Summary of the Initial Data Protection Impact Assessment. The DPIA completed by the data controllers identified the following risks and additional actions to be taken to mitigate impact:

• Inappropriate access to individuals’ personal data, to be mitigated via:
  o Anonymised patient / service user data to be used wherever possible;
  o Pseudonymised NHS patient data to be used is subject to data sharing agreements with NHS Digital and NHS Providers;
  o Identifiable and confidential patient / service user data will only be used with written authorisation from the SCC / CCG Caldicott Guardian;
  o Special Category Personal Data of Staff will only be used where approved by SCC / CCG Information Asset Owner

• ICT systems holding / processing personal data are not secure leading to IG incidents, to be mitigated via:
  o Completion of Digital Technology Assessment Criteria (DTAC) by suppliers of any new ICT systems
  o Completion of appropriate ICT related assurance by data controllers for all ICT systems that hold personal data

• Individuals’ rights under data protection legislation are not met, to be mitigated via:
  o Agreed Standard Operating Procedure for handling Information Rights Requests relating to integrated commissioning teams
  o Privacy Notices and Records of Processing of SCC and CCG updated to detail sharing of data for these purposes

• Inappropriate sharing of commercially sensitive data, to be mitigated via:
  o Confidentiality related clauses in Surrey Heartlands ISA and data included in Schedule
  o Honorary Agreements in place with SCC / CCG staff granted access to data

The data controllers are satisfied that, once the controls detailed above have been implemented, the risks will have been mitigated to a level that is considered by them to be acceptable.
Samples: www.surreyheartlands.uk