Section One (PIA Completion Guidance)
Clinical Commissioning Group Information Governance Guidance
TITLE: Privacy Impact Assessments
Document Number: IG40
Version Number: V1.0
Release Date: 25/09/2015
Document Authors: Paul Gardner, Head of Information Governance, NHS Nottingham City CCG, and Alexis Farrow, Information Governance Consultant, Arden and GEM CSU
Approved By: IGMT Committee
Document Location: G:\Rushcliffe CCG\Governance and Integration\Corporate Governance\Policies and procedures\APPROVED Rushcliffe CCG policies\Information Governance
Who should use this: All staff, especially those involved with service transformation and redesign or with secondary use of data for research or evaluation
Related policies: Confidentiality & Data Protection Policy, Information Security Policy and Records Management Policy
Why is a Privacy Impact Assessment (PIA) needed?
Privacy Impact Assessments (PIAs) are an integral part of new projects, or of significant changes to how data is processed, and enable a privacy by design approach.
“PIAs are a tool which can help organisations identify the most effective ways to comply with their data protection obligations and meet individuals’ expectations of privacy.”[1]
Privacy impact assessments can therefore be used to identify, evaluate and reduce the privacy risks of your project or activity. A PIA can reduce the risks of harm to individuals through the misuse of their personal information by identifying risks and ways to mitigate those risks. It can also help you design more efficient and effective processes for handling personal confidential data.
When is a PIA needed?
A project or activity which involves the processing of data must have a Privacy Impact Assessment (PIA) as part of the due diligence process. The completion of the PIA should be led by the project or activity lead as part of the overall project management process in consultation with key internal and external stakeholders. The PIA process should be scaled to fit the nature of the project; a PIA should be completed early in the life of a project but can run alongside the project development process.
For a CCG, a PIA is required when a project or activity:
· Leads to significant changes in the processing of person-identifiable data (PID) for which the Clinical Commissioning Group (CCG) is the ‘data controller’. This includes all information relating to employed staff and any patient-identifiable data held by the CCG (e.g. data received for performance management or data analysis and commissioning functions, outsourcing of business processes, changes to an existing system which involve the collection of new personal confidential data, changes within continuing healthcare, management of personal health budgets, complaints, safeguarding cases, medicines management, etc.).
· Involves the collection of new data where the CCG will be receiving or sending person-identifiable data (PID) about patients and/or staff.
· Is CCG led and will involve significant changes in the processing of PID by providers (e.g. commissioning of new services, transfer of services or decommissioning of a service).
· Is CCG led and will impact on the way GPs process or share PID (e.g. commissioning a new information sharing portal/solution, or providing guidance to GPs about sharing patient information).
What information do I need to provide in the PIA assessment template?
Stage 1
1. Information about the project and/or activity (including project documentation/attachments) - briefly explain the project aims, purpose and benefits to the organisation. Also outline the project rationale and approval process.
2. Description and details of the data affected (including frequency of transfers) - describe the data/data fields and identify whether it is personal confidential data; summarise whose records are being processed and how (e.g. transferred out due to a change of provider). State how many records are being processed (an approximation is fine, but an order of magnitude is required, e.g. ‘tens’, ‘hundreds’, ‘thousands’).
3. Data retention - the length of time that the records/information will be retained. Please refer to the NHS retention schedules (on the POD), consulting the IG Lead for advice if required. For example, will paper data be archived off-site, and where? What are the arrangements for destroying paper or electronic media containing data, or for deleting records?
4. Processing data for secondary use (not related to direct care) - does the objective mean that anonymised data can be used instead of personal identifiable/confidential data? Highlight whether the data will be:
a. Anonymised: all non-essential identifiable information removed. Risks of potential re-identification need to be considered, for example, small numbers in certain categories (for example, rare health conditions/combinations of health conditions, incidents relating to care, minority ethnic groups, transgender, etc).
b. Pseudonymised: as anonymised, except that this is usually used when data processing is at individual service user level to support risk stratification or pathway design. NHS numbers/identifiers and other non-essential information are replaced with a key to protect privacy and prevent identification.
c. Fully identifiable (PID): individuals are easily identifiable.
5. The organisations involved in the project or activity - please state the full legal names of the organisations that will be involved in sending or receiving data, will be signatories to any contract/information sharing agreement, or have a service level agreement with the CCG. These can be ‘grouped’ on the PIA template form and listed separately as an appendix/attachment, e.g. ‘GP practices’, ‘voluntary sector organisations’.
Include a contact for each organisation: the name of the project manager/lead on the request, their address if at a different base from the one in the organisation details, telephone and email.
6. Data security arrangements - if you are acting purely within a commissioning capacity and not receiving any data that is managed by providers, or if the only data involved is anonymised data being shared with organisations that have a legitimate reason to receive it, please highlight any security or risk considerations.
7. Information sharing agreement - even if the data is anonymised, please outline whether you have an information sharing agreement in place, or intend to put one in place, between the organisations involved in the project or activity.
Stage 2 (continue to complete the Stage 2 questions if the CCG is sending or receiving personal identifiable data, the project involves the collection of new data, the project is CCG led and involves significant changes in the processing of PID by providers, or the project is CCG led and will impact on the way GPs process or share PID)
8. Information/data flows - explain how information will be obtained, transferred, shared and retained; there may be several options to consider. It is useful to develop a flow diagram as a way of explaining data flows. You should also state how many individuals are affected by the project. Completing this process helps to identify ‘function creep’: unforeseen or unintended uses of data.
9. Collection of new personal confidential data, or compelling individuals to provide data - please describe whether any new data will be collected as a result of the project or activity. Also outline whether individuals will be compelled to provide personal confidential data.
10. Data sharing with organisations that did not previously have routine access to the information - highlight any new organisations that may be sending or receiving data as a result of the project or activity. Remember that organisations hosting data should also be recorded as organisations with access to the information.
11. Use of data for a purpose different from that for which it was originally collected - in line with the Data Protection Act 1998, data should not be used for another purpose without seeking additional approval or consent from the organisation providing the data or from the individual(s). Confirm whether the intended purpose is the same as when the data was collected.
12. Legal basis (e.g. consent) and contacting data subjects - confirm whether you have consent from the data subjects to use their information in this way; explicit consent can be verbal or written and must be recorded to be valid. If you don’t have consent, what legal basis are you relying on to process personal confidential data?
13. Additional security measures to protect personal confidential or pseudonymised data - outline all the appropriate security measures that will be in place to protect the data involved. These should meet NHS and industry standards and be consistent with organisational policies and procedures.
14. Impact of decisions brought about by the project or activity (including positive and adverse impacts) - details of the benefits expected from meeting the objectives. These can be anything from improved services, improved knowledge/learning, financial savings to the CCG and the social care economy, etc. They can also include the impact of not doing the project/processing.
15. Identify privacy and related risks - record the risks to individuals, including intrusions on privacy where appropriate. Assess the corporate risks, including regulatory action, reputational damage and loss of public trust. As part of the risk rating, consider the likelihood and severity of the privacy risks. Refer to the CCG risk management policy and guidance. Consider whether the risk needs to be recorded on the organisational risk register.
16. Staff or service user consultation - ensure you document who you have consulted with, internally and externally, and who you will consult with as part of the project or activity. If you don’t intend to consult stakeholders, the rationale for this should be documented here.
Stage 3 (once you have completed Stage 2 of the PIA, it should be sent to your IG Lead for review and comment)
17. Approval/sign-off and recording of PIA outcomes - obtain appropriate senior-level sign-off; this should be from the Senior Information Risk Owner (SIRO) or the Caldicott Guardian. For smaller projects the Caldicott Guardian or SIRO may delegate decisions to the IG Lead. Complete and manage the action plan and privacy solutions (where appropriate). Consider publication of the PIA template. A PIA report or summary should be made available to appropriate stakeholders.
The boxes (in Section 3 of the PIA template) for IG Lead, Caldicott Guardian and SIRO recommendations will only be used at the ‘final draft’ stage: before this point, any reviews will be discussed through project meetings, fed back informally, or provided via track changes, as appropriate to the size and scale of the project.
It is the Project Manager’s responsibility to track changes through project and change management processes appropriate to the size and scale of the project.
18. Completion and management of the action plan and privacy solutions - identify the risks and evaluate privacy solutions. Integrate the PIA outcomes back into the project. The aim is to reduce the impact to an acceptable level while still allowing a useful project or activity to be implemented. Part of this assessment may consider the costs and benefits of each approach. The action plan should be referred back to continually until all actions are complete or you are satisfied with the overall privacy impact. Ensure all adverse impacts are addressed and that the steps/actions recommended by the PIA are implemented and recorded. The PIA is a living document and should be revisited if the project or activity is reviewed or expanded in the future.
19. Information Sharing Agreement, Data Processing Agreement, Contract and/or Records Transfer Agreement - in discussion with the IG Lead, consider whether such documents need to be developed and put in place between all organisations involved in the project or activity.
Where can I seek further advice and support with completing a PIA?
Please contact your Information Governance Lead for further advice and support in completing the PIA.
[1] Conducting Privacy Impact Assessments Code of Practice, Information Commissioner’s Office, February 2014.