Summary of the Initial Data Protection Impact Assessment. The DPIA completed by the data controllers identified the following risks and additional actions to be taken mitigate impact: • Inappropriate access to individuals’ personal data to be mitigated via: o Anonymised patient / service user data to be used wherever possible; o Pseudonymised NHS patient data to be used is subject to data sharing agreements with NHS Digital and NHS Providers; o Identifiable and confidential patient / service user data will only be used with written authorisation from the SCC / CCG Caldicot Guardian; o Special Category Personal Data of Staff will only be used where approved by SCC / CCG Information Asset Owner • ICT systems holding / processing personal data are not secure leading to IG incidents, to be mitigated via: o Completion of Digital Technology Assessment Criteria (DTAC) by suppliers of any new ICT systems o Completion of appropriate ICT related assurance by data controllers for all ICT systems that hold personal data • Individuals’ rights under data protection legislation are not met, to be mitigated via: o Agreed Standard Operating Procedure for handling Information Rights Requests relating to integrated commissioning teams o Privacy Notices and Records of Processing of SCC and CCG updated to detail sharing of data for these purposes • Inappropriate sharing of commercially sensitive data, to be mitigated via: o Confidentiality related clauses in Surrey Heartlands ISA and data included in Schedule o Honorary Agreements in place with SCC / CCG staff granted access to data The data controllers are satisfied that once the controls detailed above have been implemented that the risks will have been mitigated to a level that is considered by them to be acceptable.
Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. Concepts of informed consent and compliance with the Caldicott and Data Protection Principles have been incorporated into the software design. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations acting together as the IG Steering Group that oversees Connected Care . The IG Steering Group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. The initial DPIA recommends that a new Data Protection Impact Assessment is not required. It is the recommendation of the IG Steering Group that the proposed Connected Care analytics capability based on GraphNet’s Azure platform is appropriate for the Connected Care programme. Furthermore, it is the view of the Berkshire Local Medical Committee “that the Graphnet solution and proposed change for creating a Central Data Repository has been subjected to a rigorous Information Governance and technical security assessment. It is therefore the LMC’s recommendation that the Graphnet solution and proposed Central Data Repository is fit for purpose, appropriate and justifiable”. Agreement Implementation Status On behalf of the Sharing Organisation I confirm that the information sharing arrangements described in this schedule are agreed and the information described in this schedule is to be made available to the User Organisations and individuals identified in this schedule starting on the Sharing Requirement Start Date and ending on the Sharing Requirement End Date. SU190005 – Windsor Riverside PCN Analytics Agreed by {{!guardian_es_:font(name=calibri,size=10) }} as Caldicott Guardian / Designated Officer / Data Protection Officer, for and on behalf of {{!org_es_:font(name=calibri,size=10) }} {{!addr_es_:font(name=calibri,size=10) }}. End of Schedule K Schedule L – SU190005/{{!dpiaprefix_es_:font(name=calibri,size=10)}}– Windsor Riverside PCN Analytics This schedule to the Regional Health and Social Care Information Sharing Agreement provides key questions covering six risk categories which when answered objectively offer an initial assessment of the additional risks to privacy posed by the proposed sharing of information. Where a question...
Summary of the Initial Data Protection Impact Assessment. The Data Protection Impact Assessment completed for this sharing activity has identified: • That this is existing data sharing activity for which there are no known incidents having occurred • The data sharing has a lawful basis under the Data Protection Xxx 0000 and the UK General Data Protection Regulation • The Common Law Duty of Confidentiality has been met via an implied consent process where the service users (or their representative) are provided with information regarding how their data will be used and given the opportunity to object to this should they wish to do so • That data will be held securely by the CCG and SCC and only shared with those that require it for a legitimate purpose • Risks associated with inappropriate disclosure of the data by the recipients of data – these can be partially mitigated by the application of protective markings and restrictions on usage of data when this is provided to recipients. The residual risk for this is accepted by the data controllers. Summary of Consultations The sharing has been discussed with partners at: • The Surrey IG Group, which includes the Data Protection Officers of Data Controllers • The ICS Data Governance Group, which includes the ICS Chief Clinical Information Officer Agreement Implementation Status On behalf of the Sharing Organisation I confirm that the information sharing arrangements described in this schedule are agreed and the information described in this schedule is to be made available to the User Organisations and individuals identified in this schedule starting on the Sharing Requirement Start Date and ending on the Sharing Requirement End Date. Agreed by as Caldicott Guardian / Designated Officer for and on behalf of NHS Surrey Heartlands Clinical Commissioning Group Annex D.1 – Sharing Service Profiles Data will be processed by: • staff and contractors of the CCG and SCC who work as part of the Integrated SEND Team • staff and contractors of the CCG and SCC that support delivery of the activity (e.g. IG, Complaints etc.) Annex D.2 – Opt-in/opt-out and Consent Model Sharing of service user identifiable personal and special category data is for direct care purposes only. The National Data Opt- out does not apply for the processing of personal data for the purpose of direct care. However, data subjects can object to their data being processed in line with UK GDPR Article 21 by contacting the relevant data controller. The data controller may refuse to comply with the objection to ...
Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. There is sharing of data through multiple stakeholders who utilise appropriately secured communication channels. The users of the information covered by this schedule would normally be expected to have access to this level of information as part of their normal working environment. Following on from the Initial Data Protection Impact Assessment, which has been answered objectively, a full PIA has been conducted. The Data Protection Impact Assessment for Connected Care project has identified 38 privacy and information security related risk topic areas. Following the implementation of appropriate mitigation measures for each privacy-related risk topic area the residual risk for all of these topic areas is now assessed as low. Representatives from each of the participating partner organisations acting together as the IG Steering Group covering Connected Care have completed a thorough review of the Data Protection Impact Assessment and the IG steering group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. It is the recommendation of the IG Steering Group that the proposed Connected Care Intelligence capability based on GraphNet’s Azure platform is appropriate for the Connected Care programme.
Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations. The Clinisys ICE solution has been active for the last ten years without issue the system can be regarded as tried and proven. However, a new summary level Data Protection Impact Assessment has been conducted. The summary level Data Protection Impact Assessment has been prepared for the BSPS Clinisys ICE (DPIA0036) and has been reviewed and approved by the Regional IG Steering Group. In the opinion of the Regional IG Steering Group all risks are satisfactorily mitigated and now have a residual rating of “low”.
Summary of the Initial Data Protection Impact Assessment. The Surrey Care Record project is a continuation of an already proven concept, exercised over a year ago by SABP team. This is a text file-based type of integration dedicated to daily clinical shared data record exchange between SystmOne and Connected Care, Frimley ICS Shared Care Record that also uses Graphnet’s signature software application product called Care Centric.
Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of patients uppermost. Concepts of informed consent and compliance with the Caldicott and Data Protection Principles have been incorporated into the software design. The design and data protection and security risks and the associated security measures and safeguards have previously been subjected to a detailed and rigorous impact assessment by representatives from each of the participating partner organisations acting together as the IG Steering Group that oversees Connected Care . From the existing Data Protection Impact Assessment for the Connected Care Clinical Platform (DPIA0001) the IG Steering Group is satisfied that all appropriate technical and physical measures against unauthorised or unlawful access, accidental loss or destruction of care data are in place. Furthermore, it is the view of the Berkshire Local Medical Committee “that the Graphnet solution and proposed change for creating a Central Data Repository has been subjected to a rigorous Information Governance and technical security assessment. It is therefore the LMC’s recommendation that the Graphnet solution and proposed Central Data Repository is fit for purpose, appropriate and justifiable”. As a consequence a new or updated Data Protection Impact Assessment is not required for Connected Care. However, a new Data Protection Impact Assessment is required for the Surrey Ice and Connected Care interface. A Data Protection Impact Assessment has been prepared for the Surrey Ice and Connected Care interface (DPIA0022) and has been reviewed and approved by the Regional IG Steering Group.
Summary of the Initial Data Protection Impact Assessment. The project has been carefully designed to place the interests of data subjects uppermost. There is sharing of data through multiple stakeholders who utilise appropriately secured communication channels. The users of the information covered by this schedule would normally be expected to have access to this level of information as part of their normal working environment.
