Common use of Summary of the Initial Data Protection Impact Assessment Clause in Contracts

Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. Concepts of informed consent and compliance with the Caldicott and Data Protection Principles have been incorporated into the software design. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations acting together as the IG Steering Group that oversees Connected Care . The IG Steering Group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. The initial DPIA recommends that a new Data Protection Impact Assessment is not required. It is the recommendation of the IG Steering Group that the proposed Connected Care analytics capability based on GraphNet’s Azure platform is appropriate for the Connected Care programme. Furthermore, it is the view of the Berkshire Local Medical Committee “that the Graphnet solution and proposed change for creating a Central Data Repository has been subjected to a rigorous Information Governance and technical security assessment. It is therefore the LMC’s recommendation that the Graphnet solution and proposed Central Data Repository is fit for purpose, appropriate and justifiable”. Agreement Implementation Status On behalf of the Sharing Organisation I confirm that the information sharing arrangements described in this schedule are agreed and the information described in this schedule is to be made available to the User Organisations and individuals identified in this schedule starting on the Sharing Requirement Start Date and ending on the Sharing Requirement End Date. SU190005 – Windsor Riverside PCN Analytics Agreed by {{!guardian_es_:font(name=calibri,size=10) }} as Caldicott Guardian / Designated Officer / Data Protection Officer, for and on behalf of {{!org_es_:font(name=calibri,size=10) }} {{!addr_es_:font(name=calibri,size=10) }}. End of Schedule K Schedule L – SU190005/{{!dpiaprefix_es_:font(name=calibri,size=10)}}– Windsor Riverside PCN Analytics This schedule to the Regional Health and Social Care Information Sharing Agreement provides key questions covering six risk categories which when answered objectively offer an initial assessment of the additional risks to privacy posed by the proposed sharing of information. Where a question gives rise to an affirmative answer, it does not automatically follow that a full scale Data Protection Impact Assessment is required. Each affirmative answer needs to be assessed for materiality (probability and impact) and for ways in which the potential risks can be avoided or materially mitigated with a revised solution or additional measures. Where a substantial number of questions give rise to an affirmative answer this is a good indicator that a full scale Data Protection Impact Assessment is required and project plans should include the costs and timescales of this activity and any associated consultation that may be needed. Wherever practical the rationale for an answer should be included with the answer concerned. Questions relating to “identity risk” (questions 2 to 8) are of heightened importance in the context of data that has not been anonymised or pseudonymised. These questions have been revised to include latest (summer 2018) guidance provided by the Information Commissioner’s Office. Other aspects are based on guidance from the Information Governance Alliance. Technology Risk

Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. Concepts of informed consent and compliance with the Caldicott and Data Protection Principles have been incorporated into the software design. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations acting together as the IG Steering Group that oversees Connected Care . The IG Steering Group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. The initial DPIA recommends that a new Data Protection Impact Assessment is not required. It is the recommendation of the IG Steering Group that the proposed Connected Care analytics capability based on GraphNet’s Azure platform is appropriate for the Connected Care programme. Furthermore, it is the view of the Berkshire Local Medical Committee “that the Graphnet solution and proposed change for creating a Central Data Repository has been subjected to a rigorous Information Governance and technical security assessment. It is therefore the LMC’s recommendation that the Graphnet solution and proposed Central Data Repository is fit for purpose, appropriate and justifiable”. Agreement Implementation Status On behalf of the Sharing Organisation I confirm that the information sharing arrangements described in this schedule are agreed and the information described in this schedule is to be made available to the User Organisations and individuals identified in this schedule starting on the Sharing Requirement Start Date and ending on the Sharing Requirement End Date. SU190005 SU190009 – Windsor Riverside Ascot PCN Analytics Agreed by {{!guardian_es_:font(name=calibri,size=10) }} as Caldicott Guardian / Designated Officer / Data Protection Officer, for and on behalf of {{!org_es_:font(name=calibri,size=10) }} {{!addr_es_:font(name=calibri,size=10) }}. End of Schedule K Schedule L – SU190005/{{!dpiaprefix_es_:font(name=calibri,size=10)}}SU190009/DPIA0007– Windsor Riverside Ascot PCN Analytics This schedule to the Regional Health and Social Care Information Sharing Agreement provides key questions covering six risk categories which when answered objectively offer an initial assessment of the additional risks to privacy posed by the proposed sharing of information. Where a question gives rise to an affirmative answer, it does not automatically follow that a full scale Data Protection Impact Assessment is required. Each affirmative answer needs to be assessed for materiality (probability and impact) and for ways in which the potential risks can be avoided or materially mitigated with a revised solution or additional measures. Where a substantial number of questions give rise to an affirmative answer this is a good indicator that a full scale Data Protection Impact Assessment is required and project plans should include the costs and timescales of this activity and any associated consultation that may be needed. Wherever practical the rationale for an answer should be included with the answer concerned. Questions relating to “identity risk” (questions 2 to 8) are of heightened importance in the context of data that has not been anonymised or pseudonymised. These questions have been revised to include latest (summer 2018) guidance provided by the Information Commissioner’s Office. Other aspects are based on guidance from the Information Governance Alliance. Technology Risk

Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. Concepts of informed consent and compliance with the Caldicott and Data Protection Principles have been incorporated into the software design. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations acting together as the IG Steering Group that oversees Connected Care . The IG Steering Group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. The initial DPIA recommends that a new Data Protection Impact Assessment is not required. It is the recommendation of the IG Steering Group that the proposed Connected Care analytics capability based on GraphNet’s Azure platform is appropriate for the Connected Care programme. Furthermore, it is the view of the Berkshire Local Medical Committee “that the Graphnet solution and proposed change for creating a Central Data Repository has been subjected to a rigorous Information Governance and technical security assessment. It is therefore the LMC’s recommendation that the Graphnet solution and proposed Central Data Repository is fit for purpose, appropriate and justifiable”. Agreement Implementation Status On behalf of the Sharing Organisation I confirm that the information sharing arrangements described in this schedule are agreed and the information described in this schedule is to be made available to the User Organisations and individuals identified in this schedule starting on the Sharing Requirement Start Date and ending on the Sharing Requirement End Date. SU190005 SU200002 – Windsor Riverside PCN Analytics {{!PCNname_es_:font(name=calibri,size=10) }} Agreed by {{!guardian_es_:font(name=calibri,size=10) }} as Caldicott Guardian / Designated Officer / Data Protection Officer, for and on behalf of {{!org_es_:font(name=calibri,size=10) }} {{!addr_es_:font(name=calibri,size=10) }}. End of Schedule K Schedule L – SU190005/{{!dpiaprefix_es_:font(nameSU200002/DPIA0007– PCN Analytics {{!PCNname_es_:font(name=calibri,size=10)}}– Windsor Riverside PCN Analytics } This schedule to the Regional Health and Social Care Information Sharing Agreement provides key questions covering six risk categories which when answered objectively offer an initial assessment of the additional risks to privacy posed by the proposed sharing of information. Where a question gives rise to an affirmative answer, it does not automatically follow that a full scale Data Protection Impact Assessment is required. Each affirmative answer needs to be assessed for materiality (probability and impact) and for ways in which the potential risks can be avoided or materially mitigated with a revised solution or additional measures. Where a substantial number of questions give rise to an affirmative answer this is a good indicator that a full scale Data Protection Impact Assessment is required and project plans should include the costs and timescales of this activity and any associated consultation that may be needed. Wherever practical the rationale for an answer should be included with the answer concerned. Questions relating to “identity risk” (questions 2 to 8) are of heightened importance in the context of data that has not been anonymised or pseudonymised. These questions have been revised to include latest (summer 2018) guidance provided by the Information Commissioner’s Office. Other aspects are based on guidance from the Information Governance Alliance. Technology Risk

Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. Concepts of informed consent and compliance with the Caldicott and Data Protection Principles have been incorporated into the software design. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations acting together as the IG Steering Group that oversees Connected Care . The IG Steering Group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. The initial DPIA recommends that a new Data Protection Impact Assessment is not required. It is the recommendation of the IG Steering Group that the proposed Connected Care analytics capability based on GraphNet’s Azure platform is appropriate for the Connected Care programme. Furthermore, it is the view of the Berkshire Local Medical Committee “that the Graphnet solution and proposed change for creating a Central Data Repository has been subjected to a rigorous Information Governance and technical security assessment. It is therefore the LMC’s recommendation that the Graphnet solution and proposed Central Data Repository is fit for purpose, appropriate and justifiable”. Agreement Implementation Status On behalf of the Sharing Organisation I confirm that the information sharing arrangements described in this schedule are agreed and the information described in this schedule is to be made available to the User Organisations and individuals identified in this schedule starting on the Sharing Requirement Start Date and ending on the Sharing Requirement End Date. SU190005 SU190012 – Windsor Riverside PCN Analytics {{!PCNname_es_:font(name=calibri,size=10) }} Agreed by {{!guardian_es_:font(name=calibri,size=10) }} as Caldicott Guardian / Designated Officer / Data Protection Officer, for and on behalf of {{!org_es_:font(name=calibri,size=10) }} {{!addr_es_:font(name=calibri,size=10) }}. End of Schedule K Schedule L – SU190005/{{!dpiaprefix_es_:font(nameSU190012/DPIA0007– PCN Analytics {{!PCNname_es_:font(name=calibri,size=10)}}– Windsor Riverside PCN Analytics } This schedule to the Regional Health and Social Care Information Sharing Agreement provides key questions covering six risk categories which when answered objectively offer an initial assessment of the additional risks to privacy posed by the proposed sharing of information. Where a question gives rise to an affirmative answer, it does not automatically follow that a full scale Data Protection Impact Assessment is required. Each affirmative answer needs to be assessed for materiality (probability and impact) and for ways in which the potential risks can be avoided or materially mitigated with a revised solution or additional measures. Where a substantial number of questions give rise to an affirmative answer this is a good indicator that a full scale Data Protection Impact Assessment is required and project plans should include the costs and timescales of this activity and any associated consultation that may be needed. Wherever practical the rationale for an answer should be included with the answer concerned. Questions relating to “identity risk” (questions 2 to 8) are of heightened importance in the context of data that has not been anonymised or pseudonymised. These questions have been revised to include latest (summer 2018) guidance provided by the Information Commissioner’s Office. Other aspects are based on guidance from the Information Governance Alliance. Technology Risk