Common use of Summary of the Initial Data Protection Impact Assessment Clause in Contracts

Summary of the Initial Data Protection Impact Assessment. The DPIA completed by the data controllers identified the following risks and additional actions to be taken mitigate impact: • Inappropriate access to individuals’ personal data to be mitigated via: o Anonymised patient / service user data to be used wherever possible; o Pseudonymised NHS patient data to be used is subject to data sharing agreements with NHS Digital and NHS Providers; o Identifiable and confidential patient / service user data will only be used with written authorisation from the SCC / CCG Caldicot Guardian; o Special Category Personal Data of Staff will only be used where approved by SCC / CCG Information Asset Owner • ICT systems holding / processing personal data are not secure leading to IG incidents, to be mitigated via: o Completion of Digital Technology Assessment Criteria (DTAC) by suppliers of any new ICT systems o Completion of appropriate ICT related assurance by data controllers for all ICT systems that hold personal data • Individuals’ rights under data protection legislation are not met, to be mitigated via: o Agreed Standard Operating Procedure for handling Information Rights Requests relating to integrated commissioning teams o Privacy Notices and Records of Processing of SCC and CCG updated to detail sharing of data for these purposes • Inappropriate sharing of commercially sensitive data, to be mitigated via: o Confidentiality related clauses in Surrey Heartlands ISA and data included in Schedule o Honorary Agreements in place with SCC / CCG staff granted access to data The data controllers are satisfied that once the controls detailed above have been implemented that the risks will have been mitigated to a level that is considered by them to be acceptable.