
PAM Part 2 DPIA Ref: CSI075

DATA PROTECTION IMPACT ASSESSMENT

Data Protection Impact Assessment Flowchart

Are you implementing a new system, or service, or changing the way you work?

Note: where no personal identifiable information is used, a DPIA is not necessary.

Stage 1 – DPIA Screening Process: please provide project details and answer the ten screening questions to determine whether there is a high risk to personal data and a DPIA is required.

If a full DPIA is not required, please retain a copy of the screening questions with the project documentation and send a copy to the IG Department (e-mail: [email protected]).

Stage 2 – If a full DPIA is required, please complete Part 1 and Part 2 of this document. Please note you may wish to provide supporting information, e.g. contract, system specification, consent forms.

Send the completed Part 1 and 2 of the DPIA to the IG Department for review (e-mail: [email protected]). The IG Team will complete Part 3, Assessment of Compliance.

Stage 3 – The IG Team will contact the project lead to collaboratively complete Stage 3. If necessary, an action plan will be produced in conjunction with the IG Department.

All stages of the DPIA together with any necessary action plans are sent for approval by the Data Protection Officer.

Where the project changes what data it is using, the way it is using data etc., a review of the DPIA should be conducted with a new DPIA as appropriate.


DATA PROTECTION IMPACT ASSESSMENT – Transfer of OH contract to PAM Part2

Full DPIA

This Data Protection Impact Assessment must be completed wherever there is a change to an existing process or service, a new process or information asset is introduced that is likely to involve a new use or significantly changes the way in which personal data is handled, or there is a change in the type or volume of personal data.

PIA Reference (Dept – Project Title): CNTW, TEWV, NTW S Occupational Health PAM

Project Description: People Asset Management (PAM) Ltd – Occupational Health and Employee Assistance Programme (EAP) service to Trust staff

Implementing Organisation: Cumbria, Northumberland, Tyne and Wear NHS Trust, Tees and Esk Wear Valley NHS Foundation Trust and NTW Solutions (excludes Cumbria region staff until April 2020)

Project Manager details:

CNTW/NTW Solutions
Name: Jacqueline Tate
Designation: Workforce and OD
Contact details: Ashgrove, St Nicholas Hospital, Jubilee Road, Gosforth. Tel 0101 2456816

TEWV
Name: Angela Collins
Designation: Deputy Director of HR
Contact details: Flatts Lane. Tel: 01642 516410

Overview: (Summary of the proposal) What the project aims to achieve

PAM will be providing a full OH and EAP service to the organisations above. The service will include pre-employment checks, management referrals, management advice, health surveillance, immunisations and vaccinations, EAP and physiotherapy. This DPIA is completed to look at the sharing of information by the Trust to PAM and vice versa.

State the purpose of the project – e.g. patient treatment, administration, audit, research etc.

Provision of Occupational Health Service and Counselling, plus advice and reporting information to managers (NB. In relation to CNTW, does not include Cumbria locality at this time).

Key stakeholders (including contact details):
- People Asset Management Ltd
- Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust
- Tees and Esk Wear Valley NHS Foundation Trust
- NTW Solutions

Implementation Date: 1 December 2019


Stage 1 – Initial Screening Questions

A Data Protection Impact Assessment (DPIA) must be carried out where the proposed processing of personal data is likely to result in a high risk to the rights and freedoms of those to whom the personal data relates. Please answer the ten screening questions below to identify the appropriateness of a DPIA:

1.1 Will the process involve evaluating or scoring (including profiling and predicting) information relating to the data subject? For example, evaluating the individual's performance at work, economic situation, health, personal preferences or interests, reliability or behaviours, location or movements? This could include offering genetic tests to patients in order to assist and predict health risks.
Answer: Yes

1.2 Does the processing involve automated decision making (i.e. will a decision be made solely by automated means without any human involvement)? If so, will the automated decision making produce a legal or similar significant effect on the data subject?
Answer: No

1.3 Are you performing systematic monitoring of data subjects, including in a publicly accessible area? For example, through CCTV?
Answer: No. PAM use telephone recording and will require a policy to describe how this information is held, processed and retained (see risks below).

1.4 Does the processing involve sensitive data such as: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; information relating to an individual's sex life or sexual orientation; or criminal offences?
Answer: Yes – health data of staff

1.5 Is the data being processed on a large scale? For example: does the personal data relate to a large number of individuals; does the personal data involve a large volume of data and/or a range of different data items being processed; will the processing be carried out on a medium to long term basis; or will the processing be carried out over a large geographical scale?
Answer: Yes. Relates to all staff. PAM will hold this data for the duration of the contract.

1.6 Will personal data be matched or combined with other datasets? For example, are you combining different sets of personal data that have been processed for different purposes?
Answer: No

1.7 Does the personal data being processed relate to vulnerable data subjects? For example, will it involve the use of information relating to employees, children or patients?
Answer: Yes – employees

1.8 Does the processing involve new or innovative technologies or organisational solutions? For example, combining use of fingerprint and facial recognition?
Answer: No

1.9 Will personal data be transferred outside the UK?
Answer: No

1.10 Will the processing itself prevent data subjects from exercising a right or using a service or a contract? This includes where processing is being undertaken in a public area that people passing by cannot avoid, or processing that is aimed at allowing, modifying or refusing individuals access to a service or contract.
Answer: No

If you have answered “Yes” to two or more of the questions above please proceed and complete Stage 2.


Stage 2 – Data Protection Impact Assessment

Part 1

2.1 Is this a new or changed use of personal information that is already collected?

Changed – new provider will be carrying out the service previously provided by Team Prevent and Care First (North Tees for TEWV).

2.2 What data will be collected?

Administration data:
- Forename: Yes
- Surname: Yes
- DoB: Yes
- Age: Yes
- Gender: Yes
- Address: Yes
- Postcode: Yes
- NHS No: No
- Another unique identifier (please specify): N/A
- Other data (please specify): Sensitive data – Yes – health information

Sensitive data:
- Racial or ethnic origin: No
- Political opinion: No
- Religious belief: No
- Trade Union membership: No
- Physical or mental health or condition: Yes
- Sexual life: No
- Commission or alleged commission of an offence: No
- Proceedings for any offence committed or alleged: No

Will the dataset include clinical data? No (information may be requested with permission of the staff member but would not be provided by the referring manager)

Will the dataset include financial data? No (as above)

Description of other data collected: Referrals and information retained by PAM may include special category personal data (as above). There is a clear separation (legal separation within one system) between the instances of PAM relating to the different organisations identified within this DPIA.

2.3 Are other organisations involved in processing the data?

No. If yes, list below:


Name and Notification Number | Data Controller (DC) or Data Processor (DP)? | IG Toolkit completed and compliant (Y/N) | Overall Rating
PAM | DC | Y | Top grade 95% pass; ISO 27001 compliant (provided proof of accreditations with some gaps)
CNTW | DC | Y | Fully met (action plan)
TEWV | DC | Y | Fully met (no action plan)
NTWS | DC | Y | Fully met (action plan)

Note: Where the processing is wholly or partly performed by any identified data processor, the data processor should assist the Trust in carrying out the DPIA.

2.4 Has a data flow mapping exercise been undertaken? If yes, please provide a copy (template attached); if no, please undertake Part 2.

Yes – attached at Part 2.

2.5 Does the work involve employing contractors external to the Organisation?

Yes – associates are procured as needed. Information about current arrangements has been provided and PAM will engage with TEWV and CNTW for all future associate procurements. This clause will be in the contract.

2.6 Describe in as much detail as possible why this information is being collected/used.

- Managers make an online referral for support and a health opinion.
- Staff complete a health questionnaire so an assessment of fitness for employment can be undertaken.
- Management receive trend information about reasons for referrals.

2.7 Is the information being used for a different purpose than it was originally collected for?

No

2.8 Will the information be collected electronically, on paper or both?

Electronic only

2.9 Where will the information be stored?

Electronically by PAM on designated secure servers. Reports will be accessed by managers from the OHIO system. It will be possible for TEWV and CNTW staff to hold a copy of the report on their shared or personal drives; however, this will not be encouraged. PAM staff will never hold reports anywhere except on the OHIO system. TEWV: an exit plan will be agreed between North Tees, TEWV and PAM so that all appropriate information is transferred in a timely manner.

2.10 Will this information be shared outside the organisations listed above in question 2.3? If yes, describe who and why:

Associates are procured if a service is needed that PAM do not provide. PAM have provided details of contracts for current associates and will engage with TEWV and CNTW for any future procurements.

2.12 Does the system involve new links with personal data held in other systems, or have existing links been significantly changed?

PAM will not connect to any TEWV or CNTW systems such as ESR.

2.13 How will the information be kept up to date and checked for accuracy and completeness (data quality)?

PAM will receive monthly reports from ESR outlining the Trust hierarchy/staff list via a secure portal. This will identify where there have been staffing changes, i.e. new starters, terminations or moves between departments. The record held by PAM will be updated accordingly. Monthly reports will not be linked to ESR automatically; reports will be produced and shared via the PAM safe transfer protocol.

2.14 Who will have access to the information? (list individuals or staff groups)

The system operates with a hierarchy for access. There will be a legal separation between the data relating to each organisation's ‘instance’ of PAM; for example, CNTW will not have access to any information relating to NTW S or TEWV employees. PAM staff and the Workforce Planning Team will have access to the information within PAM. Referring managers will have access to reports and other relevant documentation via the portal (access with a username and password).

2.15 What security and audit measures have been implemented to secure access to and limit use of personal identifiable information?

Username and password for any member of staff to access information within PAM. The system is only accessed by a hierarchy as defined within ESR, i.e. managers can only access their own staff. Full audit tables are available and can be interrogated should a question arise; however, they are not routinely monitored by PAM.

2.16 Will any information be sent offsite, i.e. outside of the organisation and its computer network?

PAM have a system for authorising 3rd party associates where their own staff cannot provide a service. A copy of the information and contracts that they implement has been made available. Going forward, TEWV and CNTW will be made aware of proposed new associates and will be able to object to their selection for their staff if appropriate.

2.17 Are you transferring personal data to a country or territory outside of the EEA or UK?

No

2.18 Please state by which method the information will be transferred.

Website access via PAM's OHIO portal.

2.19 Are disaster recovery and contingency plans (data and transfer) in place?

Yes – reference is made to their creation. A 3rd party audit will check their appropriateness.

2.20 Is Mandatory Staff Training in place for the following? (please provide dates)

Data Collection: Yes
Use of the System or Service: Yes
Collecting Consent (if appropriate): PAM seek consent when they first see a staff member. Managers will always discuss an OH referral with staff prior to referral.
Information Governance: Yes – statutory training for NHS Orgs and CNTW S. The contract requires PAM staff to undertake IG training and provide evidence.

2.21 Are there any new or additional reporting requirements for this project? Who will be able to run reports? Who will receive the report or where will it be published? Will the reports be in person-identifiable, pseudonymised or anonymised format?

Yes. PAM Workforce and OD staff/Managers. Trust activity reports do not contain PID.

2.22 If this new/revised function should stop, are there plans in place for how the information will be retained, archived, transferred or disposed of?

Yes – all records are held in line with NHS retention and disposal guidelines. When the contract comes to an end all records will be returned to TEWV or the new provider and deleted securely by PAM.

2.23 Will individuals be informed about the proposed uses of their personal data? (e.g. privacy notices)

Yes – privacy notices for NHS Orgs; generalised communication to be distributed.

2.24 Are arrangements in place for recognising and responding to employee requests for access to their personal data?

Yes – information held by PAM will be signposted to PAM as data controller to process. Where it is data held by NHS orgs, this will be dealt with in line with the respective processes in place at each Trust.

2.25 Will service users be asked for consent for their information to be collected and/or shared? If no, list the reason for not gaining consent, e.g. relying on an existing agreement, other legal basis, the project has s251 approval or other.

No. The Trust and NTW S rely upon conditions for processing under the Act. N/A

2.26 Will service user dissent be managed appropriately?

N/A


Data Mapping

Part 2

The collection, use and deletion of personal data should be described here, and it may also be useful to refer to a flow diagram or another way of explaining data flows.

NTW Solutions manage the recruitment process on behalf of the Trust. Individuals are sent a clearance form to complete and return electronically to OH. Clearance is given electronically via a secure portal to recruitment.

Managers make referrals directly to PAM for advice, absence management etc.; responses go back to the manager via the portal.

Attachment: OHIO Information Flows.xlsx


Data Protection Impact Assessment – Assessment of Legal Compliance

Part 3

Does the PIA meet the following legal requirements? Please articulate how the principles have been considered in respect of processing. If you have identified any limitations, please outline how these have been or will be addressed.

Data Protection Legislation

Principle / Assessment of Compliance

Principle 1 – Lawful, transparent and fair
GDPR/DPA 2018 Article 6(1)(b) – performance of a contract to which the data subject is party. Article 6(1)(c) – legal obligation (Health and Safety Act). Article 9(2)(b) – field of employment. Common law – consent / statutory obligation (failure to comply with duty of care to employees of organisations).

Principle 2 – The purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.
Data will only ever be used for the purpose for which it is provided.

Principle 3 – Adequate, relevant and not excessive in relation to the purpose for which it is processed.
Only sufficient information to complete the request will be provided.

Principle 4 – Must be accurate and, where necessary, kept up to date.
Data quality principles will be embedded within all processes.

Principle 5 – Must be kept for no longer than is necessary for the purpose for which it is processed.
Retention and destruction timeframes will be set.


Principle 6 – Must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.
A full organisational and technical security audit will be conducted by the Trusts and reviewed every 3 years. All parties will be responsible for updating each other if systems change or incidents occur.

Principle of Accountability – The controller shall be responsible for, and be able to demonstrate, compliance.
Compliance checks will be reviewed annually.

Common Law Duty of Confidentiality

Common Law / Assessment of Compliance

Has the individual to whom the information relates given consent?
Yes (if possible)

Is the disclosure in the overriding public interest?
No

Is there a legal duty to do so, for example a court order?
Yes – statutory duty of care to employees

Is there a statutory basis that permits disclosure, such as approval under Section 251 of the NHS Act 2006?
N/A

Human Rights Act 1998

The Human Rights Act establishes the right to respect for private and family life. Current understanding is that compliance with the Data Protection Act and the common law of confidentiality should satisfy Human Rights requirements.

Will your actions interfere with the right to privacy under Article 8? Have you identified the social need and aims of the project? Are your actions a proportionate response to the social need?

All Human Rights impacts in relation to a staff member's rights under the HRA have been reviewed and compliance with the DPA confirmed.

Stage 3 – Identified Risks and Agreed Actions and Sign Off Forms

(To be completed in collaboration with the IG & Medico Legal Department)


Identified Risks, Agreed Actions

1. What are the key privacy issues and associated compliance and corporate risks? (Some privacy issues may have more than one type of risk, i.e. it may be a risk to individuals and a corporate risk.)
2. What is the likelihood and impact of the risk?
3. Describe the actions you could take to reduce the risk and any future steps which would be necessary (e.g. new guidance).
4. Wherever sufficient measures cannot be put in place to mitigate, it is necessary to consult with the Information Commissioner's Office (ICO).

Risk/Privacy Issue | Severity | Measures | Result: is the risk reduced, eliminated or accepted?

Subcontractors without due authorisation | High | Copies of contracts held with current associates have been provided. In future TEWV and CNTW will be involved with any additional associates. | Reduced

Lack of informing employees re how their data is to be used. | High | Updated privacy notices for NHS Orgs, and also a generalised communication to be distributed. | Reduced

Reports may be downloaded from PAM and held on local drives. | Medium | Drives are secure but need to understand where all records are held about a person. 3rd party audit will assess the PAM system and then create instructions for staff. | Accepted if processes in place

It is unclear whether PAM will connect directly to any NHS systems such as ESR. | Medium | No connection to ESR will be made at the moment. The STP used is PAM's. | Eliminated

It is unclear if there are audit trails for privacy monitoring of the system. | Medium | System relies on access controls and hierarchy. No formal audits are routinely conducted unless an incident or alert makes this necessary. | Reduced

It is unclear how monthly reporting will work and who will have access to this function and the content of reports. | High | Safe Transfer Protocol will be used. Hosted by PAM. | Reduced

The use of telephone recording is undertaken by PAM. | Medium | Callers are informed when the staff members make the call. PAM have a policy around the use of telephone recordings. | Reduced

Sign Off

Data Protection Officer/Deputy Data Protection Officer – CNTW/NTW S
Name: Angela Faill
Job Title: Head of Information Governance & Medico-Legal/Data Protection Officer
Signature: Angela Faill
Date: 29 November 2019

Lead/Project Manager – CNTW/NTW S
Name: Jacqueline Tate
Job Title: Workforce Projects Manager
Signature:
Date: 16 October 2019

Data Protection Officer/Deputy Data Protection Officer – TEWV
Name: Louise Eastham
Job Title: Head of Information Governance/Data Protection Officer
Signature: Louise Eastham
Date: 16 January 2020

Lead/Project Manager – TEWV
Name: Angela Collins/Lesley Hodge
Job Title: Deputy Director of HR&OD/Senior HR Manager
Signature: Angela Collins/Lesley Hodge
Date: 29 November 2019