A group of Local Authority IG officers, data protection officers and other officers met over a number of weeks and arrived at the data risk table with mitigations given below.
Identify risks, assess them and identify measures to reduce risks

Identifying privacy risks to the data subjects (the people the information is about) is the key part of a Data Protection Impact Assessment. This is where we identify the risks, assess their severity and propose solutions to the problems.
• Try to put yourself in the shoes of the person you are collecting data about: would you object or have concerns?
• What can you envisage going wrong in the project? How might data be lost or misused, for example?

Each risk below is recorded against the columns of the DPIA risk table:
• Risk: describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.
• Likelihood of Harm: Remote / Possible / Probable
• Severity of Harm: Minimal / Significant / Severe
• Overall Risk: Low / Medium / High
• Measures: identify measures you could take to reduce or eliminate risks
• Effect on Risk: Eliminated / Reduced / Accepted
• Residual Risk: Low / Medium / High
• Measure Approved: Yes / No
Risk: Failure to keep clients informed about how their data will be used could lead to a breach of Articles 13 and 14 of the GDPR. The current example Privacy Notice embedded in the Data Sharing Agreement includes elements and processes that do not comply with the provisions of the Data Protection Act.
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: Medium
Measures:
• The example Privacy Notice from NHSX legally meets the terms of the COPI notice for COVID-19. This Tier 2 Data Sharing Agreement is governed under the COVID-19 COPI notice.
• It is at the discretion of any partner organisation in the sharing agreement to add to the privacy notice. This would further meet GDPR Article 13(3), beyond the COPI notice under which this DSA is covered.
• The management of the four levels of data (patient identifiable; pseudonymised; pseudonymised and non-reidentifiable; and anonymised/aggregate) is set out in the Tier 2 data sharing agreement.
• The fair processing required for a solution of this type is the privacy notice. Each organisation's website should be updated to inform data subjects that the programme is in place and of the legal basis being used to share data.
• Consideration should be given to the use of both local media and existing communications channels to ensure transparency.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to have processes in place to facilitate the following data protection rights requests could result in a breach of Articles 15, 16, 18 and 21 of the GDPR:
• Right of Access
• Right to Rectification
• Right to Restrict Processing
• Right to Object
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: High
Measures:
• Each Data Controller is accountable under GDPR and will have its own measures in place to meet the eight Rights of Data Subjects.
• If a Data Subject of any partner organisation wishes to exercise or challenge one of their Rights, they would do so with their provider organisation(s).
• Each Data Controller will remain responsible and accountable under GDPR for its clients.
• The host Trust of the platform, St Helens and Knowsley Teaching Hospitals NHS Trust, has in place its data processing and cyber policies and procedures to maintain the rights of the data subjects.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to ensure that the supplier is compliant with Government and National Cyber Security Standards for cloud-based computing could lead to a breach of our security obligations under Article 32 of the GDPR.
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: High
Measures:
• Data will be stored on 'Azure cloud', which is compliant with Information Governance standards and is safe and secure. Azure is assessed to ISO 27001, ISO 27017, ISO 27018 and many other internationally recognised standards. The scope and proof of certification and assessment reports are published on the Azure Trust Centre section for ISO certification here: https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec27001. The ISO 27001 assessment was performed by the BSI.
• SystemC and Graphnet Health Ltd comply with the 13 infrastructure-as-a-service (IaaS) principles and are accredited as such, e.g. Cyber Essentials.
• Details are available on request and are contained within the "CareCentric population health cloud assurance" document.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to define the process by which direct care providers outside an LA area can access the records of patients outside their area could result in data being accessed inappropriately, leading to a Data Protection Act Section 170 offence.
Likelihood of Harm: Possible
Severity of Harm: Severe
Overall Risk: High
Measures (the following processes are in place):
• The supplier defines rigorous role-based access control (RBAC) protocols to ensure access to data is limited to those authorised, and maintains a register of RBAC.
• The supplier maintains an audit trail of access to data sources.
• The programme controls access to data assets through a 'Data Asset and Access Group' to ensure only legitimate access is granted to individual projects (use-cases). This is linked to the RBAC process.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to have security processes in place to stop partners with access to patient identifiable data from accessing the portal from their own personal devices could result in a breach of each partner's security obligations under Article 32 of the GDPR.
Likelihood of Harm: Possible
Severity of Harm: Severe
Overall Risk: High
Measures (the following mitigating processes are in place):
• Personal identifiable data can only be made available (re-identified) using the existing and approved 'pseudo at source' mechanism through the Data Services for Commissioners Regional Offices (DSCRO). This mechanism is obligated through the contract with the supplier.
• Through the RBAC processes, and prior to approval to access any data, those regional intelligence teams that can legitimately re-identify data using pseudo at source will be obliged to evidence their own procedures to ensure that personal identifiable information will not be accessible through personal devices.
• Access to the data storage service is based on the best practice of whitelisting specific IP address ranges; this will reduce the risk of access via personal devices.
• When the service is accessed, all actions are recorded within the audit trail.
• Access to local networks, whether direct or via virtual private network (VPN), will be subject to the acceptable usage policy of the organisation that the person making access works for. Each individual will be subject to the policies and procedures outlined by their employer.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to have a process in place to audit access to patient identifiable data could result in a breach of our security obligations under Article 32.
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: High
Measures (the following mitigations are in place):
• The Azure SQL environment logs all SQL queries that take place against the data marts, to provide an audit trail of what identifiable data has been accessed and by whom.
• Requests for re-identification of cohorts through the Web Client application are recorded separately and will be provided on a regular basis to the CIPHA board.
• Access to the data will be subject to approval from the data controllers. The existing change control process would approve access and grant permissions.
• All activity reports are available as outlined above and would be provided to assist audit. Audit process and timeframes will be specific to each organisation.
• The programme controls access to data assets through a 'Data Asset and Access Group' to ensure only legitimate access is granted to individual projects (use-cases).
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to ensure adequate controls are in place so that de-identified data cannot be re-identified could result in disclosure of personal information leading to a data breach, and could lead to a breach of our security obligations in relation to anonymisation / pseudonymisation processes under Article 32.
Likelihood of Harm: Remote
Severity of Harm: Severe
Overall Risk: High
Measures:
Direct Care data marts hold the full PID along with field-level configuration for both anonymisation and sensitive clinical coding reference data. Stored procedures query tables using the field-level configuration to anonymise data at the point of extract. An SSIS package cross-references data with sensitive clinical coding to further remove restricted data. Fully anonymised data is written to the research data mart in the same format as the direct care source. Key masking uses a customer-specific SALT value + SHA2_256 hashing.
Security
• Separate cloud security helpdesk with one request per user
• IP addresses must be whitelisted for access to data marts
• Azure AD named user access must be used
• Data access can be controlled by mirroring CareCentric RBAC configuration
• Full SQL row-level security
• Unique RBAC groups can be implemented within the analytics solution if required
Anonymisation
• Source is the Direct Care mart holding all data
• Data is copied to the Anonymised mart
• Sensitive Clinical Codes stripped out in flight
• Field-level configuration for anonymisation:
  ◦ No change
  ◦ Blank
  ◦ Truncate
  ◦ Mask Dates
• Key fields undergo one-way encryption, maintaining referential integrity
Pseudonymisation
• Source is the Direct Care mart holding all data
• Data is copied to the Pseudonymised mart
• Opted-out patients and Sensitive Clinical Codes stripped out in flight
• Field-level configuration for pseudonymisation:
  ◦ No change
  ◦ Blank
  ◦ Truncate
  ◦ Mask Dates
• Tokenised IDs can be re-identified:
  ◦ National DE ID / RE ID or encrypted local values
  ◦ Secured data table which stores the mapping
  ◦ User interface to re-identify
• Key fields undergo two-way encryption, maintaining referential integrity
A white box penetration test has been completed, with a black box full test scheduled for 2020.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
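The anonymisation and pseudonymisation pipeline described above, as an added Python example that is not the supplier's or the programme's own code: it applies a field-level configuration (no change, blank, truncate, mask dates), strips sensitive clinical codes in flight, hashes key fields with a customer-specific SALT + SHA-256 for the anonymised mart, and for the pseudonymised mart drops opted-out patients and replaces keys with tokens held in a secured mapping table so they can be re-identified. The salt, field configuration, sensitive codes, opt-out list and sample record are constructed assumptions, and the mapping table stands in for the two-way encryption the page mentions.

```python
import hashlib
import secrets
# Constructed example data, not real patient records: CUSTOMER_SALT stands in
# for the customer-specific SALT and every other value here is an assumption.
CUSTOMER_SALT = "constructed-example-salt"
SENSITIVE_CODES = {"SENS-1"}      # restricted clinical codes, stripped in flight
OPTED_OUT = {"P002"}              # patients who must not reach the pseudonymised mart
FIELD_CONFIG = {"patient_id": "key", "name": "blank", "postcode": "truncate",
                "dob": "mask_dates", "codes": "no_change"}
ACTIONS = {                       # the field-level options listed in the DPIA
    "blank": lambda v: "",
    "truncate": lambda v: v.split()[0],     # e.g. keep only the outward postcode
    "mask_dates": lambda v: v[:7] + "-01",  # keep year and month, mask the day
    "no_change": lambda v: v,
}

def hash_key(value, salt=CUSTOMER_SALT):
    """One-way key masking (SALT + SHA-256): deterministic, so joins still work,
    but the salt must stay secret or the hash can be reversed by guessing inputs."""
    return hashlib.sha256((salt + value).encode()).hexdigest()

def apply_field_config(record, key_fn):
    """Apply FIELD_CONFIG to one record; key fields are transformed by key_fn."""
    out = {f: (key_fn(v) if FIELD_CONFIG[f] == "key" else ACTIONS[FIELD_CONFIG[f]](v))
           for f, v in record.items()}
    out["codes"] = [c for c in record["codes"] if c not in SENSITIVE_CODES]
    return out

def anonymise(record):
    """Direct Care mart -> Anonymised mart: there is no route back from the key."""
    return apply_field_config(record, hash_key)

class PseudoMapping:
    """Stand-in for the secured table that maps tokens back to identifiers."""
    def __init__(self):
        self.to_token, self.to_id = {}, {}
    def token_for(self, patient_id):
        if patient_id not in self.to_token:   # same patient always gets the same token
            tok = secrets.token_hex(8)
            self.to_token[patient_id], self.to_id[tok] = tok, patient_id
        return self.to_token[patient_id]
    def reidentify(self, token):
        return self.to_id[token]

def pseudonymise(record, mapping):
    """Direct Care mart -> Pseudonymised mart: drop opted-out patients, tokenise keys."""
    if record["patient_id"] in OPTED_OUT:
        return None
    return apply_field_config(record, mapping.token_for)
```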
Risk: Failure to have a process in place to verify, audit and test the merging of data from multiple data sources, to ensure that data is matched correctly and that a data breach does not occur.
Likelihood of Harm: Remote
Severity of Harm: Severe
Overall Risk: High
Measures:
Graphnet merges data into its longitudinal patient record based on the patient NHS Number, name and date of birth. Where the NHS number is a verified number, the match is made on this. If this is not the case, the three items described above are used. Reports are available that outline the match success, and Graphnet have performed audits for clients to ensure data integrity. The tools available to clients are designed to support the ongoing data quality process, which is the responsibility of each data controller.
Effect on Risk: Eliminated
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to provide or develop a process or technical solution to facilitate clients opting out of their data being shared could lead to a breach of the Common Law Duty of Confidence, the Data Protection Act and the Human Rights Act.
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: High
Measures:
Type 1 opt-outs (those who do not want their information shared outside of General Practice for purposes other than direct care) will be upheld. This means that data for people who have objected to sharing their data will not flow from the GP record into the Graphnet solution.
Once the national solution for opt-out is live with NHSD, these patients will automatically be removed from the data mart. This removal includes all data sources. The ability to opt out of direct patient care would only be instigated subject to a successful application by the data subject under Article 21 of the GDPR.
Effect on Risk: Eliminated
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to ensure that a process is in place to remove a client's data when the partner has closed the record on their systems could result in data being retained inappropriately.
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: High
Measures:
The Records Management Code of Practice for Health and Social Care 2016 sets out what people working with or in NHS organisations in England need to do to manage records correctly. It is based on current legal requirements and professional best practice.
All organisations that contribute to the solution will be governed by the above.
Each organisation will have its own records management policy and will define both the duration of retention and the removal policy.
The data processor will hold data in line with the contract terms. All data will be returned and purged at contract end, or as set out in the contractual terms.
Effect on Risk: Reduced
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to ensure that the appropriate international transfer safeguards are in place, should the data be stored on servers outside of the UK, could result in a breach of Articles 44-56.
Likelihood of Harm: Remote
Severity of Harm: Significant
Overall Risk: High
Measures:
The supplier, Graphnet Health, is a UK-based company. All data is stored in the UK and there is no server storage outside of the UK. All information can be found in the CareCentric population health cloud assurance document.
Effect on Risk: Eliminated
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)
Risk: Failure to define the retention of closed records data on the system could result in data being held on the portal inappropriately.
Likelihood of Harm: Possible
Severity of Harm: Significant
Overall Risk: Medium
Measures:
The Records Management Code of Practice for Health and Social Care 2016 sets out what people working with or in NHS organisations in England need to do to manage records correctly. It is based on current legal requirements and professional best practice.
Each organisation that contributes to the solution will have a record retention policy. The elements of the record, when combined, create a holistic view of a care recipient's journey. As a result, this new combined record would be retained for the duration of the longest term for which the record is retained within the social care community. If the contract is continued beyond March 2021, then the retention period for the combined record will be subject to an agreement from the social care providers.
Effect on Risk: Eliminated
Residual Risk: Low
Measure Approved: Choose an item. (form field not completed)