DSPT Support Page – No. 13

Introduction

Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2019.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) A Data Security Policy

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have designed this Data Security Policy to be the overarching document in your practice, where you can see links to all of the required elements in one place.

2) DSPT Requirement & Evidence V1.2 – Updated 18 March 2019

This contains comments and guidance related to all of the 10 sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.

Review of action points from last blog

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here https://www.dsptoolkit.nhs.uk/Account/Register
  • To do 46 – Start working through the sections, completing only the compulsory sections in the first instance

Please note that as further work on the DSPT is clearly linked to going through each of the 10 sections, there will be no further To Do list other than the requirement for your practice to submit your DSPT returns under each of those sections.

Work covered in this session

Data Security Policy

It will be worth familiarising yourself with this document, which you may wish to add to as you progress. Working through the GDPR blogs will have generated much of the information needed for the DSPT. This document should enable you to pull together all of your existing policies, plus help you with some new ones. It is an overarching policy document to which you or your staff can refer. You can also use it as a resource within the DSPT, and it may be helpful in responding to questions which arise at CQC inspections.

DSPT Requirements & Evidence

This will probably be the most commonly used document when submitting your responses to the questions, assertions and evidence required under each of the 10 sections in the DSPT.

Some of the DSPT requirements need you to demonstrate the presence of robust cybersecurity measures. A number of those relate to the policies and practices provided through centrally provided IT services. Those elements have also been responded to and can be found under the relevant sections in this document.

Fair Process Notifications

The NWL Collaboration have designed two GDPR compliant fair processing notices for your patients in poster form, which are on their way to you. We are required to present this information in tiered levels, simplest first, with the ability to drill down into progressively greater detail. The posters represent the simplest level, and the most detailed information is found in your A4 fair processing notice, which should be published on your practice website. The posters should be displayed in your surgery to inform your patients about how we use their data in NWL. The more detailed A3 poster has space for stickers, which should be printed to show the following:

  • Practice Address
  • Practice Website URL
  • Detailed FPN URL (from practice website)
  • DPO contact norman-williams@nhs.net

There are electronic versions which can be uploaded to your NUMED/Call board screens: NHS NWL Medical Information Sharing Poster

Please use the latest version 1.07 of the detailed A4 Fair Processing Notice which can be downloaded here: http://www.nwlgp-gdpr.uk/2018/09/12/layered-fair-processing-no-10/

Email Policy

SAR requirements can become complex if clinical correspondence is sent by email, so an email policy which addresses this has been produced. It requires staff to migrate clinical data into your clinical system and then delete the original email. In this way, when you respond to an SAR you only need to interrogate a single data source.

Staff training around data sharing

The Staff Training & Support document is for all staff, to enable them to understand Data Sharing across NWL. This also includes the read codes (CTV3 and READ2) that are required to opt in to or opt out of data sharing: Staff Information – Data Sharing. We have also included an IG spot check template which practices can use to record the spot checks on compliance with these policies, as required in 1.5.1.

Practice Hardware Asset Template

Section 1.4.4 of the DSPT requires a list of the hardware assets that you have within your practice. See: Asset Template for GPs

Business Continuity Plan

Remember to make sure that you have updated your business continuity plan. Plans will vary from area to area, but we have attached a template which covers the required sections. You should ensure that copies of the plan are kept away from the practice premises and that you know who to contact in an emergency. Make sure that you have the correct contact details for the IT team, which is now provided by the North West London Collaboration of Clinical Commissioning Groups: Tel: 020 3350 4050, email nwlccg.servicedesk@nhs.net.

Anti Virus

This links to question 6.3.2 – Number of alerts recorded by AV tool in last three months.

AV-Alerts-Last3Months ⇐ for NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs. This was last updated on 15th March 2019.

190319 – Harrow ⇐ for NHS Harrow CCG. This was last updated on 19th March 2019.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.

Resources

Learning Points

  • The two main documents which will support your DSPT submission are the Data Security Policy and the DSPT Requirement & Evidence.
  • There is now just one main page for DSPT support (this one).
  • Please ask any questions by email using infogovernance@nhs.net

Work planned for next session

There will be no new blogs, but in response to any incomplete sections and to the questions which you submit, we will continue to update the contents of this page. Any updated documents will be included in the relevant section of the DSPT Requirement & Evidence document. Any new discussion topics will be added below the "Work covered in this session" section.

We plan next to review your feedback and cover support for Subject Access Requests (SARs) and Staff Training for 2019/20.

DSPT Introduction – No. 12

Introduction

This is a follow-on from the GDPR blog, which will look at the Data Security and Protection Toolkit that all GP practices need to submit by the 31st March 2019. The DSPT is a sequel to the IG Toolkit and, whilst many parts are similar, there are also new sections and the sum total is a more comprehensive undertaking. There is a focus on cyber-security, which will enable our IT systems to be more robust in response to malware such as virus infections, or the WannaCry cryptoworm ransomware which caused such disruption in May 2017. Much of the information needed for these sections will be common across NWL, for example specifying the type of antivirus software in use. Where these questions are identified we will provide the information you need here. Some of the GDPR work outlined in prior blogs on this website will also support your submission, and the DSPT action plan (see output documentation below) identifies where there are common areas and links to them.

Is there a pass/fail process or a scoring system? When the IG Toolkit was first released, the idea was to encourage organisations simply to take part. Over time there was an aspiration to agreed levels of IG competence, and our NWL IG sharing agreements asked all health care organisations to achieve level 2 of the IG Toolkit before they could share electronic patient records. In a similar way, the first step with the DSPT will be to register and complete those sections which are identified as compulsory. In time your organisation may want to document its IG competence in some of the non-compulsory sections.

Who will see our DSPT returns? As we learn to share information in our health care communities in more integrated ways, there will be sharing agreements which require mutually agreed standards. It will be possible to sign up to those agreements electronically on the Data Control Console (DCC). In addition to being a repository for Information Sharing Agreements and Data Processing Agreements, it will also be a place where you can share your standards of IG competence with other organisations who want to work with you.

When your practice is inspected by CQC you may be expected to demonstrate that your organisation is compliant with GDPR and to show evidence to support this. The DSPT is one way of benchmarking this and may be used for corroboration. Likewise, if your practice is ever the subject of a complaint related to the management of personal data, the ICO may want to see evidence of the standards of IG which you are achieving. The results of the DSPT are also available to NHS Digital, who may audit and analyse the scores in order to identify organisations who need further support.

Review of Action Points from the Previous Session

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Work covered this week

1) How to register with the DSPT?

If you have not already done so you can register your practice here: https://www.dsptoolkit.nhs.uk/Account/Register

You will need to provide an nhs.net email address and also give your practice code, in the form E85074.

2) What Sections should I complete?

There are a large number of sections, but in the first instance you should start with those items which are identified on the site as compulsory.

3) Where can I find further support?

There are a number of different support options, which include:

  • Workshops
  • Webinars (to be advised)
  • This blog
  • NWL IG team
  • IT Team
  • DPO

Workshops:

A number of practices have started working through the DSPT sections. In the first instance we have agreed to put our heads together to see which areas practices might need help with and which ones require specific input from the IT teams. We want to draw from the experience of those who have completed various sections or who have drawn up policy documents, so that we can share good practice and avoid the need for many practices to ‘reinvent the wheel’. Once we have looked at the requirements in the compulsory sections we plan to hold a workshop, initially with some of the Ealing practices, to walk through the process. There will be an expert panel from the IG and IT teams and a question and answer session. We are planning similar workshops across the other CCGs and, as we develop a better understanding of the requirements, we will use this blog to share:

  • learning points
  • policies, protocols or template documents which can be shared
  • webinars or other online learning resources

Over the next few months we plan to develop and add to a DSPT Support Page.

NWL IG and IT teams:

You can ask questions of the NWL IG team through the support email below, and we will put these and the answers into a DSPT section of the FAQ. You can also get support from your IT team using the same email.

Data Protection Officers*:

Working through the DSPT and the final sign off of the DSPT will require input from your DPO. The current situation with a single interim DPO covering NWL will not allow that level of engagement at practice level. GPs need to take early action to appoint DPOs and as data controllers they are responsible for the costs of employing them and will need to budget something in the order of £1500 to £2500 per average practice to cover this. There has been some consensus among GPs that it would make little sense for individual practices to recruit their own DPOs and it will be better to deploy a shared DPO service at borough level or across NWL.

If either the federations or NWL were to undertake this role, they would levy their GPs for provision of the service. This has been discussed in some of your networks and is also being debated in Federations and NWL CCGs, who are looking into the most efficient and cost effective way of providing such a service. We are also seeking further national guidance on this and are in contact with the LLMC, and will update practices at Network level and on this blog as more information becomes available.

*[Update March 2019 – Since the details of the new GP contract have been released, the responsibility of providing and employing DPOs will rest with CCGs who are currently exploring ways to augment the current service]

Resources

Output Documentation

Learning Points

  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 2-3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level early in the New Year to support your work towards signing off the DSPT.

Practice Checklist

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here https://www.dsptoolkit.nhs.uk/Account/Register
  • To do 46 – Start working through the sections, completing only the compulsory sections in the first instance

Summary Blog – No. 11

Introduction

The past 10 weeks have seen us work through the core aspects of good information governance, which will allow you to demonstrate that your GP practice is compliant with GDPR and the new Data Protection Act 2018. We have stressed that this is not a one-off exercise but a process which needs to be kept under constant review and that you need to have systems in place which monitor and maintain the standards you apply in managing your patient and staff data.

This week we looked at what we have covered, key timescales, and support you will have going forward.

Review of Action Points from the Previous Session

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Work covered this week

1) How will your compliance with GDPR be assessed?

As yet we do not know what exact form this will take but there are three scenarios where it may be put to the test.

  1. At your next CQC inspection, you will be asked to show evidence to support your compliance with GDPR.
  2. If you are the subject of a complaint related to how you manage personal data, the ICO (Information Commissioner’s Office) will want to look into your compliance with the GDPR.
  3. Your practice needs to complete the DSPT (Data Security and Protection Toolkit) by the 31st March 2019. This is the successor to the IG Toolkit.

Your next CQC inspection may not be imminent and you might never be the subject of a complaint as a result of a data breach. However, the DSPT deadline on this coming 31st March is a certainty for which you MUST ALLOW TIME AND RESOURCE TO PREPARE. See below.

2) Compliance with GDPR

As the GDPR came into effect on the 25th May 2018, the Information Commissioner’s Office (ICO) would expect organisations to already be putting policies and procedures in place to meet the requirements; however, they have stated that they did not expect every organisation to be compliant as of the 25th May. If an incident did occur, they would take into account what your organisation has done and is pro-actively doing to ensure the protection of personal data. Evidence of the work undertaken within these blogs would, therefore, serve as a strong indicator to the ICO that your organisation takes data privacy seriously, and the ICO would take this into consideration when deciding on any regulatory action.

3) Compliance with the new Data Security and Protection Toolkit

Whilst compliance with GDPR is not a set date or pass/fail monitoring system, the new Data Security and Protection Toolkit (DSPT) is a replacement for the old NHS Information Governance Toolkit. All organisations which process NHS data must complete this by 31 March 2019. The good news is that this follows many of the principles of GDPR, so the majority of what is covered in these blogs is what is required by the DSPT. The two main areas which aren’t are IT security and compliance with the National Data Guardian reports, the former of which you will be able to gain evidence for from your IT supplier. In effect, the DSPT will be the first tangible hurdle which will formally assess practices’ compliance with GDPR.

In order to assist you with this, we have put together a work plan for the Toolkit and matched the requirements against the relevant blog post. You should, therefore, be in a strong position once the work identified in this blog has been completed. This work plan can be found in the output documentation of this blog.

4) Allow a minimum of 3-months preparatory work to become GDPR compliant

The requirement may vary from practice to practice, but our two small practices (4000-5000 patients each) have required the following per practice:

These figures are not definitive and will vary depending on your practice set up. We have provided a more detailed spreadsheet listing specific tasks and personnel which can also be used to track and monitor allocated work to completion (below). The headline figure is that you should allow a bare minimum of 3 months to complete this work and so if you have not yet started, you must make plans to be underway by the New Year.

The other important requirement here will be to have a DPO in place who at the end of the year should be in a situation where he can assess and “sign off” the work you have done towards GDPR compliance and the DSPT. The DPO who is currently holding an interim post will not have the resource to cover all NWL practices and our advice is that you should also plan to appoint a DPO at CCG or Federation level by the New Year.

5) Support going forward

This will be our final blog in conjunction with our external IG experts, however, there is still support available to you going forward.

  • FAQ document which can be found in the resource area of this blog. This should be your first port of call in the event you have a question.
  • NWL Information Governance Blog, this will continue to be monitored and updated
  • nwl.infogovernance@nhs.net email if you have any questions which are not answered in the blog or FAQ. The response will then be added to the FAQ.
  • The Data Protection Officer for all General Practices across NWL will continue in post and can be contacted at the email address above. You will be notified of any changes to this arrangement. It is important to recognise that this role will not provide the capacity to sign off all DSPTs at the end of March 2019, before which there will be a need for practices to appoint DPOs either at practice, federation or CCG level.

Finally, we have created a shortened summary version of the blog, and an action plan against each to-do requirement with the anticipated resource this will take.

Resources

Output Documentation

Learning Points

  • You should have systems in place which monitor and maintain the standards you apply in managing your patient and staff data
  • You will be required to show evidence of your GDPR compliance at your next CQC inspection
  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level by the New Year to support your work towards signing off the DSPT

Practice Checklist

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Layered Fair Processing – No. 10

Introduction

Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement into the first data protection principle; it states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing, which then signposts documents containing progressively detailed information on both your website and CCG based sites.

To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.

Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.

This week we looked at what information we need to provide our patients and the methods we can use. We have provided exemplars to help practices meet these requirements. We have updated the Fair Processing Notice (synonymous with ‘Privacy Notice’) in poster form and revised the more detailed document which can now replace your interim privacy notices on your websites. Where possible, when explaining how we use their data, we should use principles rather than specifics and try to give consistent advice, so that patients get the same message across a range of community healthcare settings. We have based the updated Privacy Notices on a detailed assessment of the data flows, information asset registers and records of processing in two local practices. We believe these will now cover most of the bases for how GPs in NWL share patient data. However, it is important, if you are sharing data in ways which are different from the norm, that your own Privacy Notices reflect this. Please let us know if you identify any omissions which you think should be included for yours or for other practices.

As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:

  • Direct conversation
  • Paper and electronic documents
  • YouTube videos
  • Social media
  • Radio/TV and other ‘broadcasting’
  • Public engagement meetings

Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on and in addition to your input at the practice level, there are plans for a London wide campaign to promote better understanding of how we share records.

Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.

Review of Action Points from the previous session

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

Work covered this week

Content

Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:

  • Contact details of the controller and the controller’s data protection officer
  • Purposes of processing
  • The lawful basis for processing
  • Recipients of personal data
  • Retention of data
  • Data subject rights

Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which help to inform the fair processing material. GDPR mandates that all this information is provided, albeit in a variety of ways and at varying levels of detail. Therefore, not all of this information has to be provided in every single document, but it is essential that all of it is provided and easily accessible somewhere. How this can be presented is discussed below.

Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.

Method

Providing information to data subjects can take many forms and can no longer only be a statement on a website. In Practices, one of the most effective methods to provide high-level detail to patients is via easily readable posters in the waiting rooms or offices. This can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated to their data, such as an objection to processing and access to their records. Such high-level materials can then provide information on where to get more information if required.

To ensure all the information referred to in the Content section (above) is available, a larger document can then be produced which covers this. This can be made available on organisation websites as well as in print form for those data subjects who do not have access to the internet. Given that information must be provided to all, it would also be advantageous to have this available in different languages, either translated and provided in a separate document or via browser software such as Google Translate, allowing the data subject to have it translated at the point of use.

These methods will primarily reach those who actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but whose personal data is still processed. This could include taking out high-level advertisements in local media, use of local advertisements in public areas, or postal campaigns. A simple way of informing patients of where to access such information could be a statement in the footer of all headed letters sent out by the Practice.

Resources

Output Documentation

A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:

PLEASE NOTE: These are based on information analysis from two GP Practices. You should review these to ensure that they include all data flows within your own practice, and check that all the purposes you use data for are covered. If you identify other data flows or other purposes which have not been included, please let us know (nwl.infogovernance@nhs.net). We will wait a further 2 weeks to receive any feedback before finalising the content of the A4 Fair Processing Notice and printing (and formatting with updated links) the A3 posters for use across NWL GP practices.

Learning Points

  • Your Practice should have an up to date fair processing campaign
  • This information should be available to patients in both electronic and paper form
  • Fair processing information must be available at both high level and detailed level

Practice Checklist

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Right of Access – No. 9

Introduction

Obtaining access to their own information is one of the most exercised rights afforded to data subjects. Those rights have changed under the new data protection legislation, making it easier for them to access their medical records. Controllers can no longer charge for providing data subjects with their personal data and have to respond within a month, when previously they had 40 calendar days.

This week we look at how to manage these requests, how GP systems can be utilised to help compliance, and how to manage requests which aren’t always straightforward.

What would be the cost to your practice of a large number of patients requesting Subject Access Requests (SARs), to which you are obliged to respond without charge? Those costs will be minimised by not having to print out and post reams of paper records, and this can be achieved by allowing patients access to their full record – electronically. There remains a resource issue related to checking the records, but the effort of doing so would have other benefits. How much time would be freed at reception if your patients had instant access to their results without having to telephone first?  Could we train non-clinical staff to identify (and flag) third party or harmful data and might such a role be centralised?  Why not consider these issues at your practice and discuss ways of delivering solutions at scale in your network meetings and with your CCG and Federation? More below.

Review of action points from prior session

  • To do 26 – Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 – Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs
  • To do 28 – Review the example information risk register and update for your practice
  • To do 29 – Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register
  • To do 30 – Discuss the future provision of a DPO for your practice (at a practice or CCG or Federation level) and, if you have not done so already, make arrangements to appoint one in 2019.
  • To do 31 – Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian)
  • To do 32 – Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles the breach is reported to.
  • To do 33 – Review NHS Digital’s Incident Reporting guidance, and ensure you follow it.

Work covered this week

Right of Access

GDPR provides a right of access to individuals for a copy of their personal data held by a Data Controller. As Data Controllers, GP Practices must now supply a copy of all information they hold about an individual on request for no fee and within a month.

Since March 2016, it has been a contractual obligation to allow patients access to their medical records via the organisation’s Patient Online system (SystmOne or EMIS). Both clinical systems allow patients to register and access all information held about them, which will ensure they have up-to-date and timely information at hand. Many patients currently use Patient Online to book appointments and obtain prescriptions through the Electronic Prescription Service (EPS), but a smaller proportion uses it to access their medical record.

Allowing access to electronic records is not a binary decision and there are significant resource implications. You should have a system in place for allowing patients to apply for access to their records online, and any system you have should take into account the resources required. The priority you place on this process will be decided by the practice partnership. If resources are limited, you can and should have a waiting list. However, it is worth recognising that if a patient requests electronic access to their record and this is declined (put on a waiting list), they are entitled to make a SAR, and practically speaking the quickest and easiest way of responding to this within one month will be to provide them with full access to their record through Patient Online. If your practice requires help in providing this service, there is a wealth of useful information from the RCGP which is signposted below in the Resources section.

Where an adult patient is requesting access to their own records online, you should be assured that they are who they say they are. In most cases this will be by them providing two forms of ID: one photographic (such as a driving licence or passport) and one showing their address (such as a recent utility bill). If you can vouch that the person is who they say they are (for example, they regularly come to the surgery), then this can also be a form of assurance before granting access.

Coded Data or Free Text?

SystmOne allows the patient to have access either to only their Read-coded data or to a copy of the full record including free text. Each Controller should decide whether they want patients to access just the coded information or additionally the free text. As we have already noted, patients have a right to request the full record, and the coded information on its own would be insufficient to provide a response to a SAR.

Before access is granted, it is essential that the information on the record is reviewed to ensure that it is suitable to be disclosed to the patient. The right of access is not an absolute right, and information can be withheld in a number of limited scenarios, including where it relates to third parties, or where it could be considered harmful or distressing to the patient to disclose. It is noted that this could cause resource issues; however, this is something that should be weighed against the resource cost of handling requests for access in paper form now that no fee can be charged.

Specific data entries can be hidden from the patient’s online view, so it is important to ensure each query in a given consultation is recorded as a separate entry (a new section) so that, if the information does need to be redacted later, this can be done at a more granular level.

Access by Proxy

Access to children’s records

It is important to note that the right of access always applies to the data subject, so there is no automatic right for a parent to access a child’s record. However, if an adult has parental responsibility for a child or is a legal guardian, a GP can make a decision about whether to allow the individual access to the child’s record if it is in the child’s best interest. There is no statutory age in England and Wales at which a child is considered to have sufficient knowledge to exercise their right of access; however, the new data protection legislation does stipulate that from the age of 13 a child will be deemed to have the capacity to consent to the use of ‘information society services’, which online access to records can be considered to be.

Therefore, any request for access to records by a parent or legal guardian where the child is under the age of 13 should be considered on a case-by-case basis, taking into account whether the child may have the capacity to understand the effects this may have and to request that their information is not shared with their parents.

Where a child is between the ages of 13 and 18, again this should be considered on a case-by-case basis, but it is generally assumed the child will have the capacity to decide whether the parent/legal guardian can access their record. Such requests should be granted, and the parent’s consent only sought if the child is deemed to lack capacity or if the clinician feels that it is in the best interest of the child.

Access to records of elderly patients/adults lacking capacity

Where a request comes to access the records of an elderly individual (such as a mother or daughter requesting access to their elderly parents’ records), the individual should always be assessed as to whether they have the capacity to make such a decision themselves. If not, you should assure yourself that the person requesting access to the record has either Power of Attorney or a court order, or that access is in the patient’s best interest. It is important that you and your staff understand that these elderly patients are vulnerable and that on occasion such requests can be open to abuse. Where there is capacity, you should ask direct questions to ensure there is no coercion; where there is not capacity, you should always be mindful of the possibility of coercion.

Real life case study

In 2016 a GP Practice was fined £40,000 for disclosing confidential information in response to a subject access request. The disclosure to a child’s father also included information relating to the mother (who had separated from the father and had asked the Practice not to disclose her whereabouts), including her contact details, information relating to her parents and another third party. The Information Commissioner’s Office found that the Practice had insufficient systems in place to manage such requests.

Therefore, in circumstances where there may be concerns regarding safeguarding, domestic violence or other such situations which could cause harm to individuals, every effort should be made to ensure the disclosure is appropriate and lawful.

Do remember, before allowing a patient or guardian access to clinical records you must be certain that:

  • They are who they say they are
  • They are allowed access to the requested record
  • The record given to them does not contain harmful or third party data

Resources

There is a series of eLearning modules available via the RCGP eLearning website below. These include courses on coercion, identity verification, proxy access, children & young people, overview and benefits, protecting patients and practice, and online access for clinical care.

General Resources

Output Documentation

Learning Points

  • Your practice should have an up to date access to records policy
  • You should have a system in place for allowing patients to apply for access to their records online
  • That system should take into account the resources required

Practice Checklist

  • To do 34 – Ensure your access to records policy is up to date with the new data protection legislation
  • To do 35 – Review your current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

Next session on 04.09.18

(Blog No. 9 due 11.09.18)

Taking all of the patient data identified in earlier blogs which is being processed through the practice, and looking at the ways in which we use that information we can now draw up a final Fair Process Notification.

Managing Risk – No. 8

Introduction and comments

Information is valuable to primary care and the NHS as a whole, as it allows us to treat and protect patients, as well as to design and provide them with the best possible services. It is important for practices to understand what information they hold, why they hold it and what safeguards are in place to protect the data. By doing so we can ensure that information is used in a secure and lawful manner to prevent information breaches, as well as keeping our patients’ trust.

This week we looked at information risk management and revisited the role of the Data Protection Officers (DPOs) and the reporting of breaches and serious incidents.

Review of action points from prior session

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The list of contracts you drew up for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Work covered this week

Information Risk Management

Information risk should not be treated differently to any other risk to the practice, whether it is financial or workforce risk. You will already have risk management processes set up. We need to check whether information risks have been recorded within your risk registers and that mitigating controls have been put in place.

Where will information risks arise prior to a breach happening?

From the activities noted in Blog No.2 – Information Asset and Data Flow Mapping and Blog No.3 – Data Protection Impact Assessments (DPIAs), we have added possible risks to the practice and / or have identified risks from the DPIAs undertaken.

You may also conduct a physical audit of the practice to test staff awareness and processes to establish whether there are any potential information risks or training needs. These activities will enable you to identify risks and also demonstrate good evidence for your Data Security and Protection Toolkit.

We have developed an information risk register. This lists the information risks we have identified at this practice and shows examples of the different types of risks. The Information Governance Staff Handbook should also be reviewed as this also details good practice for mitigating information risk to your Practice.

Data Protection Officer (DPO) in relation to GP Practices

To support the Information Risk Management process, there is a need to establish a structured framework and reporting mechanism. To meet the requirements of GDPR and the Data Security and Protection Toolkit, each Practice is required to appoint individuals to roles to support this framework and to deliver compliance.

GP Practices are considered Public Authorities under the provisions set out within Schedule 1 of the Freedom of Information Act 2000. This is due to the processing of Personal Confidential Data for the NHS. GDPR specifies that all Public Authorities are required to appoint a Data Protection Officer (DPO).

The activities of the DPO within General Practice are detailed within the Information Governance Alliance GDPR guidance note for GPs and also their GDPR: Guidance on the Data Protection Officer.

Primarily the DPO should deliver independent advice and monitor processing activities and practice. Due to the independent nature of the role, here are some activities the DPO can and can’t do:

It is a requirement for the DPO to monitor processing activities to ensure compliance with GDPR. The Practice is required to submit their DPIAs, Information Assets and Data Flow registers, risk registers and incident logs to the DPO on a regular basis so that the DPO can monitor compliance with the Data Protection legislation and prevent personal data breaches.

For the activities that the DPO cannot undertake, the Practice should ensure that there is a decision-making function and approval process in place. This is likely to be your Practice Caldicott Guardian.

As part of the Caldicott function, the Caldicott Guardian should be aware of processing activities, information risks to the Practice or any risks that would have any privacy implications to data subjects. The Caldicott Guardian can approve information sharing agreements, contracts and breach investigation reports. The Caldicott Guardian should be the Practice’s first point of contact on Information Governance/GDPR matters.

Your Practice’s DPO [Action point]

As you are aware NWL CCGs have appointed a single DPO as an interim measure to help meet this responsibility, until Practices decide on how they wish to provide this service themselves. This arrangement can only work in the short-term in conjunction with the provision of GDPR support through this blog and our ability to access subject matter expert opinion through an IG consultancy. This is a time-limited resource and one which will reduce after November 2018. Whilst further support will continue to be available, this will be limited. It is essential that practices understand that it is a legal requirement for them to appoint a DPO who will be able to provide the services outlined in this blog.

Practices may decide to provide a DPO themselves, or consider a shared role across a CCG or federation. We have reminded CCGs about the limited timescale for implementation of DPOs to cover their GP practices in 2019, and are canvassing them for further support. We encourage NWL primary care health care communities to discuss this important issue at their CCG member meetings.

Information Governance Breaches and Serious Incidents

The Practice should ensure that robust mechanisms are in place for the reporting and monitoring of information breaches, whether they are serious or near misses. GDPR defines a breach:

Article 4(12) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Here are some examples of breaches or near misses:

In the event of a personal data breach, the individual should follow the Practice’s Incident Reporting policy. The policy should include the reporting mechanism and the roles the breach is reported to. The Practice should also follow NHS Digital’s Incident Reporting guidance.

The table below details the severity of breach which is required to be reported to the ICO or whether it can be dealt with locally. This is the reporting detailed within the new NHS Digital Incident Reporting guidance. It is a requirement that all Practices follow NHS Digital’s guidance on incident reporting.

The reporting mechanism is through the Practice’s Data Security and Protection Toolkit.

Reporting Structure:

GP Practices are required to report breaches through several mechanisms/bodies.

All levels of breach are required to be logged as Serious Incidents on the Strategic Executive Information System (StEIS), which acts as a learning portal for the NHS, and at Practice level through incident report forms/logs. Subsequent risks should also be included within the information risk register. These will need to be provided to the DPO on a regular basis to assess whether the mitigating actions are effective and the risk minimised.

Should a potential or actual breach occur, please consult the Caldicott Guardian and the DPO.

Resources Used

Output Documentation

Learning points

  • The earlier data flow mapping exercise and DPIA should provide much of the information required for information risk management.
  • Your practice must appoint a DPO.
  • Be aware of what your DPO can and can’t do and ensure your Caldicott Guardian is aware of their responsibilities.
  • NHS Digital has issued a guide on incident reporting which must be followed.
  • All levels of breach are required to be logged on StEIS and on Practice incident report forms/logs.

Practice checklist

  • To do 26 Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs
  • To do 28 Review the example information risk register and update for your practice
  • To do 29 Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register
  • To do 30 Discuss the future provision of a DPO for your practice (at a practice or CCG or Federation level) and if you have not done so already make arrangements to appoint one in 2019.
  • To do 31 Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian)
  • To do 32 Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles the breach is reported to.
  • To do 33 Review NHS Digital’s Incident Reporting guidance and ensure you follow it.

Next session on 30.08.18

(Blog No. 9 due 04.09.18)

We will be looking at how we provide electronic access to patient records in routine circumstances and the issues around providing proxy access for children and patients who may lack capacity.

GDPR Accountability – No. 7

Introduction and comments

We made a change to our schedule this week, and instead of fair processing we have looked at the levels of accountability which we are required to demonstrate following GDPR:

  1. Practice accountability – the technical and organisational measures that need to be in place in order for us to be able to demonstrate this.
  2. 3rd party supplier accountability and contract management.

We will cover fair processing in a later blog and you can view the updated timetable here.

As an aside, we have continued to get many questions related to GDPR, and a recurring theme has been how to respond to various scenarios related to Subject Access Requests (SARs). I wanted to take this opportunity to clarify an important principle related to whether or not practices can levy a charge for SARs. We had previously, and in retrospect incorrectly, reflected an observation that it should be the purpose of the information which guides the decision to charge and if that purpose is the production of a medical report (regardless of who generates the report) then the practice can make a charge. We have now discussed this with the ICO and have had clarification that practices should only charge when they themselves are creating a medical report. In summary, then, we cannot charge a lawyer or insurance company who are requesting information on behalf of the patient even if that purpose is for the production of a medical report unless we have been asked to generate that report.

How to manage the significant resource which will fall to general practice as a result of SARs remains a thorny problem. We believe that the best way forward in the longer term will be to prepare our medical records and share them widely with our patients so that SARs can be responded to through this mechanism. Here is a thoughtful blog about that subject which we recommend you read, which recognises that this is not a straightforward process and highlights some of the challenges ahead.

Access to your Medical records online – It’s hard work for practices, even to do the right thing….

Review of action points from prior session

  • To do 18 Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create a Policy Document for each category of data

Work covered this week

1) Measures to demonstrate Practice accountability

Accountability is one of the data protection principles of GDPR.  Not only are we responsible for complying with GDPR but we must also be able to demonstrate our compliance. Whilst this is not a new principle, it is now a legal requirement.

This week we looked at technical and organisational measures which allow us to do this over a range of activities including:

Data Protection Impact Assessments (DPIAs), which we covered in Blog No. 3, can be excellent examples for showing the controls we have in place within our organisation which demonstrate our compliance.

The old IG toolkit provided a way of evidencing accountability, and this will continue with the new Data Security and Protection Toolkit.  It is now a mandatory requirement for all organisations that process NHS data to complete the Data Security and Protection Toolkit, which has been updated to include GDPR and also contains new recommendations to increase cybersecurity.

The new toolkit can be found here https://www.dsptoolkit.nhs.uk/ and this must be completed and submitted by 31st March 2019. As before your IG lead will be required to sign your practice up to the toolkit. The difference this year is that instead of this being a process of self-declaration “Yes we have done it”, there will now need to be external validation “Show us how you are compliant with the following requirement”.

CCGs are required to ensure that GP Practices are compliant with the Data Security and Protection Toolkit, so will be monitoring GP Practice compliance on an annual basis (after 31st March of each year). The specific nature of the external validation processes is yet to be clarified, but CQC inspection will almost certainly require evidence that the IG toolkit has been assessed and validated by an external assessor. The toolkit itself will help practices to demonstrate the actions they have taken to meet GDPR requirements and will be a repository which will allow scrutiny of any supporting evidence.

We will be revisiting the IG toolkit in a later blog and will provide templates to help you collate evidence for your Data Security and Protection Toolkit submission, which will be shared on this website.

2) 3rd Party Supplier and Contract Monitoring

As part of the principle of accountability, there is a requirement for data controllers to show that they monitor the performance of their data processors. This links in with the work we have done on DPIAs (Blog No. 3 DPIAs) and Contract Reviews (Blog No. 5 ISA & DPA).

Where processing is taking place, you should ask the third-party supplier for the independent audit of their Data Security and Protection Toolkit (this should be in the contract Terms and Conditions). The Template Data Processing Terms and Conditions (Crown Commercial Service templates) were provided in Blog No. 5.

Some of these data processing services may have been commissioned by the CCG and will have had contractual details as part of the commissioning process. In these circumstances, compliance should be monitored by the CCG as the organisation which has commissioned the service. You should ask the CCG for their validation/review of provider/supplier compliance.

When working on the contract reviews we stated that Practices should be using the Crown Commercial Service templates, which would include those Terms & Conditions. Whilst there is a processing agreement between GPs and EMIS as their data processor, there is not a similar arrangement with TPP. NHS Digital has advised that in the case of TPP this has been covered by local call-offs that are signed by CCGs, in addition to a signed deed of undertaking which protects individual GPs against supplier data protection breaches.

Most data processors will be using the Data Security and Protection Toolkit (previously the IG Toolkit), and the monitoring should be a simple matter of them providing you with their Toolkit compliance report.

If they are not taking part in the Toolkit or have not done an audit and you need further assurance, you can use a Provider Assurance Monitoring Checklist. We have included two checklists – one for NHS data and one for non-NHS data (employee). Note that most processors will be using the Toolkit and the monitoring should be a simple matter of them providing their Toolkit compliance report. The checklist below is more detailed but should not be required in the majority of cases of processors dealing with NHS data. We have also included a letter template for you to send to your third-party processors with the checklist.

Practices must monitor responses (you can use the Contract Log), and if there is sufficient assurance, set an annual review date. If the response is inadequate and shows a level of non-compliance, send a second letter detailing the specific requirements to be met by a given date. State that if the requirements are not met you will consider termination of the contract, a financial penalty (if included in the TOCs) or reporting data security concerns to the ICO.

Resources Used

Output Documentation

Learning points

  • This week’s activity provides an opportunity to review any DPIAs to make sure they are comprehensive and meet the accountability requirements by detailing the technical and organisational measures in place in your practice.
  • The Data Security & Protection Toolkit must be submitted by 31 March 2019
  • Evidence of assurance must be obtained from third-party data processors either through a Data Security and Protection Toolkit assessment or from the response to the checklists stated above.

Practice checklist

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The list of contracts you drew up for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Next session on 23.08.18

(Blog No. 8 and No. 9 due 28.08.18)

We will be covering two topics next week – reporting mechanisms through the DPO and access to records by children. There will be two separate blogs covering these subjects.

Record of Processing – No. 6

Introduction and comments

This week we looked at ‘record of processing’ which is a new requirement under the latest data privacy legislation. We also looked at the production of a Policy Document for the special categories of personal data (Data Protection Act 2018).

In case anyone is wondering where the timetable posting in “What, When and How” has gone, as it slipped off the list of recent blogs it has now been put as a menu item at the top of each page.

Review of action points from prior session

  • To do 14  Using the Information Asset Register you made in Blog No. 2, draw up a table identifying the contracts/DSAs/ISAs required for review.
  • To do 15  Review the contracts you have in the practice to ensure they are GDPR compliant using the exemplars and the checklist (see resources used).
  • To do 16  Where contracts should be in place but have not been found use the template letter to write to the contracted organisation requesting a GDPR compliant contract.
  • To do 17  Check the returned contracts from any external organisations you have contacted against the checklist provided.

Work covered this week

1) Record of Processing

What is a ‘record of processing’?

Under the new data protection regime, data controllers must now pay the Information Commissioner’s Office (ICO) a data protection fee. This fee replaces the need to ‘notify’ or register (as was the case under the DPA 1998). For further information on data protection fees, please visit the Information Commissioner’s website: https://ico.org.uk/media/for-organisations/documents/2259094/dp-fee-guide-for-controllers-20180601.pdf

There is a new requirement for Data Controllers to retain records of processing. This includes the purpose of processing, data sharing and retention. The Record of Processing must be made available to the Information Commissioner if required.

What information needs to go into a record of processing?

The following items must be included in your record of processing:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

You can also use the record of processing to document your compliance with other aspects of GDPR and Data Protection Act 2018.

How do we complete a record of processing?

Your Information Asset and Data Flow registers (see Blog No.2) contain the information needed to complete the Record of Processing.

Use the template provided.

If you add a new information asset or flow, you will also need to update your record of processing at the same time.

You can publish your record of processing on your website. It can support your transparency requirements (Fair Processing/Privacy information to data subjects).

What do you need to consider?

Public authorities (including GP practices) cannot use ‘legitimate interest’ as a legal basis for processing.

You must identify the legal basis (Article 6 GDPR) for processing personal data from the list below.

You will need to consider lawful bases in relation to the assets and flows and this needs to be incorporated within the record of processing.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Special categories of data

For processing special categories of data (such as racial or ethnic origin, data concerning health etc) you also need one of the following legal bases (Article 9 GDPR).  The legal bases in bold are the ones which you are most likely to use.

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards
  9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


For certain other types of data e.g. DBS checks for employment and Health Data, you require another legal basis under the Data Protection Act 2018. These are detailed in Schedule 1 of the Data Protection Act 2018. Most likely it will be one of the following, but it is important to check when carrying out this exercise.

Employment, social security and social protection

1.1 This condition is met if —

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

Health or social care purposes

2.1  This condition is met if the processing is necessary for health or social care purposes.

2.2  In this paragraph “health or social care purposes” means the purposes of

(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services.

Template Record of Processing

2) Policy Document

There is a legal requirement for you to have a policy document for the special category of data listed within Schedule 1, DPA 2018 that you process.  This policy document must be referred to within your Record of Processing. This policy document demonstrates that you meet the requirements of the Data Protection Act 2018 and must be retained according to the data retention period plus six months.

What is needed within the Policy Document?

  1. Explain how the Data Controller’s procedures (for this asset) comply with the six GDPR principles (see the Policy Document Template for the list of six principles); and
  2. Retention and erasure information.

If it is decided that you will not comply with the retention and erasure processes, you will need to record the reason why within the record of processing.

Policy Document Template

Resources Used

Output Documentation

Learning points

  • There is no longer any need to notify/register with ICO, but on renewal, you will still need to pay a fee as a Data Controller.
  • There is a legal requirement to keep a record of processing.
  • Legal bases for processing must be documented in the record of processing.
  • New data assets and flows must be updated in the record of processing.
  • There is a legal requirement to have a policy document for each category of data processed.


Practice checklist

  • To do 18 Check your renewal date for registration with ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create Policy Document for each category of data

Next session on 16.08.18

(Blog No.7 due 21.08.18)

We have a three-week break, and the next session will be mid-August when we will be looking at our fair processing notices (privacy notices).


The ISA and DPA – No.5


Introduction and comments

This week we looked at Information Sharing Agreements (ISAs) and Data Processing Agreements (DPAs). A note first on definitions and terminology. Whilst information is often considered processed data, in this context they mean the same thing: so, an ISA might also be referred to as a Data Sharing Agreement (DSA) or a Data Sharing Protocol (DSP).

Under the section “work covered this week” we are discussing the basic difference between ISAs and DPAs in general practice. We consider when processing is done on our behalf directly – which requires an agreement or contract – and when it is done indirectly where a deed may be needed.

The main thrust of this week’s work is: to know when we need agreements or contracts in place for sharing or processing data; and to develop a checklist which identifies those agreements and ensures they are up-to-date and compliant with data protection legislation (DPA 2018 and GDPR). Creating the checklist can be done easily as part of this week’s work. Identifying the necessary contracts and agreements may involve contacting external organisations and reviewing existing documentation and is more likely to be a process which happens over a period of months. We will revisit this task in one of the later sessions to ensure that it is ‘closed’.

This week we cover a lot of information and work and there are two sections:

  • Theory; and
  • Practical.

Please read the theory section, but if you are keen to identify the work ahead, this is in the practical section.

Review of action points from prior session

  • To do 12  Review your Individual Rights Policy and procedures and update using advice and examples provided.
  • To do 13  Review and update your SAR policies and procedures.

Work covered this week (the theory)

Information Sharing Agreements

Information Sharing Agreements are used when two or more data controllers share data. For example, shared care records where GP Practices and Trusts share the data they have collected to use either for a joint purpose or for their sole benefit.

ISAs facilitate the sharing of personal confidential data by setting out good governance mechanisms and each party’s expectations of each other. They are not usually legally binding unless incorporated within a contract but are intended to define good practice. The Information Commissioner’s Office (ICO) has published a Data Sharing: Code of Practice which includes details on what is required within an ISA. Wherever possible, be guided by these codes of practice. They show that you have considered all the necessary elements, and in the worst-case scenario of managing a complaint, you get the additional assurance that the ICO will support your approach.

From a DPA/GDPR perspective, little has changed with regard to ISAs, as they are not a statutory requirement. However, they should be considered a useful technical mechanism, which enables organisations to have secure and lawful controls to share and process data. It is important to update current ISAs to reflect the changes within GDPR and the 2018 Data Protection Act (DPA 2018). For example, organisations which previously documented ‘legitimate interests’ as a legal basis within their ISA will now need to use ‘processing as necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. This is because public authorities are no longer permitted to use the legitimate interest legal basis for their core functions.

GDPR also removes the term ‘Data Controllers in Common’ as defined within the Data Protection Act 1998. Under GDPR, the definition of Data Controller only includes ‘sole’ or ‘joint’. You may need to change these terms, depending on which is more appropriate for a given situation. For an integrated care record, the parties will share their data but may allow each other to read and write into the system. In this system, it is likely that the parties would be joint data controllers. If you search ‘In Common’ in your DSA that should bring up the term you need to review each time.

Data Processing Agreement or Contract

What is processing?

Processing includes a wide range of activity: creating, handling, storing, conducting analytics, retaining and destruction of data and it doesn’t matter whether it is electronic or paper records.

Data Processing Agreement/Contract

Data Processing Contracts are used when the Data Controller asks another party to process data on their behalf. For example, the GP Practice is a Controller, but a contracted-out IT team provides technical services to GPs, e.g. implementing systems to hold personal confidential data. Another example would be where a GP Practice wishes to write to their patients about a new service. The GP Practice may want to outsource this activity and ask an external company to write to them on their behalf. In order to do this, the external company, perhaps their Federation, will have access to patient names and address details. In this case, the external company is processing the GP Practice’s personal data and a data processing agreement or contract is required by law to detail the parties and processing activity. Note that the GP Practice isn’t sharing the data with the GP Federation; they are asking the GP Federation to process on their behalf, under their instruction. These examples are Data Controller to Data Processor relationships. Data Processing Contracts or Agreements (DPCs/DPAs) are legally binding and these types of contract have always been a requirement of privacy legislation. GDPR stipulates what needs to be included within such contracts, and these requirements are listed in Article 28.

To be valid, contracts require the following three elements:

  • Offer
  • Acceptance
  • Consideration (usually payment for services – see below)

What happens when you do not have consideration?

There may be a scenario where there is no monetary exchange (‘consideration’), e.g. a CCG purchases a service or software which processes personal confidential data on behalf of the GP Practice. There is no exchange of payment between the GP (the Data Controller) with the Data Processor. In this case, a Data Processing Deed will need to be put in place between the Data Controller and the Data Processor (making a formal link between them even though the contract and consideration are handled by another party). A Data Processing Deed is a legal document and binding on both parties. The deed needs to be explicitly ‘executed as a deed’ within the document and signatures on the deed must be witnessed.

From a GDPR perspective, processors may only process personal data on behalf of a controller where a written contract is in place which imposes a number of mandatory terms on the data processor, as set out in the GDPR. The Data Processor is not permitted to deviate from this instruction.

Contract reviews

Dame Fiona Caldicott, in her Information Governance Review, noted that the contract mechanism is key in providing protection and must be legally enforceable, and so practices should undertake a contract review. This will allow you as Data Controllers to see if there are adequate data protection and confidentiality provisions within any given contract for the type of processing which is being undertaken.

The contracts should be reviewed, and the risks assessed, based on the organisational context. For example, a cleaner who inadvertently sees personal confidential data for an individual would have a different level of risk than that of a software provider which processes personal confidential data like SystmOne. So, the cleaning contract would not necessarily have the same terms and conditions when compared to a contract with SystmOne.

You only need to undertake a contract review when a processor has provided you with a contract, or you have contracts in place which will need updating in order to comply with the UK’s data protection legislation and the requirements of GDPR.

Work covered this week (practical)

  1. Identify the ISAs and DPAs required for review from our Information Asset Register.
  2. The contracts in our possession are being reviewed as exemplars and when this work has been done they will be published in the ‘Output Documentation’ section.
  3. Draft letters have been sent to companies to provide us with the contracts where the need has been identified.
  4. Once the contracts have been received we will review them against the checklist provided and they will be published under ‘Output Documentation’ in due course.
  5. When these activities have been completed, we will have an up to date Contracts register and/or Data Sharing Agreement register.

We focussed on contracts where the data processor is processing personal confidential data on behalf of a GP Practice. Our first port of call was to review our Information Asset Register which was drawn up in Data Mapping Blog No.2. This shows whether the assets which have been listed require a contract/Data Sharing Agreement and also possibly a Data Protection Impact Assessment (DPIA) as explained in The DPIA Blog No. 3.  The table below lists the circumstances where we need either a GDPR compliant Data Sharing Agreement or an Information Processing Agreement.

DPA/ISA list exemplar

Not every item on this spreadsheet will apply, and each practice will have to check their own asset register. We have included this table as an exemplar (as completed to date by us) in the ‘output documentation’ section and also as a blank template in the ‘resources used’ section. We will need to revisit this document over the coming months as the information becomes available and each contract is confirmed as GDPR compliant. The responsibility for doing so will always rest with the practice, but you can expect services commissioned through the CCG to have a GDPR compliant Data Sharing Protocol (DSP) provided. When looking at contracts between the local provider and your surgery, many of these providers will have their own GDPR compliant contract for you to sign. If your contract is with a small cleaning company, for example, the practice would be required to provide the contract. In this event, the Caldicott contract checklist will detail those sections which are required.

Note: NHS contracts are more than likely to have NHS Standard Contract clauses, and these will not need to be reviewed.

You will only need to review external contracts if there are any variations or changes to the law (as now in the case of DPA2018/GDPR) or when you undertake a new contract. When a service/product is commissioned by the CCG or other parties, you should ask them for the review they have completed on the contract by way of assuring GDPR compliance.

To assess whether the contracts are GDPR compliant, we have used the checklist recommended by Dame Fiona Caldicott in conjunction with the Template Data Processing Terms and Conditions document (see below under Resources Used).

A significant amount of work has been identified in this week’s blog and this will take some months to complete. As we update our contracts we will publish them for information. Whilst you cannot use these as is, if you are using the same service or company it will inform you that the contract is available and GDPR compliant and can be signed in your name.

Resources Used

General:

Specific to this blog:

Output Documentation

Learning points

  • ISAs are used when there are two or more Data Controllers sharing data jointly or as a sole data controller.
  • ISAs are usually not legally binding. They are good practice and demonstrate the controls you have in place to secure and lawfully process personal confidential data.
  • GDPR does not change how we use ISAs as they are not a statutory requirement under the law. However, GDPR does change the legal basis for sharing data used by public authorities and also removes the ‘data controllers in common’ definition from the law.
  • GDPR places stricter statutory requirements on Data Processors and all processing undertaken by a Data processor requires a Data Processing Contract.
  • Data Processing Contracts are used when the Data Processor is processing personal confidential data on behalf of and with instruction from the Data Controller. These types of scenarios are more likely when one party provides services to another.
  • Data Processing Contracts are legally binding and if there is no consideration, a deed may be used and is legally binding if ‘executed as a deed’ and witnessed.

Practice checklist

  • To do 14  Using the Information Asset Register you made in Blog No. 2, draw up a table identifying the contracts/DSAs/ISAs required for review.
  • To do 15  Review the contracts you have in the practice to ensure they are GDPR compliant using the exemplars and the checklist (see resources used).
  • To do 16  Where contracts should be in place but have not been found use the template letter to write to the contracted organisation requesting a GDPR compliant contract.
  • To do 17  Check the returned contracts from any external organisations you have contacted against the checklist provided.

Next session on 19.07.18

(Blog No.6 due 24.07.18)

Next week we will be looking at records of processing and how data controllers and their representatives need to maintain a record of the activities they undertake in managing the data which they are responsible for.

Individual Rights & SARs – No. 4


Intro and comments

This week we looked at the individual rights of data subjects, which GPs as data controllers must now be able to provide under GDPR. They are detailed below. Discussing these new rights in practice meetings can be a good way of helping your team to understand and meet them. We have now reviewed our practices’ current policies and procedures to bring them up-to-date.

We also covered the topic of Subject Access Requests (SARs), again to ensure that we meet the latest requirements.

SARs have been the source of much discussion. There is some anxiety that if we are expected to respond to them in volume, without being able to charge, that the time and effort they require might overload our practices. It is possible to negotiate the terms of a SAR and also in a certain circumstance to charge a fee (e.g. where the purpose is for the production of a medical report). But the concern is understandable because it does seem likely that a significant number of SARs will need to be provided without charge, and the effort needed, other than in a tiny minority of cases where they are “unfounded and excessive”, is not a consideration of the law.

Fear of the unknown plays a part here, and as yet there has been no sign of the floodgates opening, although we are still in early stages post-GDPR. However, if there is any potential for a torrent of SARs, we should be considering any possible mitigation. Perhaps the most promising option will be to respond to a SAR by making patient records available to them electronically. We already have the means for doing this through our clinical systems, but the work required to make patient records fit for purpose (excluding 3rd party and potentially harmful data) is potentially a daunting one. However, the SAR scenario now adds to the imperative of a task which has been our mark on the horizon for some time. The bonus to this approach is that there will be clear benefits both to patients and practices. Consider the advantage to your patients, and the saving in reception and GP time if they were able to obtain their path results on-line and could be pointed to an NWL resource explaining the finer details of blood tests in plain English.

Historically the job of excluding 3rd party and harmful data has been the remit of GPs, and it is now law that a health professional needs to review the response prior to disclosure, but does this need to be the GP? The inclusion of third-party data in records is not that common and the presence of harmful data is exceptionally rare. It would not be difficult to train non-clinical staff to identify this information and defer to a clinician where identified and doing so would significantly reduce the clinical workload in this process. If we wish to share patient data widely with our patients (and there are many other reasons beyond the scope of this blog why we should), this work may become one of our high priorities following on from GDPR.

Review of action points from the prior session:

Below are last week’s action points, but please don’t forget to work through the blogs and action points in order. For instance, our first action point is to appoint a GDPR lead for your practice and let us know their name and email address by sending this and your practice details to nwl.infogovernance@nhs.net.

  • To do 08  Assess whether you need to complete a DPIA using the DPIA Process Flow Map
  • To do 09  Complete the DPIA (only if necessary)
  • To do 10  Practice Data Protection Officer to review and approve DPIA (if Action 09 was completed)
  • To do 11  Action and document mitigation actions from DPIA (if Action 09 was completed)

Work covered this week:

Below are details of the new rights which patients can expect you to deliver post-GDPR. After reviewing these we have updated our Individual Rights Policy and procedures and have published an Individual Rights Policy Document. Guided by the information below on the requirements for SARs and using a Managing SARs Flowsheet we have updated our SAR process and also produced a SAR template response to patients. You may wish to use these as templates for your own practice.

A) Individual Rights

  1. The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. Privacy notices must provide individuals with information regarding the organisation’s purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. The organisation is required by law to provide its privacy notice to individuals at the time it collects their personal data from them. Where personal data is obtained from other sources, the organisation must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. The information the organisation provides to individuals must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

  2. The right of access – Subject Access Requests (SARs)

EU GDPR provides individuals with the right to access their information. Subject access requests can be made verbally or in writing and the organisation has one month to respond to the request. It is important to note, that under GDPR, organisations are not permitted to charge the data subject in most circumstances. We cover SARs in more detail below in Section B this week.

  3. The right to rectification

EU GDPR and the Data Protection Act 2018 provide a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. The right to rectification can be applied for verbally or in writing and the organisation is required to respond within one month to a request. Some rights are not absolute and there are circumstances where a request can be refused. This will need to be reviewed on a case by case basis or advice sought from the legal team (your medical defence organisation).

  4. The right to erasure – doesn’t apply to Health Records

The EU GDPR and the Data Protection Act 2018 introduce a right for individuals to have personal data erased. The right to erasure can be applied for verbally or in writing and the organisation is required to respond within one month to a request. As noted, some rights are not absolute and there are circumstances where a request can be refused. This will need to be reviewed on a case by case basis or advice sought from the legal team (your medical defence organisation).

  5. The right to restrict processing

The EU GDPR and the Data Protection Act 2018 give individuals the right to request the restriction or suppression of their personal data. For example, if the Data Controller is holding incorrect information on an individual, the individual can ask for the restriction of processing their data until the data is accurate or complete (the organisation may store the information but not use it). The right to restrict processing can be applied for verbally or in writing and the organisation is required to respond within one month to a request. The right to restrict processing is not an absolute right and there are circumstances where a request can be refused. This will need to be reviewed on a case by case basis or advice sought from the legal team (your medical defence organisation).

  6. The right to data portability – doesn’t apply to health records

… unless it is an explicit consented process/pathway and/or if you are conducting automated decision making.

EU GDPR and the Data Protection Act 2018 allow individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The organisation must respond without undue delay, and within one month. This can be extended by two months where the request is complex or you receive a number of requests. The organisation must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where the organisation is not taking action in response to a request, they must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

  7. The right to object

Under the EU GDPR and the Data Protection Act 2018, individuals have an absolute right to object, unless there is a compelling reason that the organisation is required to continue processing.

Individuals must have an objection on “grounds relating to his or her particular situation” and if they do, the organisation must stop processing the personal data unless:

  • the organisation can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

The organisation is required to inform individuals of their right to object “at the point of first communication” and in the organisation’s privacy notice and this must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

The organisation must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse.

The organisation must deal with an objection to processing for direct marketing at any time and free of charge and the organisation must inform individuals of their right to object “at the point of first communication” and in your privacy notice.

  8. Rights in relation to automated decision making and profiling

Individuals have the right to object to automated decision making and profiling. Automated decision making means a process/pathway whereby the decision is based on automated means (e.g. an electronic decision). Profiling means where an organisation is using personal data to evaluate certain things about an individual, and includes using automated means to do this. In both scenarios there is no, or only a partial, human component to the decision making. There are additional requirements to meet if you are solely utilising automated means without human intervention: GDPR restricts this processing where it has a legal or similarly significant effect on the individual, i.e. where the decision would have a serious negative impact on the individual’s legal rights or something of comparable effect, e.g. refusal of an online loan application, or using automated means for recruitment based on algorithms. In a health context, if you profile a group of patients (based on their sensitive health data) to whom you automatically provide a service, a patient may be able to object if there has not been any human input into the decision making process.

GDPR considers this type of processing as high risk, therefore, a Data Protection Impact Assessment (DPIA) is required to be completed. This is in order to identify the risks and document the mitigating actions which are to be implemented.

If there is a human component to the automated decision making, you will still be required to have a lawful basis to do so, and to ensure you have a process in place to handle requests objecting to this type of processing. GDPR states that it is important to bring this processing to the attention of the Data Subject, together with how they can object to it. To honour the data subject’s right to object to automated decision making, it is important to put in place an independent human review process.

Whilst this external resource is not related specifically to health services, it goes into more detail to explain the underlying principles related to rights in automated decision making.

Action Point: Through our review, we have developed an Individual rights policy which covers all rights and associated processes which you can adapt to your practice process. Please ensure that you have appropriate mechanisms in place to honour individual rights. 

B) Subject Access Requests (SARs)

EU GDPR provides individuals with the right to access the information an organisation may hold on them. Subject access requests can be made verbally or in writing, and the organisation has one month to respond to the request. The data subject is entitled to the following:

  • Confirmation that you are processing their data
  • A copy of their personal data
  • Other supplementary documentation e.g. correspondence

There hasn’t been much change in how you process the request itself; the following points still apply:

  • You can ‘stop the clock’ on the one-month time frame when you a) ask for identification or b) ask for further information to support the request, e.g. the specific dates and times of the information they are asking for.
  • You still need to verify the identification of the data subject
  • You still need to redact third-party information if you risk disclosing the third-party identity unless you have received consent from them or it is reasonable to comply with the request without the third-party consent.
  • It was previously good practice for a clinician to review the information requested prior to disclosure to the data subject. This is now a requirement in law under the provisions of the Data Protection Act 2018 (Schedule 3, Part 2(6) Data Protection Act 2018).

Changes to the SAR process:

The previous timeframe for responses was 40 days, which has now been decreased to one month. One month means:

  • An organisation receives a request on 3 September. The time limit will start from the next day (4 September). This gives the organisation until 4 October to comply with the request.
  • An organisation receives a request on 30 March. The time limit starts from the next day (31 March). As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
  • If 30 April falls on a weekend or is a public holiday, the organisation has until the end of the next working day to comply.
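As an added worked example (not part of the original blog), the Python below applies the three rules just listed to any receipt date: the clock starts the day after receipt, the deadline is the same calendar day one month on (or the last day of that month where no equivalent date exists), and a weekend or public holiday pushes it to the next working day. It assumes the practice supplies its own list of bank holidays (the one in the code is constructed for the demo) and that, where the clock was stopped to ask for identification, the caller passes the date the clarified request was received.

```python
from datetime import date, timedelta
import calendar

# Constructed for this example: a practice would keep its own list of bank
# holidays. 2 May 2022 is included to exercise the public-holiday rule.
SAMPLE_BANK_HOLIDAYS = {"2022-05-02"}


def _as_date(value):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def sar_deadline(received, holidays=()):
    """Last day for responding to a subject access request received on `received`."""
    # Rule 1: the time limit starts from the day after receipt.
    start = _as_date(received) + timedelta(days=1)
    holiday_dates = {_as_date(h) for h in holidays}

    # Rule 2: the same calendar day one month later. If that month has no
    # equivalent date (e.g. 31 March -> April), use the last day of the month.
    year = start.year + start.month // 12
    month = start.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(start.day, last_day))

    # Rule 3: a weekend (Sat=5, Sun=6) or public holiday rolls forward to the
    # end of the next working day.
    while deadline.weekday() >= 5 or deadline in holiday_dates:
        deadline += timedelta(days=1)
    return deadline


def days_remaining(received, today, holidays=()):
    """Days left to respond; negative once the request is overdue."""
    return (sar_deadline(received, holidays) - _as_date(today)).days


def overdue_requests(requests, today, holidays=()):
    """Filter a log of (reference, date_received) pairs to those past their deadline."""
    today = _as_date(today)
    return [ref for ref, received in requests
            if sar_deadline(received, holidays) < today]


if __name__ == "__main__":
    # Constructed sample log of open requests for a practice.
    open_requests = [
        ("SAR-0001", "2018-09-03"),  # the blog's first example -> 4 October 2018
        ("SAR-0002", "2018-03-30"),  # no 31 April -> 30 April 2018
        ("SAR-0003", "2022-03-30"),  # 30 April 2022 is a Saturday and 2 May a
                                     # holiday -> 3 May 2022
    ]
    for ref, received in open_requests:
        print(ref, received, "->", sar_deadline(received, SAMPLE_BANK_HOLIDAYS))
    print("overdue on 2022-05-01:",
          overdue_requests(open_requests, "2022-05-01", SAMPLE_BANK_HOLIDAYS))
```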

It is important to note that under GDPR, in most cases, organisations are no longer permitted to charge a fee for subject access requests. However, where the request is ‘manifestly unfounded or excessive’ you may charge a fee for the administrative costs of complying with the request. You may also charge if you receive a request for further copies of their data following their request. Again, the charge must be based on administrative costs. The practice must decide whether a request is unfounded or excessive, and document that decision. Should the practice decide not to comply with the request, it must explain its rationale and tell the data subject how to make a complaint to the Information Commissioner if they wish to do so.

We have received some questions from practices about when they can and can’t charge, and about the Access to Medical Reports Act 1988 (AMRA), under which you are permitted to charge. AMRA is explicit that where a medical report is produced for insurance or employment purposes, the data controller is allowed to charge for the report. It is the purpose of the request which is pivotal here. Subject access requests may come from a third party acting on behalf of the data subject with their consent; any request for existing information which is unrelated to a medical report, and which does not require new information to be created, should be processed in line with the subject access request process and will not be chargeable.

You are now also required to provide certain information to the data subject regarding the information you hold on them. This includes:

  • The purpose(s) of the processing (this could be treatment and care, or the performance of a contract, e.g. employment)
  • The categories of personal data being processed (special category data e.g. physical and mental health, ethnicity, sexual life, trade union membership)
  • The recipients or categories of recipients (who receives the data e.g. clinicians from the acute trust, the data subject)
  • The envisaged retention period or the criteria that determine it (as per your practice retention schedules which should reflect Information Governance Alliance: Records Management Code of Practice).
  • The rights of rectification, restriction, objection and where applicable erasure.
  • The right to complain to the ICO (contact details can be found on the Information Commissioner’s website).
  • The right to know more about the source if it is not from the Data Subject (has the information come from a third party other than what the data subject has provided you).
  • The existence of and logic behind and consequences of any automated processing (why you are utilising automated decision processing, what are the benefits, what are the consequences).

It would be beneficial if you utilise the templates provided and use the bullet list in order to fulfil the requirements specified within GDPR.

There is further detail in the two blogs (below under resources used) by Dr Paul Cundy in relation to SARs which make essential reading.

Action point: Update your Subject Access Request Process and the other Individual Rights processes.

Resources used

Output documentation:

Learning points:

  • Patients have a series of new rights related to how data controllers manage their data
  • Discussing these new rights at practice meetings can be a good way of helping your staff to understand and meet them
  • GDPR has made significant changes to the timescales, fees and content of Subject Access Requests
  • Many SARs will no longer be chargeable. However, when a third party (e.g. an insurance company or lawyer) requests a SAR, you should be told the purpose. If that purpose is the provision of a medical report then you are entitled to charge for the service under the Access to Medical Reports Act (AMRA)
  • To date, there has not been a massive increase in the number of requests for SARs. However, you may wish to consider making your patients’ data available to them online (after excluding 3rd party and harmful data) as one way of meeting the potential demand.

Practice checklist:

  • To do 12  Review your Individual Rights Policy and procedures and update using advice and examples provided
  • To do 13  Review and update your SAR policies and procedures

Work planned for next session on 12.07.18

  • Next week will be focused on contract reviews. We will be looking at the requirements for processing contracts and what to look out for.

The “DPIA” – No. 3

Intro and comments

In order to meet the latest privacy legislation, we need to consider data risks early in the design stage of any project. This week we will be looking at the Data Protection Impact Assessment (DPIA) which is a tool which allows us to do this and which supports ‘privacy by design’.

A data protection impact assessment (DPIA) is an evaluation and analysis of the risk to data privacy which might result from any action carried out in your practice. It is often done in projects where personal data is being shared, but it can and should be considered in any significant undertaking where there may be a risk to sensitive data.

Most practices will not need to undertake a DPIA, as one has already been commissioned by the NWL IG group for the sharing of personal information for direct health care.  Please ask your CCG for a copy of this when a new service is procured where you are sharing data. But if there are any changes to the way you process or share data, or if you are looking to share data in new ways, you will be required to do one. We have listed the criteria you need to assess whether or not a DPIA needs to be done and given some examples.

Our practices will shortly be moving to new premises, so we decided to carry out a DPIA to look at any risk to our data which might result from that move. You can see this as an example DPIA in the output documentation section.

Lastly, before we move into the nitty-gritty of DPIAs, I wanted to close a point related to last week’s blog on data registration and mapping. Do remember that the mitigation of any significant risks identified through our data maps will, in due course, be reflected in our practice policies, protocols, guidelines and procedures (which will be dealt with in blog 9).

Review of action points from the prior session:

If you have not already completed them, here is a reminder of the actions from last week:

  • To do 01: Appoint a GDPR lead for your practice and let us know their name and email address by sending this and your practice details to infogovernance@nhs.net.
  • To do 02: Review the email and GP GDPR resource pack sent on 24th May
  • To do 03: If you are happy to use the interim FPN supplied (which we recommend) then publish this to a Fair Process Notice section on your practice website, with links to your local CCG sharing website. Please note that even if you had already uploaded the interim FPN to your website, you should repeat this process with the latest document (v1.03) which contains minor revisions as per the version control section.
  • To do 04: Add a link to the A3 poster which points to the FPN section on your practice website and display the A3 Poster in your practice.
  • To do 05: Build an information asset register and map the flows of data in and out of your practice
  • To do 06: Consider using an online resource (e.g. Blue Stream Academy, there are others) which has a module on GDPR theory which practice staff can go through
  • To do 07: Let us know at intervals how you are progressing on these checklists

Work covered this week:

Our Practice Managers are learning each week, as well as doing!  So below is some background about the importance of privacy by design and Data Protection Impact Assessments.

A) Privacy by Design and DPIAs – a bit of background

The DPIA enables data controllers to ensure that services are compliant with GDPR and Data Protection Act 2018. It integrates core privacy considerations into existing project management and risk management methodologies and policies.

DPIAs identify the information risks in relation to personal data and special categories of data but can also be used to assess information risk surrounding business sensitive data.

Complete a DPIA:

  • when you are sharing information between organisations; or
  • for any new projects, services, products or systems, or changes to existing ones.

By incorporating the privacy by design approach, data controllers are able to use it as an essential tool to minimise privacy risks and build trust.

Benefits of a DPIA include:

  • potential problems are identified at an early stage when addressing them will often be simpler and less costly;
  • increased awareness of privacy and data protection across an organisation;
  • organisations are more likely to meet their legal obligations and less likely to breach GDPR and Data Protection Act 2018;
  • actions are less likely to be privacy intrusive and have a negative impact on individuals; and
  • it helps establish the data processing instructions required within contracts, and whether Data Sharing Agreements need to be drafted.

B) Should I do a Data Protection Impact Assessment (DPIA)?

We used a data processing flow map to assess whether we needed to complete a DPIA. Our two GP practices will be moving to new premises and, under GDPR, this significant change requires us to complete a DPIA.

Below are some examples of when you need to complete a DPIA and when you don’t, and the DPIA Process Flow map we used.

Action point:

Check to see if you need to undertake a DPIA, using the DPIA Process Flow Map and examples above.

If you are not sure if you need to complete a DPIA, enquire through the Support Email

C)  How do I complete a Data Protection Impact Assessment?

Our consultants provided us with a DPIA template, and we worked through each of the tabs in turn to identify the information risks.  We have included a copy of our completed DPIA to help guide you through the process, as well as a template for you to complete (if necessary).

  • Complete tab one – Project details – and provide an explanation of the new or changed process, service, product or system.
  • Complete the screening questions. If you have a ‘red’ answer you will need to complete each DPIA sheet/tab. If your answers are ‘green’ you do not need to complete the other DPIA sheet/tabs. This will be your evidence to demonstrate there are no information risks.
  • Complete DPIA Questionnaire 1 – and make notes against your answers.
  • Complete DPIA Questionnaire 2 – using the information you answered within screening ‘red’ and questionnaire 1, complete the questions (questionnaire 2) providing as much information as possible.

With all your answers, you should have identified the information risks. Complete the information risks and associated mitigating actions within sheet/tab 4.

Your Practice Data Protection Officer would normally review and approve the completed DPIA. However, as we are currently using an interim DPO we suggest that you engage your practice Caldicott Guardian in this process. If there are problems or questions please make any enquiries through the Support Email. We anticipate that most practices will not need to undertake a DPIA, but where one has been done and requires formal approval this can be obtained through their DPO.

Actions must be completed and documented, to show compliance with GDPR and the Data Protection Act 2018.

Resources used

Output documentation:

Learning points:

  • Consider any changes or new projects that might have an impact on how you share or process information – always check to see if you need to complete a DPIA

Practice checklist:

  • To do 08  Assess whether you need to complete a DPIA using the DPIA Process Flow Map
  • To do 09  Complete the DPIA (only if necessary)
  • To do 10   Practice Data Protection Officer to review and approve DPIA (if Action 09 was completed)
  • To do 11    Action and document mitigation actions from DPIA (if Action 09 was completed)

Work planned for next session on 05.07.18

  • Review current processes for meeting individual rights to ensure compliance with GDPR and Data Protection Act 2018

Data Mapping – No. 2

Intro and comments

We have met with the team who will be taking us through the process of becoming GDPR compliant and have made some plans. This week we are sharing those plans and giving you a chance to think about who in your practice will be needed, for how much time and over what duration. This will be a process rather than a tick box exercise, but you will see a number of key action points below. Some of these actions will be one-offs and others will need to be maintained at intervals, and we will point those out as we go along.

We started the ball rolling by looking at baseline data mapping. “We” are two practices in Hammersmith who are planning to co-locate and eventually merge in new premises. Both practices wanted to go through our GDPR requirements as a single unit, which we think will form a good foundation for us as we start working together. Our two PMs got together for one-half day this week and were taken through how to identify what sort of data we collect, why we collect it and who it is shared with.

Review of action points from the prior session:

No action points today, but this section will be updated in subsequent blogs.

Work covered this week:

A) Interim Fair Processing Notices – please don’t skip this bit!

The GP GDPR resource pack sent to you on the 24th of May contained examples of an A3 poster to be displayed in your surgeries with basic details about sharing for you to show your patients, and also an interim Fair Processing Notice (the same as a Privacy Notice).

Please note these have now all been updated as part of the work undertaken in this blog. All the details about the latest Fair Processing Notices, including A3 posters, can be found in the Layered Fair Processing Blog No.10.

Action point: Fair Processing Notice

Publish the updated Fair Processing Notice section on your practice website. Make sure the URL which links to CCG sharing websites is the one pertinent to your CCG. Please note that even if you had already uploaded the interim FPN to your website, please repeat this process with the latest document in Blog No.10.

Action point: A3 Poster

Go to Layered Fair Processing Blog No.10 for A3 posters that you can display in your practice.

B) Baseline Data Mapping

All GP practices need to go through a process of identifying the data they hold by building an information asset register, as well as mapping the flows of data which come into and out of the practice. Excel-based templates giving examples of this can be found in the GP GDPR guidance pack. The information asset register is a spreadsheet called “Electronic Documents” and the other is the “Data flow mapping template”. Don’t open these just yet, because we have populated those examples (see Output documentation below), which may be a better starting point.

Action point: Information asset register

List all types of electronic data held in the practice, together with their use, owner, access control etc. By scoring the risk of a breach (1-5) and the likelihood of it occurring (1-5), any combined overall risk above 10 should be accompanied by mitigations to reduce the risk. If the potential loss of any data identified is mission critical then this should be addressed in a business continuity plan.

Action point: Data flow mapping template

The Data flow maps are broadly divided into data coming into and data leaving the practice. The headers on each document are self-explanatory and include the type of data, the medium, the recipient, the protection, the frequency and volume of the send. On the right side of the table, the purpose and legal basis under GDPR are also recorded. As with the Information Asset register, it is possible to attribute and quantify an overall risk. For those flows associated with a high risk >10 (colour coded amber or red), you should outline any mitigation you have taken to reduce this.

Having been through this process, the purposes of the data (and applied attributes) are likely to be the same for practices offering a standard range of services to NHS patients in NWL.  So you may prefer to use the output documents from our work as your template and I would anticipate that over 90% of the identified types of data and data flows will be the same. The details of where you store data may vary. So too will the type of data, depending on which services you offer. So for example, if you see private patients and manage their data differently from your NHS patients this may need a revised entry. Likewise, if you offer nursing home care, or are doing research projects, or are acting as a hub for out of hours service delivery, these should all be considered as separate lines of data in their own right.  It is possible that we may have missed a category of data which you decide needs to be identified. If this is the case, please let us know on nwl.infogovernance@nhs.net and we will share this information. If you have identified different types of data use and are not sure how to classify this (e.g. the legal purpose) please ask and we will put the answer in the FAQ.

** The assessed risks in the two output documents which we have generated (Information Asset Register and the Data Flow Mapping Register) are specific to our practice and these are judgement decisions which have been taken by our partners. It is the responsibility of each practice to assess and manage their own risks based on their own local circumstances. **

This data mapping information is needed in order to draw up a Fair Processing Notice (the same as a Privacy Notice), which is a task being done centrally for all GP practices across NWL. In addition to the data mapping, the FPN requires input from a Data Protection Impact Assessment (DPIA), which will also be provided centrally and will cover this need for most practices. If your practice is undertaking research or pilot studies or sharing data in new ways, you are likely to need to do your own DPIAs; we will look at this in more detail in next week’s blog.

The data mapping and registration process show us what data we have, why we use it, the flow of data into and out of our practices and the relative risks in any given situation. In order to “Close the loop” and use this information to good effect, we need to mitigate those identified risks where they are significant and those mitigations should be manifest in our practice policies around data security. So, for example, many of the worst case scenarios relating to data loss should be detailed and addressed in our business continuity plans (more on this in Blog 9).

C) Staff GDPR training

Talk about GDPR at your practice meetings to raise the profile of this subject. Encourage your staff to ask questions and refer them to the FAQ if needed. If there are questions which are not answered by the FAQ you can email requests to the support email: nwl.infogovernance@nhs.net. We will talk in a later blog about more specific and practical staff training. However, as an adjunct to this, do consider using an online resource (e.g. Bluestream Academy, there are others) which has a module on GDPR theory which practice staff can go through.

D) Keeping track of progress

Please note that the practice checklists (see below) will be numbered sequentially across all the blogs. When we have finished, it will form a complete list of all the tasks required for your practice to have reached GDPR compliance. This can be revisited and undertaken by practices who wish to follow this process later.

Every time there is a blog update we will email your Practice Manager and your nominated GDPR lead if they are different.

We are keen to identify and help practices who may need more support and so it would be useful for us if you could let us know once a week when you have completed any of the itemised checklists. We can collate this information against your practice and will share it with the CCG whose IT teams or GDPR lead may contact you. This is a request for information which will help us to help you. However, we do not have the resource to follow up those practices who do not send it.

E) Structure and format of this Blog

In the interests of usability we have agreed on a consistent structure for each of the blogs:

F) Estimated timetable

Resources used

  • GP GDPR resource pack. Please use this on-line document rather than the document sent to you by email, as it will change over time and this one contains the most up-to-date links and resources.
  • FAQ-V2.1
  • Support Email

Output documentation

Learning points

  • There will be a standard structure to the blog, with checklists which practices can go through and share with us.
  • An FPN and a DPIA have been commissioned across NWL and practices will be able to use and point to these when completed. Interim A3 posters and FPNs have been provided which should be displayed in your practices and published on your websites, pointing to your local CCG sharing website.
  • You should build an information asset register and map the flows of data in and out of your practice
  • The mitigation of any significant risks to data which we have identified through data registration and mapping should in due course be reflected in our practice policies, protocols, guidelines and procedures (this will be dealt with in blog 9)
  • Practice Staff can use online training modules to learn about GDPR

Practice checklist

  • To do 01  If you have not already done so please appoint a GDPR lead for your practice and let us know their name and email address by sending this and your practice details to nwl.infogovernance@nhs.net.
  • To do 02  Review the email and GP GDPR resource pack sent on 24th May
  • To do 03  Publish the new Fair Processing Notice section on your practice website (with links to your local CCG sharing web site). Please note that even if you had already uploaded the interim FPN to your website, you should repeat this process with the new Fair Processing Notice in Blog 10
  • To do 04  Display the new A3 Poster in your practice (see Blog 10)
  • To do 05  Build an information asset register and map the flows of data in and out of your practice
  • To do 06  Consider using an online resource (e.g. Blue Stream Academy, there are others) which has a module on GDPR theory which practice staff can go through
  • To do 07  Please let us know at intervals how you are progressing on these checklists

Work planned for next session on 28.06.18

  • DPIA assessment and review
  • Check shared data mapping and asset registers
  • Patient rights process review

Inaugural Blog – No. 1

GDPR compliance for NWL GPs (TPP)

Welcome to this inaugural blog which is going to follow the process of taking our GP practice through to GDPR compliance. There has been some understandable anxiety around the concept of a deadline on the 25th May, but most practices nationwide will not be compliant by then. Rather than being a tick box process, this should be considered as a journey.

The clinical system we use to provide patient care is TPP SystmOne. We had initially thought about providing an EMIS version of the blog as well, but as things have turned out, the activities you need to engage in to meet GDPR requirements are not really system specific.

What is GDPR and why this blog? 

I’m a GP working in Hammersmith. One of my roles is to support the safe and secure sharing of medical records so that we can improve the care we provide for our patients. How we manage the private and personal data we hold and process on our patients has been redefined by new European regulations GDPR:

General Data Protection Regulation

It outlines similar requirements to the Data Protection Act, but sets higher standards which, if unmet, can carry fines of up to 4% of the annual turnover of your practice.

Delays in guidance and the implementation of the statute made the goal of compliance by the 25th May unachievable. But the Information Commissioner’s Office (ICO) who will police the process has made it clear that they do not intend to be implementing punitive measures. Such actions are only likely if there is clear evidence of a significant breach which demonstrates a blatant disregard for a data controller’s responsibilities. However, practices must be able to show that they understand these new responsibilities and are taking actions to meet them.

So this is serious stuff and, whilst you are unlikely to fall foul of the ICO, it is important not to leave the work undone. It will need extra resources at a time when we are all busy, but this is not just some diktat passed down from NHSE … it’s the law.

The NWL Journey towards Compliance

Our practice will be advised by a team of IG experts about the actions we need to take, and this blog will mirror each stage. Where, for example, we need to undertake data flow mapping, there will be a detailed description of what information is needed, who collects it, how it is presented and how long this took. If a process requires a search then that search will be recorded and made available to all practices who want to use it. Likewise for audits or other activities. If an action results in the output of a practice policy, protocol, guideline or procedure, those documents will be made available to share. It may be possible to use some of them as is; others may require modifications to make them relevant to your practice. At the end of each blog, we will highlight the learning points and give a bullet list of actions which you need to take before moving on.

We will be working one day a week here, but some of this will be preparatory work which will not take you as long and we are also likely to make some mistakes which we hope you will be able to learn from. The blog will be divided into weekly sections and we hope that by sharing our experience in this way, practices across the North West London (NWL) CCGs will be able to go through a near-identical process.

How long will it take and what resource?

We are not entirely sure, but hope to reach compliance over something in the order of 10 weeks, during which time our Practice Manager and/or a dedicated lead will devote between one half and one day per week. We are mindful that this is starting off just before the holiday period, and we plan to do four weekly blogs up until the 23rd July, followed by a three-week break after which we will restart. There will be an update on the 21st June.

We look forward to you coming along on the journey with us!

What, When and How

The Purpose

This blog will document the process of two Hammersmith GP practices who are being taken through the tasks required to become GDPR compliant.

Timetable

Below is the planned schedule. It may be updated depending on how we progress.

Format of blog

To help usability each weekly blog will follow a standard structure: