Go back to Data Protection Impact Assessments
Integrated Services Information Governance Board
Information Sharing Business Case
Service / Team / Project Name:
Royal College of Speech and Language Therapists online Outcome Audit
Date of completion:
2/4/2019
Completed by:
Marjan Daneshpour
Head of Information and Child Health
Information Sharing - presenting a Business Case:
This document is a tool for practitioners and sets out the principles that will be applied to sharing information (such as aggregate data) across organisations, both internal and external. It sets out the commitment to information sharing, explains what information is generally shared, grounds for sharing information and the controls and assurances which are agreed. Most importantly it provides a clear way of demonstrating compliance with the various legislation, such as the Data Protection Act.
Information will be shared with partner organisations to provide high quality people focussed services.
Understanding the benefits to be gained through working in partnership, the commitment to building effective partnerships and sharing information is recognised - in particular to ensure early intervention to achieve positive outcomes.
The importance of sharing information is carefully balanced with the need for privacy. This is done by assessing whether the sharing is necessary and proportionate and having controls in place against loss, inaccurate recording or misuse of information and by working tightly to the Data Protection Act and other relevant legislation.
In particular, in sharing information: -
When to use this document?
This document is a guide designed for use when sharing aggregate data or personal/ sensitive data between different organisations on a regular basis and/or seeking permission for staff to access specific databases outside of their own service area. You should use it as part of the early stages of considering to share information.
What it includes and how used?
The key principles of good practice in sharing information and compliance with various legislation (e.g. the Data Protection Act) are set out. This document can be used for a wide range of information sharing purposes, for example, to facilitate information sharing under the Crime and Disorder Act 1998.
This document does not intend to set out all legal issues; instead it is designed for use by practitioners focussing on the practicalities of information sharing and requires them to detail how compliance will be achieved.
Using this document does not invalidate any existing information sharing agreements.
The proforma
Attached to this principles document (Appendix 1) is the proforma to set up individual information sharing arrangements. The proforma requires practitioners to describe what, where and how information will be shared by answering a series of questions.
The proforma is designed to be completed by practitioners responsible for the day to day management of the information which is proposed to be shared. To ensure proper compliance checks, the proforma must be sent to the Caldicott Guardian /Data Controller for each participating organisation who will arrange for the information sharing arrangement to be checked and verified by the Integrated Information Governance Board.
Aggregated data - is statistical information (i.e. non-personal). Sometimes, even though data is statistical and aggregated, individuals may be identifiable (e.g. data by postcode – where there is one property in a postcode an individual could be identifiable). Therefore care must be taken to check whether data is statistical or personal or where information together can reveal a person (e.g. Age, Postcode and Gender).
Personal data* - is information which identifies a living individual – Data Protection Legislation and related legislation must be complied with. For example, a name of an individual and home address.
Special category data - The conditions are listed in Article 9(2) of the GDPR:
Controls, whether legislative or otherwise, need to be commensurate with the risk and proportionate to the objective which is sought to be achieved.
Legislative controls include:
See https://ico.org.uk for further detail and information on the above legislative controls.
Accuracy of information – the accuracy of information is likely to be relied upon by partner organisations and therefore, the accuracy of information must be communicated to all parties (subject to legal obligations).
Updating of information – the information providing and receiving organisations should put arrangements in place to inform each other (and any other parties to the arrangement) of any relevant changes or updates to the information shared (after the information has been shared). The responsibility of onward correction must be considered and assigned.
Information use – Whether aggregated or personal data, information must only be used for the purposes it has been shared. If the organisation receiving the information wishes to use it for purposes not clearly described in the proforma separate permission must be sought from the organisation that has provided the information.
Disclosure –information should only be disclosed to any other partner organisations/ third parties with the permission of the partner organisation providing the information or, where appropriate, the permission of the individual who the information is about.
Security measures should be commensurate with the type of information shared and the risk (e.g. of loss, inappropriate disclosure etc). Any special security controls that need to be taken in regard to transfer, collection, holding and use of the information should be communicated to all organisations involved in the handling of the shared information.
The partner organisation receiving the information should set out what security controls they plan to have in place; they are responsible for the security of that information. In some cases a signed undertaking may be appropriate, but generally the information sharing arrangements (such as the proforma, Appendix 1) will be sufficient.
Where the information is protectively marked then further advice should be sought on the specific handling and care arrangements that need to be in place when dealing with that information.
The final record of the completed proforma should be kept on record in a central register (a copy held by all parties to the arrangement).
As a matter of good practice, in setting up arrangements for accountable and auditable information sharing, key information about arrangements in place should be recorded in a central system. Following should be recorded as a minimum: -
Partner organisations will ensure that all relevant staff are aware of and comply with their responsibilities in relation to:
As appropriate, the public will be informed of information sharing arrangements (in particular, where this involves sharing of personal data).
As far as possible, the individual information sharing arrangements should be published on websites/ publication schemes or in some other way to ensure openness and transparency.
Partners are committed to having procedures in place to address complaints relating to the sharing of information and or about how information about individual service users has been shared. Complaints procedures will be provided to members of the public/ service users, ideally on the website.
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.
DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and you should see it as an ongoing process, and regularly review it.
Who completes what?
It is suggested the partner organisation (lead organisation if more than one partner) receiving the information completes sections 1 – 5 and the partner organisation providing the information completes section 6 and sections 7 and 8 completed at the end by all parties. Once agreed and completed, all parties should sign section 9.
Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.
The on line audit will support speech and language therapists in clinical practice as well as service users, service managers and other key stakeholders.
For practising clinicians, outcome measurement increases reflective practice leading to improvements in patient care, professional development and informing clinical decision making. At a service level, outcomes data can assist in informing service change, quality improvement, and resourcing decisions. Furthermore, a robust and validated demonstration of the impact of speech and language therapy has the potential to be useful evidence to present to commissioning bodies, to demonstrate how the profession contributes to the delivery of policies and frameworks across the UK and to influence key decision makers.
The RCSLT Online Outcome Tool (ROOT) facilitates the collection of Therapy Outcome Measures (TOMs) data to support with monitoring, evaluating and reporting on outcomes for individuals receiving speech and language therapy. The ROOT has been developed by Different Class Solutions Ltd in collaboration with SLT services involved during a pilot.
It facilitates the collection of data about individual service users’ outcomes at different points in time, using TOMs. It is a stand-alone online tool that collects, collates and reports on outcomes data.
Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?
Data is entered in RCSLT Online Outcome Tool (ROOT) by Your Healthcare Speech and Language Therapy team for children. SLT team will add service users’ Therapy Outcome Measures (TOMs) data in ROOT directly or upload in bulk to the ROOT. The RCSLT has adopted a privacy-friendly approach in the development of the ROOT, with respect to the information collected about the individuals receiving speech and language therapy and the SLTs using the tool. The ROOT is a securely hosted web system utilising SQL Server 2016 and ASP.net 4.6.1. The servers have SSL certification to ensure that all data flowing to and from the server is encrypted and could not be deciphered if intercepted in transit. The servers are protected by firewalls to protect the data and prevent unauthorised access by anyone else. The data is stored using an encryption algorithm so that if anyone physically removed a disk or the server itself, they would not be able to access the data. The servers are located in a UK data centre, hosted by a third party supplier.
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
The data is pseudonumised and doesn’t include special category or criminal offence data. The data has been provided by Your Healthcare’s SALT team.
The data items included are:
Additional fields may be added, if required, but additional data shared with the ROOT by users of the system must comply with local information governance policies and frameworks and is not the responsibility of the data processor or the RCSLT.
This information is collected when the individual registers to use the ROOT and will be updated annually. Personal data about the individuals using the ROOT is retained for as long as any outcomes data related to them is retained. This is analogous to keeping patient forms in their file with the staff member’s name on. The geographic area that it covers is Kingston.
Data about speech and language therapists and other individuals using the ROOT Personal data collected about the individuals using the ROOT includes:
This information is collected when the individual registers to use the ROOT and will be updated annually. Personal data about the individuals using the ROOT is retained for as long as any outcomes data related to them is retained. This is analogous to keeping patient forms in their file with the staff member’s name on.
Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
Pseudonumised data on individuals who are receiving speech and language therapy is collected to support better care, professional development and informing clinical decision making . Individuals won’t access the tool.
Speech and language therapy data are related to children. There is no concern over the processing and security flaws. A privacy policy is also provided on the ROOT. Different Class Solutions Ltd has prior experience of this type of processing for other similar products and it is not expected, therefore, that the processing of personal data in relation to the ROOT will be considered unreasonable or cause concern. Your Health care and Different Class Solutions Ltd is certified for ISO27001 Data Security.
Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?
The intended outcome of the ROOT is that it will have benefits for patient care by supporting quality improvement in speech and language therapy services. The minimum amount of data about individuals receiving speech and language therapy is collected in order to achieve this.
The processing of personal data about speech and language therapists and other individuals using the ROOT is required to ensure that the individuals accessing the ROOT have a legitimate reason for doing so. This is required to ensure the fidelity of the outcome data collected and to enable use of the system to be audited. It is also required to support users of the system, including in instances whereby help is requested.
Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
The data entered in ROOT system is pseudonymised and individuals will not be identifiable from the data.
Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
The data collected about individuals receiving speech and language therapy are pseudonymised and in the majority of cases, individuals will not be identifiable from the data. Nevertheless, the data should be treated as personal data.
Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. | Likelihood of harm | Severity of harm | Overall risk |
---|---|---|---|
1. Security breach of servers. The impact would be that personal data is at risk. | Possible | Significant | Medium |
2. Inappropriate use of the system by users authorised to access the ROOT. This might include attempting to access unauthorised areas, disclosing account details to others, and attempting to use someone else’s login details to access the ROOT. The impact would be access to other users’ personal data. | Possible | Significant | Medium |
3. Inappropriate users given access to the system. The impact of this would be that those without a legitimate reason would have access to pseudonymised data about speech and language therapy outcomes for the service. | Possible | Minimum | Low |
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 | ||||
Risk | Options to reduce or eliminate risk | Effect on risk | Residual risk | Measure approved |
---|---|---|---|---|
1. Security breach of servers | The physical security arrangements for the servers have been reviewed and approved. The demographic data is held in encrypted tables. In the unlikely event of a breach the servers will be taken off line to minimise any use of the data. | Accepted | Medium | Yes |
2. Inappropriate use of the system by users authorised to access the ROOT. | Limited number of users have access to the system. Access is managed and controlled by the service leads. | Reduced | Medium | Yes |
3. Inappropriate users given access to the system. | Entry and control of users will be validated by the service leads. Limited number of users have access to the system. Tight control is in place. | Reduced | Low | Yes |
Item | Name/date | Notes |
---|---|---|
Measures approved by: | Marjan Daneshpour | Integrate actions back into project plan, with date and responsibility for completion |
Residual risks approved by: | Marjan Daneshpour | If accepting any residual high risk, consult the ICO before going ahead |
DPO advice provided: | DPO should advise on compliance, step 6 measures and whether processing can proceed | |
Summary of DPO advice: | ||
DPO advice accepted or overruled by: | If overruled, you must explain your reasons | |
Comments: | ||
Consultation responses reviewed by: | If your decision departs from individuals’ views, you must explain your reasons | |
Comments: | ||
This DPIA will kept under review by: | The DPO should also review ongoing compliance with DPIA |