the framework established in The Agreement the organisations detailed below agree to use the PCD identified in this Project Specific Sharing Specification for care purposes in compliance with the terms of The Agreement.
For the purposes of this sharing initiative the User Organisation(s) may [create, edit, archive and delete] the PCD.
[For the purposes of this sharing initiative the use of PCD is restricted to (e.g.) viewing of the data]
The User Organisation(s):
1. Are Signatories to The Agreement; 2. Are Trusted Organisations or have provided a Statement of Compliance which has been independently assessed by the Sharing
Organisation(s) to confirm the necessary controls are in place to allow the User Organisation(s) to access the PCD in compliance with The Agreement;
Organisation identifier
Organisation name IGTK level/Assurance Statement
Date checked
Designated Officer
Data Protection Designation
Teams using the confidential data
Reason for using data
[Data Controller / Data Processor/
Data Controller in Common/
Data Controllers – Joint]
Schedule A 15
[Data Controller / Data Processor/
Data Controller in Common/
Data Controllers – Joint]
[Insert additional rows to the table above as required depending on the number of User Organisations]
Schedule A 16
The Shared Categories of Data
Within the framework established in The Agreement the following categories of data will be shared under this Project Specific Sharing Specification. Persistent data sharing refers to situations where a distinct copy of data is transferred from one data controller to another. Temporary data sharing refers to situations where no distinct copy of data is transferred from one data controller to another with the original data being viewed by another data controller ‘temporarily’.
The data identified below includes PCD as well as data which may not be confidential or personal. All categories of data shared under this Project Specific Sharing Specification are included for completeness and not because the data is necessarily regarded as PCD.
ID Data category Abbreviation Primary Data Controller
Source application Persistent or Temporary
1 [e.g. Demographic data including:
Full Name Full Address Date of Birth NHS Number]
[e.g. Demographics] [e.g. Organisation A] [e.g. Organisation A instance of EMIS]
[e.g. temporary (view only)]
2 [e.g. Pseudonymised data including:
Pseudinymised ID based on NHS Number
Attendance date
Treatment]
[e.g. Pseudonymised dataset]
[e.g. Organisation B] [e.g. Organisation B data warehouse]
[e.g. permanent (transfer of data to Organisation C Data Warehouse]
Schedule A 17
[Insert additional rows to the table above as required depending on the number of Data Categories being shared under the Project Specific Sharing Specification]
Responsibilities
Within the framework established in The Agreement the Sharing Organisation(s) and User Organisation(s) will have the following responsibilities under this Project Specific Sharing Specification.
Organisation identifier
Organisation name Services to be provided
[e.g. Org A] [e.g. Organisation A] [e.g. Access Control:
granting system access terminating access authorisation maintaining lists of authorised users technical support (hardware, software, etc.) RA services training (provision, completion and monitoring) etc.
Monitoring/Auditing:
routine monitoring/reporting requesting ad-hoc reporting responsibility for responding to any actual or suspected inappropriate access etc.]
[e.g. Org B] [e.g. Organisation B]
[Insert additional rows to the table above as required depending on the number of Sharing Organisations and User Organisations]
Schedule A 18
Schedule A 19
Data Protection Compliance
Within the framework established in The Agreement, data shared under this Project Specific Sharing Specification will maintain compliance with The Act as detailed below.
Principle Requirement Compliance
Fair and Lawful ProcessingAll sharing of PCD under The Agreement must be accompanied by Fair Processing or Privacy Notices which comply with the Information Commissioner’s Office Privacy notices code of practice. As a minimum these must be readily available to the Individuals whose PCD will be shared and will ensure those Individuals are informed of:
the identity of all organisations/parties involved in the information sharing;
the purpose or purposes for which the organisations/parties intend to Process the information; and
any extra information necessary in the circumstances to enable PCD to be processed fairly.
A Project Specific Fair Processing Notice has been developed which covers all processing of data which will be conducted as part of the information sharing initiative (including Direct Care and Secondary Purposes):
Yes
No
The Fair Processing Notice has been reviewed against and complies with the Information Commissioner’s Office Privacy notices code of practice.
Yes
No
[Describe how the Fair Processing Notice will be made available to Individuals whose PCD will be shared]
Schedule A 20
The sharing of PCD will only occur where this is likely to facilitate the provision of health or social care services to the Individual and is in the Individual’s best interests.
Yes
No
Information that concerns, or is connected with, the provision of health services or adult social care by an anonymous access provider will not be shared under The Agreement without the Explicit Consent of Individuals as specified within Schedule 2 (1) and Schedule 3 (1) of The Act.
Anonymous access provider data will be shared as part of this information sharing initiative:
Yes
No
If Yes, Explicit Consent will be sought prior to this data being shared:
Yes
No
N/A
For all other sharing of PCD under The Agreement, wherever possible the Explicit Consent of Individuals as specified within Schedule 2 (1) and Schedule 3 (1) of The Act will be sought prior to PCD being shared under The Agreement.
Explicit Consent will be sought prior to this data being shared:
Yes
No
Schedule A 21
Where Explicit Consent cannot be sought:
Schedule 2 (3) of The Act will be relied upon to ensure organisations comply with the Duty to Share within the Health and Social Care (Safety and Quality) Act 2015; and
Individuals will be provided with the opportunity to object to the sharing and any objections will be fully considered and respected unless capacity and competence are in question in which case The Mental Capacity Act 2005 Code of Practice will be followed to assess whether a best interest’s decision should instead be made; and
Schedule 8 (1) of The Act will be relied upon by ensuring the Processing is necessary for Medical Purposes and is only undertaken by a Health Professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a Health Professional.
[If No, Describe how the requirement will be satisfied including the opt-out process]
Specified and lawful purposesSharing of PCD under The Agreement will only occur for the purpose of the Provision of Care.
Yes
No
Schedule A 22
Adequate, relevant and not excessive The minimum necessary PCD required the fulfil
the purpose of the Provision of Care will be shared under The Agreement.
[Describe how the requirement will be satisfied – provide justification for the level of PCD being shared. Where appropriate, refer to the findings of the PIA which should have assessed the level of data being shared]
Accurate and up to dateAll parties will take appropriate steps to ensure all PCD shared under The Agreement is accurate and kept up to date.
The Sharing Organisation(s) have appropriate Data Quality processes in place and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:
Yes
No
A procedure for the User Organisation(s) to feedback Data Quality issues identified to the Sharing Organisation(s) has been developed:
Yes
No
[Provide references to any existing or newly developed procedures for dealing with data quality issues identified]
Not be kept for longer than necessary PCD shared under The Agreement will only be A retention period has been identified for
Schedule A 23
retained for the minimum period of time necessary to fulfil the purpose of the Provision of Care.
the PCD shared under this Project Specific Sharing Specification:
Yes
No
[Confirm the identified/agreed retention period for the PCD being shared and provide justification (e.g. the Records Management Code of Practice for Health and Social Care 2016). Where appropriate, refer to the findings of the PIA which should have assessed the need to retain the PCD being shared]
Rights of data subjects All sharing of PCD under The Agreement will occur in accordance with the Rights of Individuals. As a minimum each information sharing initiative must uphold the Rights of Individuals whose PCD is shared to:
access to a copy of the information; object to Processing that is likely to cause
or is causing damage or distress; prevent Processing for direct marketing; object to decisions being taken by
automated means; in certain circumstances have inaccurate
personal data rectified, blocked, erased or destroyed; and
The Sharing Organisation(s) have Subject Access processes in place and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:
Yes
No
[Provide references to any existing or newly developed procedures for dealing with Subject Access Requests]
The Sharing Organisation(s) have processes to enable Individuals to object to Processing that is likely to cause or is causing damage
Schedule A 24
claim compensation for damages caused by a breach of The Act.
or distress at any stage of the project and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:
Yes
No
[Provide references to any existing or newly developed procedures for dealing with objections to Processing and explain how these are made available to all Sharing and User Organisations]
Will direct marketing occur as a result of this information sharing initiative?
Yes
No
If Yes, a procedure is in place to enable Individuals to opt out of direct marketing:
Yes
No
N/A
[If Yes, provide references to any existing or newly developed procedures for dealing with objections to
Schedule A 25
direct marketing and explain how these are made available to all Sharing and User Organisations]
Will any decisions relating to Individuals be taken by automated means?
Yes
No
If Yes, a procedure is in place to enable Individuals to object to the automated decision making:
Yes
No
N/A
[If Yes, provide references to any existing or newly developed procedures for dealing with objections to automated decision making and explain how these are made available to all Sharing and User Organisations]
A procedure for the User Organisation(s) to refer Subject Access Requests and other issues, feedback or complaints received to the Sharing Organisation(s) has been developed and is available to all User
Schedule A 26
Organisations:
Yes
No
[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]
Technical and organisational measures against unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data
Sharing of PCD under The Agreement will only occur where appropriate technical and organisational measures are in place that take account of the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction.
An assessment of the risks will be completed for each sharing initiative in the form of a PIA which as a minimum will consider:
Management and organisational measures;
Staff vetting and training; Physical security; Technical security; Business continuity and disaster recovery; Incident management.
All Sharing and User Organisations are Trusted Organisations under The Agreement:
Yes
No
[Describe the specific controls/security in place for this project – outline any existing or newly developed procedures to ensure the security of PCD. Where appropriate, refer to the findings of the PIA which should have assessed the Information Security Risks]
Schedule A 27
Transferred outside the EEAPCD shared under The Agreement will not be transferred outside of the EEA.
Will PCD be shared under this Project Specific Sharing Specification be transferred outside the EEA?
Yes
No
If Yes, has the proposed transfer of personal data outside the EEA been assessed in line with the with the Information Commissioner’s Office Assessing Adequacy International data transfers and a finding of adequacy been made?
Yes
No
N/A
[Describe the specific controls/security in place for this project – outline any existing or newly developed procedures to ensure the security of PCD. Where appropriate, refer to the findings of the PIA which should have assessed the Adequacy of he controls]
Schedule A 28
Consent / Legal Basis
[Describe how Explicit Consent will be obtained]
[Where Explicit Consent will not be obtained:
Describe why this cannot be sought and the process by which Individuals will be provided with the opportunity to object to the sharing (with reference to the Fair Processing Notices where relevant) and how those objections will be fully considered and respected;
If relevant, describe the process by which capacity and competence will be assessed in line with The Mental Capacity Act 2005 Code of Practice and whether best interest’s decisions may be made;
Confirm whether Schedule 8 (1) of The Act will be relied upon by ensuring the Processing is necessary for Medical Purposes and is only undertaken by a Health Professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a Health Professional (e.g. a Social Care Professional) – if not (e.g. data will be shared with the non-care professionals, the Voluntary Sector, etc.) , describe what alternative legitimising condition of The Act will be relied upon;
Confirm that information that concerns, or is connected with, the provision of health services or adult social care by an anonymous access provider will not be shared under The Agreement]
Schedule A 29
Access Control, Auditing and Monitoring
Within the framework established in The Agreement and in order to comply with the requirements of The Act, data shared under this Project Specific Sharing Specification will be subject to the following arrangements to ensure appropriate access to data held electronically.
[complete the table below for each system/information asset to which individuals or organisations require access to facilitate the sharing of data]
System Name
Access Control ProcedureThe Sharing Organisation has Access Control Procedures in place and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:
Yes
No
[If Yes, provide references to any existing or newly developed procedures which will be relied upon/followed. As a minimum the procedure should cater for access by third party employees (User Organisation employees) and document:
The requirements for access (e.g. training, authorisation, completion of forms, etc.)
Authorisation process (the individuals/roles within each organisation that are required to authorise access and the process by which authorisation will be obtained e.g. completion of form and senior manager sign off)
The account creation/access setup process, including how credentials will be distributed to users
The account deletion/termination process, including how identification of accounts requiring termination are identified (e.g. notification by user, organisation, monitoring of account activity, etc.]
Schedule A 30
The procedure for the User Organisation(s) to obtain access has been developed and is available to all User Organisations:
Yes
No
[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]
Monitoring/Auditing ProcedureThe Sharing Organisation has Monitoring/Auditing Procedures in place to identify inappropriate access and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:
Yes
No
[If Yes, provide references to any existing or newly developed procedures which will be relied upon/followed. As a minimum the procedures should cater for access by third party employees (User Organisation employees) and document:
The type of reports available The procedure for routine reporting (running, distributing and following
up reports) The procedure for requesting Ad-hoc reporting; The procedure for incident management (e.g. reporting to
managers/IAOs/Caldicott Guardians, investigation processes and actions available against individuals such as disciplinary action, suspension, etc.]
The procedures for Monitoring/Reporting inappropriate access is
Schedule A 31
available to all User Organisations:
Yes
No
[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]
A shared Incident Reporting and Management Procedure has been developed to respond to any identified or suspected incidents of inappropriate access and is available to all Sharing and User Organisations:
Yes
No
[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]
Schedule A 32
Business Continuity
Within the framework established in The Agreement and in order to comply with the requirements of The Act, data shared under this Project Specific Sharing Specification will be subject to the following Business Continuity Arrangements to ensure operational processes and services reliant on the data sharing can be maintained during any unavailability.
System Name
Business Continuity ProcedureThe Sharing Organisation has procedures in place for maintaining Business Continuity during any period of downtime which may occur and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:
Yes
No
[Describe which users/User Organisations may be affected by any downtime/service disruption and how the Business Continuity Procedures have been shared with/made available to users and User Organisations.
Where no Business Continuity arrangements are in place, this should be documented and the risks assessed within the Full Scale PIA. The outcome of the risks assessment and the approval by Designated Officers should be explicitly detailed in this section.]
Schedule A 33
Signature
Reference No: SCC ASC IG Team to complete
Sharing Start Date:Sharing Specification Review Date:
Lead Organisation(s):
Signatory
Name
Job Title of Person signing this agreement (Designated Officer)
Organisation
Signature
Date of signing
Head of IG name and contact details