data protection impact assessment are you implementing … › content › uploads › 2020 › 01...
TRANSCRIPT
![Page 1: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/1.jpg)
PAM Part 2 DPIA Ref: CSI075
DATA PROTECTION IMPACT ASSESSMENT
Data Protection Impact Assessment Flowchart
Are you implementing a new system, or service, or changing the way you work?
Note: where no personal identifiable information is used, DPIA is not necessary.
DPIA Screening Process- please provide project details and answer the ten
screening questions to determine whether there is a high risk to personal data and a DPIA is required - Stage 1
If a full DPIA is not required, please retain a copy of the screening questions with
the project documentation and send a copy to the IG Department (e-mail: [email protected]).
If a full DPIA is required, please complete Part 1 and Part 2 of this document. Please
note you may wish to provide supporting information e.g. contract, system specification, consent forms - Stage 2
Send the completed Part 1 and 2 of the DPIA to the IG Department for review (e-
mail: [email protected]). The IG Team will complete Part 3 Assessment of Compliance.
The IG Team will contact the project lead to collaboratively complete Stage 3. If
necessary, an action plan will be produced in conjunction with the IG Department- Stage 3
All stages of the DPIA together with any necessary action plans are sent for
approval by the Data Protection Officer Where the project changes what data it is using, the way it is using data etc. a review of
the DPIA should be conducted with a new DPIA as appropriate.
![Page 2: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/2.jpg)
PAM Part 2 DPIA Ref: CSI075
DATA PROTECTION IMPACT ASSESSMENT – Transfer of OH contract to PAM Part2
Full DPIA
This Data Protection Impact Assessment must be completed wherever there is a change to
an existing process or service, a new process or information asset is introduced that is likely
to involve a new use or significantly changes the way in which personal data is handled or
there is a change in the type or volume of personal data.
PIA Reference (Dept- Project Title):
CNTW, TEWV, NTW S Occupational Health PAM
Project Description:
People Asset Management (PAM) LTD-
Occupational Health and Employee Assistance Programme (EAP) service to
Trust staff
Implementing Organisation:
Cumbria, Northumberland ,Tyne and Wear NHS Trust, Tees and Esk Wear Valley NHS
Foundation Trust and NTW Solutions (excludes Cumbria region staff until April
2020)
Project Manager details: Name Designation Contact details
CNTW/NTW Solutions Jacqueline Tate
Workforce and OD Ashgrove
St Nicholas Hospital Jubilee Road
Gosforth Tel 0101 2456816
TEWV
Angela Collins Deputy Director of HR
Flatts Lane Tel: 01642 516410
Overview: (Summary of the proposal) What the project aims to achieve
PAM will be providing a full OH and EAP service to the organisations above. The
service will include pre-employment checks, management referrals, management
advice, health surveillance, immunisations and vaccinations, EAP and physiotherapy.
This DPIA is completed to look at the
![Page 3: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/3.jpg)
PAM Part 2 DPIA Ref: CSI075
sharing of information by the Trust to PAM and vice versa.
State the purpose of the project – e.g. patient treatment, administration, audit, research etc.
Provision of Occupational Health Service and Counselling, plus advice and reporting information to managers (NB. In relation to CNTW, does not include Cumbria locality at this time)
Key stakeholders (including contact details)
People Asset Management Ltd Cumbria, Northumberland Tyne and Wear NHS Foundation Trust Tees and Esk Wear Valley NHS foundation Trust NTW Solutions
Implementation Date:
1 December 2019
![Page 4: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/4.jpg)
PAM Part 2 DPIA Ref: CSI075
Stage 1 – Initial Screening Questions
A Data Protection Impact Assessment (DPIA) must be carried out where the proposed
processing of personal data is likely to result in a high risk to rights and freedoms of those to
whom the personal data relates. Please answer the below ten screening questions to identify
the appropriateness of a DPIA:
Q Screening Question Yes/No
1.1 Will the process involve evaluating or scoring (including profiling and predicting) information relating to the data subject? For example, evaluating the individual's performance at work, economic situation, health, personal preferences or interests, reliability or behaviours, location or movements? This could include offering genetic tests to patients in order to assist and predict health risks.
Yes
1.2 Does the processing involve automated decision making (i.e. will a decision be made solely by automated means without any human involvement)? If so, will the automated decision making produce a legal or similar significant effect on the data subject?
No
1.3 Are you performing systematic monitoring of data subjects, including in a publicly accessible area? For example, through CCTV? PAM use telephone recording and will require a policy to describe how this information is held and processed and retained (see risks below)
No
1.4 Does the processing involve sensitive data such as: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; information relating to an individual's sex life or sexual
orientation; or criminal offences.
Yes - Health Data of
staff
1.5 Is the data being processed on a large scale? For example: does the personal data relate to a large number of individuals; does the personal data involve a large volume of data and/or
range of different data items being processed;
Yes Relates to all staff.
![Page 5: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/5.jpg)
PAM Part 2 DPIA Ref: CSI075
will the personal data be carried out on a medium to long term basis; or
will the processing be carried out over a large geographical scale?
PAM will hold this data for
the duration of
the contract
1.6 Will personal data be matched or combined with other datasets? For example, are you combining different sets of personal data that have been processed for different purposes?
No
1.7 Does the personal data being processed relate to vulnerable data subjects? For example, will it involve the use of information relating to employees, children or patients?
Yes Employees
1.8 Does the processing involve new or innovative technologies or organisational solutions? For example, combining use of fingerprint and facial recognition?
No
1.9 Will personal data be transferred outside the UK?
No
1.10 Will the processing itself prevent data subjects from exercising a right or using a service or a contract? This includes where processing is being undertaken in a public area that people passing by cannot avoid, or processing that is aimed at allowing modifying or refusing individuals access to a service or contract.
No
If you have answered “Yes” to two or more of the questions above please proceed and
complete stage 2.
![Page 6: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/6.jpg)
PAM Part 2 DPIA Ref: CSI075
Stage 2 – Data Protection Impact Assessment
Part 1
2.1 Is this a new or changed use of personal information that is already collected
Changed- new provider will be carrying out the service previously
provided by Team Prevent and Care First (North Tees for TEWV)
2.2 What data will be collected? Administration data Forename: Yes Surname: Yes DoB: Yes Age: Yes Gender: Yes Address: Yes Postcode: Yes NHS No: No Another unique identifier (please specify) : N/A Other data (Please specify): Sensitive data - Yes - Health information Racial or ethnic origin No Political opinion No Religious belief No Trade Union membership No Physical or mental health or condition Yes Sexual life No Commission or alleged commission of an offence No Proceedings for any offence committed or alleged No Will the dataset include clinical data? No (information may be requested with permission of staff member but would not be provided by the referring manager) Will the dataset include financial data No (as above) Description of other data collected: Referrals and information retained by PAM may include special category of personal data (as above). There is a clear separation (legal separation within one system) between the instances of PAM relating to the different organisation identified within this DPIA.
2.3 Are other organisations involved in processing the data?
No If yes, list below
![Page 7: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/7.jpg)
PAM Part 2 DPIA Ref: CSI075
Name and Notification
Number
Data Controller (DC) or Data
Processor (DP)?
Completed and compliant with the IG Toolkit
Complete Y/N
Overall Rating
PAM DC Y Top grade 95% pass ISO 270001
compliant (provided proof of accreditations with
some gaps)
CNTW DC Y Fully met (action plan)
TEWV DC Y Fully met (no action plan)
NTWS DC Y Fully met (action plan)
Note: Where the processing is wholly or partly performed by any identified data processor, the data processor should assist the Trust in carrying out the DPIA.
2.4 Has a data flow mapping exercise been undertaken? If yes, please provide a copy- template attached, if no, please undertake Part 2.
Yes attached at Part 2
2.5 Does the work involve employing contractors external to the Organisation?
Yes associates are procured as
needed. Information about current arrangements has been provided and
PAM will engage with TEWV and CNTW for all future associate
procurements. This clause will be in the contract.
2.6 Describe in as much detail why this information is being collected/used?
Managers make an online referral for support and a health opinion.
Staff complete a health questionnaire so assessment of fitness for employment can be undertaken.
Management receive trend information about reasons for referrals.
2.7 Is the information being used for a different purpose than it was originally collected for?
No
2.8 Will the information be collected electronically, on paper or both?
Electronic only
2.9 Where will the information will be stored?
![Page 8: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/8.jpg)
PAM Part 2 DPIA Ref: CSI075
Electronically by PAM – designated secure servers. Reports will be accessed by Managers from the OHIO system. It will be possible for TEWV and CNTW staff to hold a copy of the report on their shared or personal drives. However, this will not be encouraged. PAM staff will never hold reports anywhere except on the OHIO system. TEWV – An exit plan will be agreed between North Tees, TEWV and PAM so that all appropriate information is transferred in a timely manner.
2.10 Will this information being shared outside the organisations listed above in question 3? If yes, describe who and why:
Associates are procured is a service is needed that PAM do not provide. PAM have provided details of contracts for current associates and will engage with TEWV and CNTW for any future procurements.
2.12 Does the system involve new links with personal data held in other systems or have existing links been significantly changed?
PAM will not connect to any TEWV or CNTW systems such as ESR
2.13 How will the information be kept up to date and checked for accuracy and completeness (data quality)? PAM will receive monthly reports from ESR outlining Trust hierarchy/staff list via a secure portal. This will identify where there have been staffing changes i.e. new starters, termination or moving departments etc. The record held by PAM will be updated accordingly. Monthly reports will not be linked to ESR automatically. Reports will be produced and shared via the PAM safe transfer protocol.
2.14 Who will have access to the information? (list individuals or staff groups) Operates with a hierarchy for access- there will be a legal separation between the data relating to each organisations ‘instance’ of PAM. For example, CNTW will not have access to any information relating to NTW S or TEWV employees. PAM staff and Workforce Planning Team will have access to the information within PAM. Referring managers will have access to reports and other relevant documentation via the portal (access with a username and password).
2.15 What security and audit measures have been implemented to secure access to and limit use of personal identifiable information?
![Page 9: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/9.jpg)
PAM Part 2 DPIA Ref: CSI075
Username and password for any members of staff to access information within PAM. The system is only accessed by a hierarchy as defined within ESR. Ie managers can only access their own staff. Full audit tables are available and can be interrogated should a question arise. However, they are not routinely monitored by PAM.
2.16 Will any information be sent offsite – i.e. outside of the organisation and its computer network?
PAM have a system for authorising 3rd party associates where their own staff cannot provide a service. A copy of the
information and contracts that they implement have been made available. Going forward TEWV and CNTW will
be made aware of proposed new associates and will be able to object to
their selection for their staff if appropriate.
2.17 Are you transferring personal data to a country or territory outside of the EEA or UK?
No
2.18 Please state by which method the information will be transferred?
Website access via PAMS OHIO portal.
2.19 Are disaster recovery and contingency plans (data and transfer) in place?
Yes reference is made to their
creation. 3rd party audit will check their appropriateness.
2.20 Is Mandatory Staff Training in place for the following? (please provide dates)
Data Collection:
Use of the System or Service:
Collecting Consent (if appropriate):
Information Governance:
Yes
Yes
PAM seek consent when they first see a staff member. Managers will always discuss a OH referral with staff prior to referral.
Yes – statutory training for NHS Orgs and CNTW S. contract requires PAM
staff to undertake IG training and
![Page 10: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/10.jpg)
PAM Part 2 DPIA Ref: CSI075
provide evidence.
2.21
Are there any new or additional reporting requirements for this
project?
Who will be able to run reports?
Who will receive the report or where will it be published?
Will the reports be in person-identifiable, pseudonymised or anonymised format?
Yes
PAM Workforce and OD staff/Managers Trust activity reports do not contain PID.
2.22 If this new/revised function should stop, are there plans in place for how the information will be retained / archived/ transferred or disposed of?
Yes – All records are held in line with NHS retention and disposal guidelines. When the contract comes to an end all
records will be returned to TEWV or the new provider and deleted securely
by PAM.
2.23 Will individuals be informed about the proposed uses of their personal data? (e.g. privacy notices)
Yes- privacy notices for NHS Orgs, generalised communication to be
distributed.
2.24 Are arrangements in place for recognising and responding to employee requests for access to their personal data?
Yes- information held by PAM will be signposted to PAM as data controller to process. Where it is data held by
NHS orgs, this will be dealt with in line with respective processes in place at
each Trust.
2.25 Will service users be asked for consent for their information to be
collected and/or shared? If no, list the reason for not gaining consent e.g. relying on an existing agreement, other legal basis, the
project has s251 approval or other.
No. For Trust and NTW S rely upon conditions for processing under the
Act. N/A
2.26 Will service user dissent be managed appropriately?
N/A
![Page 11: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/11.jpg)
PAM Part 2 DPIA Ref: CSI075
Data Mapping
Part 2
The collection, use and deletion of personal data should be described here and it may also
be useful to refer to a flow diagram or another way of explaining data flows.
NTW Solutions manage the recruitment process on behalf of the Trust. Individuals sent clearance form to complete and return electronically to OH. Clearance is given
electronically via secure portal to recruitment.
Managers make referrals direct to PAM for advice, absence mgmt etc, responses go back to manager via portal.
OHIO Information
Flows.xlsx
![Page 12: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/12.jpg)
PAM Part 2 DPIA Ref: CSI075
Data Protection Impact Assessment –
Assessment of Legal Compliance
Part 3
Does the PIA meet the following legal requirements? Please articulate how the principles
have been considered in respect of processing. If you have identified any limitations please
outline how these have or will be addressed.
Data Protection Legislation
Principle Assessment of Compliance
Principle 1 Lawful, transparent and fair
GDPR/DPA 2018 Article 6 1 B- performance of a contract to which the data subject is party. Article 6 1 C- legal obligation (Health and Safety Act ) Article 9 2 B- field of employment Common Law- consent / statutory obligation (failure to comply with duty of care to employees of organisations.
Principle 2 The purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.
Data will only ever used for the purpose for which it is provided.
Principle 3 Adequate, relevant and not excessive in relation to the purpose for which it is processed.
Only sufficient information to complete the request will be provided.
Principle 4 Must be accurate and, where necessary, kept up to date.
Data Quality principles will be embedded within all processes
Principle 5 Must be kept for no longer than is necessary for the purpose for which it is processed.
Retention and Destruction timeframes will be set
![Page 13: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/13.jpg)
PAM Part 2 DPIA Ref: CSI075
Principle 6 Must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.
A full assessment of organisational and technical security audit will be conducted by the Trusts and reviewed every 3 years. All parties will be responsible for updating each other if systems change or incidents occur.
Principle of Accountability The controller shall be responsible for, and be able to demonstrate compliance.
Compliance checks will be reviewed annually.
Common Law Duty of Confidentiality
Common Law Assessment of Compliance
Has the individual to whom the information relates given consent?
Yes (if possible)
Is the disclosure in the overriding public interest?
No
Is there a legal duty to do so, for example a court order
Yes – statutory duty of care to employment
Is there a statutory basis that permits disclosure such as approval under Section 251 of the NHS Act 2006
N/A
Human Rights Act 1998
The Human Rights Act establishes the right to respect for private and family life. Current
understanding is that compliance with the Data Protection Act and the common law of
confidentiality should satisfy Human Rights requirements.
Will your actions interfere with the right to privacy under Article 8? – have you identified the social need and aims of the project? Are your actions a proportionate response to the social need?
All Human Rights impacts in relation to a staff members rights under the HRA have been reviewed and compliance with DPA confirmed.
Stage 3- Identified Risks and Agreed Actions and Sign Off Forms
(To be completed in collaboration with the IG & Medico Legal Department)
![Page 14: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/14.jpg)
PAM Part 2 DPIA Ref: CSI075
Identified Risks, Agreed Actions
1. What are the key privacy issues and
associated compliance and corporate risks? (Some Privacy Issues may have more than
one type of risk i.e. it may be a risk to individuals and a corporate risk.
2. What is the likelihood and impact of the risk?
3. Describe the actions you could take to reduce the risk and any future steps which would
be necessary (e.g. new guidance)
4. Wherever sufficient measures cannot be put in place to mitigate, it is necessary to
consult with the Information Commissioners Office (ICO).
1. Risk/Privacy Issue
2. Severity 3. Measures Result: Is the risk reduced, eliminated or accepted?
Subcontractors without due authorisation
High Copies of contracts held with current associates have been provided. In future TEWV and CNTW will be involved with any additional associates.
Reduced
Lack of informing employees re how their data is to be used.
High Updated privacy notices for NHS Orgs, and also a generalised communication to be distributed.
Reduced
Reports may be downloaded from PAM and held on local drives
Medium Dives are secure but need to understand where all records are held about a person. 3rd Party audit will assess PAM system and then create instruction for staff
Accepted if processes in place
It is unclear whether PAM will connect directly to any NHS systems such as ESR
Medium No connection to ESR will be made at the moment. STP used is PAM
Eliminate
It is unclear if there are audit trails for Privacy monitoring of the system
Medium System relies on access controls and hierarchy. No formal audits are routinely conducted unless an incident or alert makes this necessary.
Reduced
It is unclear how High Safe Transfer Reduce
![Page 15: DATA PROTECTION IMPACT ASSESSMENT Are you implementing … › content › uploads › 2020 › 01 › ... · This clause will be in the contract. 2.6 Describe in as much detail why](https://reader033.vdocuments.mx/reader033/viewer/2022052803/5f1fb659e2851b644e61406a/html5/thumbnails/15.jpg)
PAM Part 2 DPIA Ref: CSI075
monthly reporting will work and who will have access to this function and the content of reports
Protocol will be used. Hosted by PAM.
The use of telephone recording is undertaken by PAM
Medium Callers are informed when the staff members make the call. PAM have a policy around the use of telephone recordings
Reduce
Sign Off
Data Protection Officer/Deputy Data Protection Officer – CNTW/NTW S
Name Angela Faill
Job Title Head of Information Governance & Medico-Legal/Data Protection Officer
Signature Angela Faill
Date 29 November 2019
Lead/Project Manager – CNTW/NTW S
Name Jacqueline Tate
Job Title Workforce Projects Manager
Signature
Date 16 October 2019
Data Protection Officer/Deputy Data Protection Officer - TEWV
Name Louise Eastham
Job Title Head of Information Governance/Data Protection Officer
Signature Louise Eastham
Date 16 January 2020
Lead/Project Manager - TEWV
Name Angela Collins/Lesley Hodge
Job Title Deputy Director of HR&OD/Senior HR Manager
Signature Angela Collins/Lesley Hodge
Date 29 November 2019