
Version: 3.0 Date: January 2019


Data Protection Impact Assessment (DPIA) (Stage 2) (To be completed if the Data Protection Impact Assessment Screening Questionnaire states that a full Data Protection Impact Assessment needs to be completed. “Yes” has been answered for one or more questions asked in the screening questionnaire.) DPIA is a tool used to assess whether a process or project involving person identifiable data is compliant with various data protection and confidentiality regulations such as the General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Data Security & Protection Toolkit.

This Data Protection Impact Assessment (DPIA) form should be completed:

as part of the project initiation documentation for all new information systems,

changes to the purpose/use of systems,

the introduction of new processes/policies, or

changes to processes/policies,

which involve the use of person confidential / sensitive data or business sensitive data or a change that will significantly amend the way in which person confidential / sensitive data or business sensitive data is handled.

If you have any questions please contact Paul Cook (IG) the CCG’s IG Lead at: [email protected] Please select, add or delete the appropriate text for each question below.

1. GENERAL INFORMATION

1.0 IG DPIA Reference Number: (From IG Team)

1.1 Implementation Date: 1st June 2019 (project start) 1st November 2019 (service will start)

1.2 The name of the new system / change in process / policy or system?

Virtual ward, it will be known as the ‘Enhanced Support At Home’ Service

1.3 The name of the responsible lead for implementing the new system / change in process / policy or system?

Name: Sarah Hedges Job Title: Integrated transformation lead Contact Details: 07539 226617

1.4 Have the key stakeholders been identified as part of the project initiation documentation?

Yes

1.5 Describe the purpose or main aims of the new system / change in process / policy or system?

This test and learn service is provided within people's own homes by a dedicated group of professionals, who work together to support individuals and their families during a time of increased pressure due to a period of ill health. The service is for people needing support to be discharged from hospital who would have historically been referred to the community assessment beds as well as those who are at risk of admission if support is not provided.

Aims of the Service

1. To provide an increased frequency of interventions than the community services would usually be able to offer for up to a 2 week period

2. To provide patients with a wrap-around service that gives people the confidence to maximise independence during a time of ill health

3. To discharge up to 16 patients per month from the West Suffolk Hospital and support up to 4 patients per month to stay within their own homes whilst suffering a temporary reduction in usual health or their social support

4. To provide the patients with access to the help and treatment that they need at the right time and place with good outcomes and experience of the care that they receive

5. To use equipment and technology to provide less intrusive and more cost-effective care

6. To promote and support earlier discharge for medically optimised patients

7. To free up hospital beds for the most sick patients during winter pressures

8. To avoid admissions when the need can be met by an enhanced community offer

1.6 Does the planning documentation include all of the purposes for processing the data?

Yes

2. SYSTEM SUPPLIER (if a system is not being implemented or used as part of this DPIA please answer N/A against the questions in this section)

2.1 Who supplies the system? New system being used:

Current Health – Telehealth

2.2 What is the suppliers registered address? 125 Princes Street, Edinburgh, EH2 4AD

2.3 Is the supplier of the system registered with the Information Commissioners Office (ICO) for data protection (https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/)? If so, please provide details of the registration number and expiry date.

Yes. Registration Number: ZA152739 Expiry date: 18 November 2019

2.4 Is the supplier of the system Data Security & Protection Toolkit (previously known as IG Toolkit) compliant? If so, please provide the details.

Yes. Organisation Code: Current Health Limited (SP400) Version Number: 2018/2019 Status: Satisfactory

2.5 Has the supplier of the system implemented ISO/IEC 27001:2013? If so, please provide a copy of the ISO27001 certification.

Yes. Approval number(s): ISO/IEC 27001 – 00015227 Issued:04 March 2019

2.6 Does the supplier hold a Cyber Essentials or a Cyber Essential Plus certificate?

NO

2.7 Does the contract include clauses related to data protection, confidentiality, consent and freedom of Information?

Yes. Supplier contract. See attached – CurrentHealth-WestSuffolk-LegalAgreement.pdf; Section 5.


2.8 What training will the users receive for using the system?

Current Health will provide on-site training as well as be available for telephone, video and email training support.

3. INFORMATION ASSET¹ REGISTER² AND DATA FLOW MAPPING

3.1 Who is the Information Asset Owner³? Kate Foxwell, Community Matron Newmarket

3.2 Who is the Information Asset Administrator/s⁴?

Neighbourhood team coordinator

3.3 Has this system been added to the relevant Information Asset Register?

Yes it will be added to the metaprivacy register once DPIA has been approved

3.4 What is the Information Asset Register risk rating level?

Yes it will be added to the metaprivacy register once DPIA has been approved Rating Level: (N/A / Not known at this stage of the process (please state expected date when this information will be available))

3.5 If personal or business sensitive data is being processed by the system, has this been added to the relevant Data Flow Mapping⁵ document?

See attached Current Health System Diagram: WestSuffolkCurrentHealthSystem.pdf

3.6 Has a process map been developed which details the process? If so, please provide a copy.

See copy attached (this is still in development and we are scoping out the OOH telehealth monitoring which we hope Care UK (111 contract) will monitor these vital signs OOH).

4. DATA PROCESSING⁶

4.1 Whom is the information processed about? (please tick √ all the related options)

√ Employees (log in details only)

√ Patients

Students

√ Partner businesses or organisations (log in details only)

Other

1 An Information Asset - All organisations own and use information assets that support their local business needs. A subset of these assets will be personal data in some form and/or the equipment within which personal data is held. The majority of these information assets will underpin service user / patient care processes, human resource processes, activity management or clinical audit, research or service evaluation but there may be a wide range of other business activities supported by such assets. Whilst all information assets should be protected, the importance of ensuring that this particular subset is held securely is paramount.

2 An Information Asset Register (IAR) – is a simple way to help you understand and manage your organisation’s information assets and the risks to them. It is important to know and fully understand what information you hold in order to protect it and be able to exploit its potential.

3 Information Asset Owners (IAOs) – Information Asset Owners (IAOs) must be senior/responsible individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.

4 Information Asset Administrators – individuals that use the information assets.

5 Data Flow Mapping – means mapping person-identifiable or business critical information that flows between departments or flows in/out of the organisation. This includes manual or electronic flows relating to original and back up or copy data.

6 Processing - in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.

4.2 What are the Data Classes that will be held or processed as part of the implementation or change? (please tick √ all the related options) (When data is processed, interpreted, organised, structured or presented so as to make them meaningful or useful, it is called information.)

Person sensitive details (Special Category)(name, address, postcode, date of birth, NHS number, IP address – please delete as appropriate)

Family, lifestyle and social circumstances (marital status, housing, travel, leisure activities, membership of charities – please delete as appropriate)

Education and training details (qualifications or certifications, training records – please delete as appropriate)

Employment details (career history, recruitment and termination details, attendance details, appraisals, other – please delete as appropriate)

Financial details (income, salary, assets, investments, payments, other – please delete as appropriate)

Criminal proceedings, outcomes and sentences

√ Goods or services (contracts, licenses, agreements etc.)

Racial or ethnic origins

Religious or other beliefs of a similar nature

Political opinions

√ Physical or mental health conditions

Offences including alleged offences

Sexual health

Trade Union membership

Other

The telehealth processing will only be basic person sensitive details including vital signs (see contract for details). Remaining categories are from current alliance working

4.3 Will this system include data, which has not previously been collected as part of the system or process / policy? If yes, have you amended the existing privacy notice?

The core staffing will use the existing systems including SystmOne, ecare, HIA, liquid logic and potentially Lorenzo. Care UK and WSFT will access the telehealth through a cloud-based portal and app which are now added to the authorised list of apps.

4.4 What checks have been made regarding the adequacy, relevance and necessity of data used?

The data used will all be for the direct care of patients including the referral information that may be obtained from the patient, relative and IT systems. The telehealth data will also be used to inform direct care.

4.5 Are you transferring any personal or sensitive data to a country outside the European Economic Area (EEA)? If yes, please provide the name of the country.

NO.

5. TECHNOLOGY

5.1 Can the system use pseudonyms⁷ or work on anonymous⁸ data?

The use of Personal Information in Current Health is to enable the best patient care. It is possible for it to be used with anonymised data, but this will restrict the value to the clinical team.

5.2 Is the use of Cloud Technology⁹ being used or considered? If yes, provide the data centre location.

Amazon AWS; EU-West1 – Ireland. (expected to move to EU-West2 – London in Q4 2019)

5.3 Does the cloud hosting data centre(s) meet tier-x standards?

Yes.

5.4 How will we be alerted to any possible cloud system breaches?

Current Health operate the attached Data Breach policy and will notify West Suffolk in line with this. See attached: ISMS 11_Data Breach Response and Notification Procedure_Rev 03.pdf

5.5 Does the system include new technology that might be perceived as intrusive? (i.e. the use of biometrics or facial recognition etc.)

Current Health provides a passive, non-invasive wearable monitoring device to capture vital sign data. It is fitted to the upper arm of the patient and worn for a number of days.

5.6 Will the system require access to any CCG network or system? If yes, how is IT managing this?

NO

6. LEGAL BASIS

6.1 What Condition under Article 6 are we relying upon?

At least one condition must be met: (please tick appropriate condition)

Article 6 (1) (a) Consent √

Article 6 (1) (b) Contract Performance

Article 6 (1) (c) Legal obligation

Article 6 (1) (d) Vital Interests

Article 6 (1) (e) Public Task √

6.2 Special Category Data (sensitive data)

racial or ethnic origin

political opinions

religious beliefs or other beliefs of a similar nature

trade union membership

physical or mental health or condition

sex life and sexual orientation

genetic data and biometric data

7 Pseudonymisation – is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field.

8 Anonymisation – Anonymisation is the process of turning data into a form, which does not identify individuals and where identification is not likely to take place.

9 Cloud Technology - means storing and accessing data and programs over the Internet instead of your computer's hard drive.

Is Special Category Data under Article 9 being processed?

NO. Current Health platform captures vital sign data (Motion, Pulse Rate, SPO2, Skin Temperature, Respiration Rate) for the provision of health care. This is not considered personal sensitive data within the boundaries of Article 9. This said, Current Health treats this patient data as sensitive – and applies the same rigour of data protection.

If yes please list: N/A

6.3 What Condition under Article 9 are we relying upon? At least one condition must be met

If processing Special Category data, you need to fulfil a condition under both Article 6 and Article 9

Article 9 (2) (a) Explicit consent

Article 9 (2) (b) Employment Law

Article 9 (2) (c) Vital Interests

Article 9 (2) (d) Non-profit organisation

Article 9 (2) (e) Made public by Data Subject

Article 9 (2) (f) Legal Claims or court proceedings

Article 9 (2) (g) Substantial Public Interest

Article 9 (2) (h) Provision of Health & Social Care

Article 9 (2) (i) Interests of Public Health

Article 9 (2) (j) Scientific, statistical research

6.4 Consent: If relying on consent as a legal basis, is this explicit? Are details of such recorded?

Each system has its own explicit consent to share data mechanism within the IT software. The team will only be using telehealth where verbal consent is obtained.

6.5 Can consent be withdrawn at any time?

Yes, by changing the tick box or contacting the GP. Stays within the individual provider's IT system.

6.6 How will you tell the data subjects about the use of their data?

Will add to the information leaflet about the service. (Please include full name and contact details)

6.7 Does the process allow data subjects to have copies of their own information in accordance with Article 15?

Yes, as per existing organisational policies. Current Health will provide this on request via West Suffolk who will act as Data Controller in line with the procedure: ISMS 09_Data Subject Access Request Procedure_Rev 03.pdf

6.8 Is there a process in place for when an individual requests to have inaccurate information rectified in accordance with Article 16?

Yes, as per existing organisational policies. Current Health has an appropriate process in place. See attached: ISMS 09_Data Subject Access Request Procedure_Rev 03.pdf

6.9 Is there a process in place to consider requests from individuals to have their data erased (right to be forgotten) in accordance with Article 17?

Yes, as per existing organisational policies. Current Health has appropriate process in place. See attached: ISMS 09_Data Subject Access Request Procedure_Rev 03.pdf

6.10 Is there a process in place to consider requests from individuals who wish to object to processing of their personal data in accordance with Article 18?

Yes, as per existing organisational policies. Grounds for restricting is permitted when one of the following applies:

a) Accuracy is contested

b) Processing is unlawful

c) Defence of legal claims

d) Verification of legitimate grounds

Current Health has appropriate process in place. See attached: ISMS 09_Data Subject Access Request Procedure_Rev 03.pdf

7. ACCESS TO THE DATA

7.1 Who will use the system or process and have access to the data?

The staff working under the service specification. This will include staff from ACS, Homefirst, WSFT, GP Fed and Care UK.

7.2 What training have users had in patient confidentiality?

All organisations are GDPR compliant and have their own training and staff will be trained to complete their roles in accordance with existing organisational policies.

7.3 How will the users access and amend data?

Within their own IT system. HIE will provide read only views of other clinical data from other IT systems. The coordinator and nursing lead for the service offer will have read and write access to multiple systems. Data in the Current Health system is immutable and cannot be altered by a member of the clinical team @ West Suffolk. It is a read-only service.

7.4 Is there a usable audit trail in place for the information asset?

As per each organisational policy. Current Health maintains a full audit trail for all data in place within its system. This is discussed in the provided Security Whitepaper: Current Health Product Security Whitepaper - Aug 2019.pdf


7.5 How often will the system or process / policy be audited?

As per each organisational policy. Current Health holds annual management reviews of processes and policies. We undertake frequent customer led or notified body led external audits in line with our ISO 27001 certification.

8. STORAGE OF THE DATA

8.1 Where will the data be stored?

Within each organisation's IT system or data warehouse.

Current Health operates on Public cloud infrastructure operated by Amazon AWS. Data is stored within AWS region Eu-West-1. Data is stored across multiple Availability Zones. Automated backups are made on a specific schedule and stored in an alternative AWS region. We use AES-256 and RSA-2048 encryption on all data at rest. All high-risk PII data is further isolated within a secure enclave in the Current Cloud.

Within the internal Current Health system, data is de-identified during all process and storage stages where possible with random identifiers. Only as data is provided to an authorised application user is it linked back to its PII for their use. Access to the private data enclave goes through ‘bastion’ servers which enforce several additional layers of security for both application API access and operations. Operations management access to private data stores in the enclave is heavily sanctioned with a “four eye” policy and approval required from relevant senior members of the team. In addition to continuous automated monitoring, all access to this enclave is reviewed by the security team monthly.

We manage a central platform event audit log. This allows us to monitor all actions across every Current system. We use this for internal threat identification and providing reports on-demand for Current customers of their users’ access and interaction with our services for audit and billing purposes.

8.2 Could the system or process change the way data is stored?

No

8.3 Which format will the data be stored in? (please tick √ all the relevant options)

√ Electronic

√ Paper

√ Verbal

Other

9. DATA SHARING

9.1 Will the data be shared with any other organisation/s? If yes, please list the names of the organisation/s.

Yes – Two-way patient focused communications will occur between staff within the locality as per current processes to manage referrals and patient care. The CCG will have non-patient identifiable data only. Current Health will only have access to vital sign data and personal data as per contract.

Organisation/s Name:

West Suffolk Foundation Trust

West Suffolk CCG (non-patient identifiable data only)

Suffolk County Council

GP Fed

Oakfield Surgery

Rookery Medical Practice

Orchard House Surgery

Care UK

NSFT

East England Ambulance Trust

East Suffolk and North Essex Foundation Trust

Medequip

Potentially:

Haverhill Family Practice

Clements and Christmas Maltings

Wickhambrook GP surgery

White House Surgery

Market Cross Surgery

Brandon Medical Practice

Forest Surgery

Lakenheath Surgery

9.2 How will the data be shared?

Access to systems as required for direct care and then read only access via the HIE for information only needs again for direct care.

9.3 Are there any Information Sharing Agreements or Protocols in place to support the sharing of data? If so, please provide a copy.

Not beyond the contract between Current Health and West Suffolk.


10. DATA SECURITY

10.1 What security measures¹⁰ have been undertaken to protect the data?

IG toolkits in place and standard data protection that comes with this. Current Health describes this in the White Paper: Current Health Product Security Whitepaper - Aug 2019.pdf

10.2 What business continuity plans are in place in case of data loss or damage? (i.e. as a result of human error, virus, network failure, theft, fire, floods etc.)

Each clinician will follow the business continuity plan in place for their own team. Current Health has appropriate DR/BCP in place. See attached: ISMS 03_Disaster Recovery & Back Up_Rev 03.pdf

11. DATA QUALITY

11.1 Who provides the information for the asset? West Suffolk Alliance clinical teams provide any Patient Personal Data required.

11.2 Who inputs the data into the system or process?

Staff working within the service, including the coordinator and clinical staff. On registering a patient, Patient Personal Data is inputted by the West Suffolk clinical team into the Current Health system. This is the minimum necessary to provide the proposed level of care.

11.3 How will the information be kept up-to-date and checked for accuracy and completeness?

Clinicians working on current time IT systems. During normal use the clinician can update any erroneous Patient Personal Data (Name, DOB) as necessary. The vital sign data for a patient is immutable.

12. ON-GOING USE OF DATA

12.1 Will the system or process interfere with the privacy rights of the data subject under article 8 of the Human Rights Act¹¹ 1998?

NO

12.2 Will the data be used to send direct marketing messages?

NO

12.3 If direct marketing messages will be sent, are consent and opt-out procedures in place?

N/A

10 Information security processes and policies typically involve physical and digital security measures to protect data from unauthorised access, use, replication or destruction.

11 Human Rights Act 1998 – Article 8 (Right to a private and family life) - Everyone has the right to respect for his or her private and family life, home and correspondence. This right is subject to proportionate and lawful restrictions.

12.4 Does the system or process / policy involve changing the standard disclosure of publicly available information in such a way that the data becomes more readily available than before?

N/A

12.5 What is the data retention period for this data? (please consult the detailed retention schedule (appendix 3) in the link below https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016)

8 years for paper notes and see code of practice for electronic notes. Data Retention within the Current Health system is defined by the length of the contract. On termination of the contract with West Suffolk, Current Health will delete all patient personal information (including PII) in line with the contract. For information outwith the contract – this is held per the attached: ISMS 019_Control Of Records and Data Retention_ Rev 02.pdf

12.6 How will the data be securely destroyed when it is no longer required?

As per each organisation's shredding policies. Current Health has an appropriate procedure in place. See attached: ISMS 020_Secure Disposal_Rev 02.pdf

13. DETAILS OF THE INDIVIDUAL COMPLETING THIS FORM

13.1 The name, role and email of the individual completing this form:

Name: Sarah Hedges Role: Integrated transformation lead Email: [email protected]

13.2 Form completion date: 12/09/19

14. IT SECURITY REVIEW – TO BE COMPLETED BY THE IT LEAD

14.1 Please include / attach any supporting documents e.g. completed IT privacy impact assessment, security questionnaires, vulnerability scan results, PEN test results, security accreditation or certification held by provider etc.

14.2 The name, role and email of the individual completing the technology questions:

Name: Andrew Smith Role: IT Implementation Manager Email: [email protected]

14.3 Form completion date:

15. THE INFORMATION GOVERNANCE TEAM WILL COMPLETE THE FOLLOWING SECTION

15.1 ICO Registration details received: Yes / No

15.2 ISO27001 certification received: Yes / No

15.3 DSPT compliance seen: Yes / No


15.4 DPA and FOI sections received: Yes / No

16. DPIA OUTCOME

Applicable Governance Regimes

Always applicable legislation:

Data Protection Act 1998 / 2018 (DPA)

General Data Protection Regulations (GDPR)

Freedom of Information Act 2000

Environmental Information Regulations

Code of Practice for Records management

Computer Misuse Act 1990

Human Rights Act 1998

Confidentiality Code of Practice

Health and Social Care Act 2012

Possible applicable legislation:

Regulation of Investigatory Powers Act 2000

ISO27001 Information Security Management

Privacy and Electronic Communications Regulations

Children’s Act 1989 / 2004

17. APPROVAL (please add detail or delete options as appropriate)

17.1 The name, role and signature of the individual approving this document:

Name: Role: (IG Lead / Data Protection Officer / Caldicott Guardian / Senior Information Risk Owner) Signature:

17.2 Form approval date:

17.3 The name, role and signature of the individual approving this document:

Name: Role: (IG Lead / Data Protection Officer / Caldicott Guardian / Senior Information Risk Owner) Signature:

17.4 Form approval date:


17.5 The name, role and signature of the individual approving this document:

Name: Role: (IG Lead / Data Protection Officer / Caldicott Guardian / Senior Information Risk Owner) Signature:

17.6 Form approval date:

17.7 The name, role and signature of the individual approving this document:

Name: Role: (IG Lead / Data Protection Officer / Caldicott Guardian / Senior Information Risk Owner) Signature:

17.8 Form approval date: