Author: Hannah Greenwood

Notification of Emis cloud services No.16

From 10 June 2019 EMIS Web started migrating practice patient data storage to Amazon Web Services (AWS).

Because this is a significant change to the way patient data is processed, in order to be compliant with GDPR, practices as ‘Data Controllers’ need to:

  • inform their patients through their usual methods of communication (for example their privacy notice)
  • carry out a Data Protection Impact Assessment (DPIA)
  • update their record of processing activities (ROPA).

 

Updated Detailed Privacy Notice

The latest version of the detailed Fair Processing Notice has been updated to cover the required communications and can be uploaded from here and should be pointed to from your practice website:

Updated FPN: privacy-notice-v110-1 (this also contains an update to the NWL DPO Service contact details, which should be in use by all practices, whether EMIS or TPP)

 

Example DPIA

EMIS have provided an example DPIA which practices can download and use:

Sample DPIA: Data-Protection-Impact-Assessment-AWS-GP-perspective

The NWL DPO support offers an advisory service and does not have the resources to complete impact assessments on behalf of primary care. There is no central repository where a single form can be completed on behalf of 370 primary care data controllers. It is the responsibility of each data controller to keep their own records, relevant to the type of data and sharing in which they engage, and for their individual organisation to be accountable in its own right and able to demonstrate GDPR compliance through its DSPT returns. The DPO may, however, recommend a Data Protection Impact Assessment (DPIA), support the process of practices completing it and approve the contents.

This sample DPIA provided by EMIS should be fairly straightforward and can be completed by filling in your practice details and the relevant entries in sections 5, 6 and 7. We recommend using the suggested entries already in place in sections 5 and 6. Where this is the case in sections 6 and 7, the NWL CCGs DPO Service has approved both the recommended measures and the identified residual risks and agrees that processing may proceed. The Caldicott Guardian or a signatory representing the practice’s data controllers should either accept (recommended) or overrule the DPO advice. There is no further consultation response required and the DPIA would be reviewed as part of routine practice process in your annual DSPT returns. See below:
Practices should keep a copy of the completed DPIA with their practice’s data protection documentation/records.

Records Of Processing Activity

EMIS practices will also need to update their Records Of Processing Activity (ROPA) as described in GDPR Blog 6.

If you have any questions please send them to nwl.infogovernance@nhs.net

 

eDSM (Enhanced Data Sharing Model) No. 15

eDSM additional controls have been designed to ensure that GPs and patients have greater flexibility and control over which organisations have visibility of their SystmOne records. The new controls will allow GPs to decide if other SystmOne organisations involved in the care of their patients can view their patients’ records (subject to patient consent).

In order to implement this change, we have now finalised the list of organisations with whom North West London SystmOne practices currently share. These are the organisations who have signed the CWHHE MOU, Extended Hours Hubs and the practices within NWL CCGs. These are listed within the ‘SHARED LIST’ that you will see attached. When organisations are added to the ‘SHARED LIST’ this will ensure that patient records can be accessed, assuming consent has been given.

If you do not switch eDSM on then your practice will not be complying with the Data Protection Act 2018, which requires you to tell your patients with whom you share their data. The eDSM model allows you to do this.

Additional documentation:

Importing the ‘allowed list’

NWL eDSM FAQ v0.1

TPP eDSM enhancements_FAQs v.1.1