Search the DPIA Q&A
Firewall
Our managed server comes with a firewall that allows access only to specific ports that are required for applications to function.
System admin login
For our Admin users, rate-limiting for SSH and SFTP logins is a simple yet effective method to dealing with brute-force login attacks.
Access to our platform is protected with industry standard Two-Factor Authentication (2FA) to strengthen platform security and minimize the incidents of unauthorized access to user account.
Definitions and Glossary
Definitions
DPIA Data Protection Impact Assessment
UK GDPR UK General Data Protection Regulations
ICO Information Commissioners Office
DPO Data Protection Officer
Glossary
Anonymisation
Anonymisation is the process of rendering data into a form which does not identify individuals, and where identification is not likely to take place. By definition, anonymised data do not relate to a particular individual any more than they relate to anyone else in the underlying population.
Biometric data
‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (finger print) data;
Business sensitive data
“Business sensitive” relates to information and documentation which is created, that requires confidentiality due to the legal, ethical or commercial content. Information that, if disclosed, could prejudice, or cause reputational or financial damage to an organisation.
Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Cyber Essentials
A government accredited set of basic technical controls to help organisations protect themselves against common online security threats. The scheme enables organisations to gain one or two Cyber Essential badges and is suitable for organisations of any size, in any sector https://www.cyberessentials.ncsc.gov.uk/
Data portability
‘The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability’.
Genetic data
‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
ISO 27001
ISO 27001 is the international standard that provides specification for best-practice information security management systems (ISMS). It provides a certificated accreditation and is supported by a code of practice for information security management.
Lawful basis for processing
The lawful bases for processing are set out in Article 6 of the General Data Protection Regulations. At least one of the lawful basis for processing must apply whenever you process personal data. (see appendix B for a full list).
Personal data
“Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Special categories of data
Special categories of data are considered as more sensitive data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Risk Management and action plan
The risk score will determine the level of authorisation needed for any DPIA completed that requires a full DPIA.
Any risk score that is verified by the IG team to be in the upper range of a medium risk score (9 to 12) or in the range of high risk will require referral to the relevant Data Protection Officer for review and comment.
DPIA risks that score as high risk will only have the processing of the data approved by the relevant SIRO and Caldicott Guardian once the risk has either mitigated to reduce the risk to medium as a minimum. Where this is not possible, a high-risk score will also require escalation to and a response from NHSE&I and the Information Commissioner’s Office before any processing can commence.
The escalation process also includes a review to enable the risk to be lowered to within tolerance, if possible. The table below identifies the ranges for the scores and the risk level associated with each range of scores.
Additional Information
We provide a copy of Information sharing agreement if applicable (draft acceptable if not yet agreed)
Direct marketing
Will any personal data be processed for direct marketing purposes?
If Yes, please describe how the proposed direct marketing will take place:
If you would like further information about what direct marketing is, please refer to the ICO guidance:https://ico.org.uk/media/1555/direct-marketing-guidance.pdf
Yes – email addresses and email messages for rota allocation
How will this be used for direct marketing?
We would not use any third party marketing. We keep current users up to date with product and new features.
Access and reporting
How many members of staff will have access to the data? Please can you also explain the access controls in place.
Information is accessed via a private account login
Own data seen by individual users. Practice Manager and Senior Partners will have access to all data.
What access controls will you have in place to ensure there is only authorised access to the data?
Please include your procedure for enabling access, removing access, monitoring access and identifying any inappropriate access.
Answer needed here?
Are there any new or additional reporting requirements from the system/software being used for this project/service?
If “No” move to section 5 below: Business Continuity planning
No
Will the reports be in sensitive or redacted format (removing anything which is sensitive) format?
Answer needed here?
Will the reports be in person-identifiable, pseudonymised or anonymised format?
Answer needed here?
What roles will be able to run reports? E.g. service activity reports, reports on individual people.
Answer needed here?
What roles will receive the report or where will it be published? Please can you also clarify the names of the organisations.
Answer needed here?
If this new/revised reporting function should stop, are there plans in place for how the information will be retained / archived/ transferred or disposed of?
Answer needed here?
What plans are in place in relation to the internal reporting of a personal data breach?
(NB A personal data breach may need to be reported to the ICO within 72 hours. Therefore, it is recommended that plans are in place to report a data breach to the relevant organisations within 24-48 hours.)
Personal data breach will be reported to the ICO within 72 hours[DG1] [AJ(HL2]
What plans are in place in relation to the notification of data subjects should there be a personal data breach?
Duty of Candour templates in place to notify staff of any data breaches.
How will the personal data be restored in a timely manner in the event of a physical or technical incident?
Answer needed here?
How business critical is the system you are using?
X Tier 2 – Significant (restoration within 24-48 hrs)
The processing of Personal Confidential Data – Q&A
| Please identify the conditions under the Data Protection Act 2018 (see Appendix 1 for legal basis under data protection legislation).
If you have a Section 251 approval under the NHS Act 2006– please include the approval reference number. If you are relying on consent as your lawful basis, please include a copy of your consent form and identify when and how will this be obtained and recorded? [1] Where there isn’t Section 251 approval, please can you explain how the duty of confidentiality will be met. |
Explicit consent |
| Where will the data be stored (by the controller(s) and processor(s)? | Data is stored only by GPnetworks, within a MySQL database, on a service within a UK based dedicated server, hosted by Digital Ocean. No other party has access to this server. Technical details concerning the hosting and system security are available with GPnetworks. |
| How will the data be stored (by the controller(s) and processors(s)? | Data is stored in a structured manner, within MySQL database. Some elements are encrypted to provide additional security. Data is also archived in backups, held with an Amazon AWS storage bucket. |
| What confidentiality and security measures will be used to store the data? | Security
GPnetworks use PHP session and cookies to handle user sessions. GPnetworks use a secure one-way hash and salt to store and validate user passwords. All data is always transmitted over secure protocol. (HTTPS). User data is stored in a Cloudways MySQL database which has a password and IP whitelist*, accessed over SSH.
Confidentiality Access to user data stored within the GPnetworks ecosystem is limited to System Administrators of the company. Personal user data does not leave the system nor is it accessed by any external 3rd parties. Within the system front-end accounts, access to user data is controlled and limited to hub administrators on an access rights and permissions basis, determined by the organisation itself. Users cannot access each other’s personal user data
|
| Who will be able to access personal identifiable data? Please specify the teams (and job titles if possible). | Information is accessed via a private account login
Data is removed from the system at the point that a User cancels their account. A user can delete their data at any time from within their account. Only a System Admin or a hub Admin designated by the client organisation can access users personal data. |
| How will you consult with the relevant stakeholders? For example, where health data is being processed, has there been a clinical review to consider clinical or ethnical impacts/risks of the project? | N/A No Health data used. |
| How will you ensure the accuracy and quality of the personal data (including rectification or erasure where necessary)? | Quality check undertaken at registration process via verification process. No editing will take place. |
| Will the data be linked with any other data collections? If yes, please explain what data will be linked and what the other data collections are. | Financial, operational output, individual output, Operational data such as rosters. Also pay rates and workforce data. For the purpose of understanding operational needs, output and efficiencies |
| How will this linkage be achieved? | Users enters data on GP Networks Tempo Portal. System creates operational solutions by combining the attributes of individuals within organisation |
| Is there a legal basis for these linkages? i.e. is the Controller/s responsible for the data expected to co-operate/link data to carry out their legal obligations. | Explicit Consent |
| Do you have a process in place and/or system functionality to respond to the right to data portability requests?
Please note this only applies where: · We are relying on the legal bases of consent or contract · The personal data is sent to us electronically directly by the data subject
A definition of ‘data portability’ is included in Appendix A. |
To be queried |
| What security measures will be used when the data is in transit? | N/A |
| How long will the data be retained in identifiable form?
How will it be de-identified or destroyed? Who will be responsible for ensuring the data is de-identified or destroyed? |
Some parts of data are retained longer than other. Generally, 10 years will be enough for most data types, or requested to remove
On request database records deleted or person data anonymised by GP Networks
|
| What governance and assurance measures are in place to ensure the confidentiality, security and appropriate use of the data? E.g. policies and procedures, system security policy, information asset register, accountability roles identified | GP Networks use PHP session and cookies to handle user sessions. We use a secure one way hash and salt to store and validate user passwords. All data is always transmitted over secure protocol (HTTPS). User data is stored in a Cloudways MySQL database which has a password and IP whitelist*, accessed over SSH. |
| What are the contractual arrangements for this project? E.g. NHS standard contract, data processing agreement, data sharing agreement | Data Sharing Agreement, Service Level Agreement |
| Where there are sub-processors engaged for the project, do you have assurance that the processor(s) has a contract with their sub-processor(s)? | There are no sub-processors that we use. |
| Do you need to consider consulting information technology experts as part of this change process/project? i.e. IT Infrastructure or software deployment, ICT resources/knowledge and skills. | No |
| Please embed a copy of the System Level Security Policy (SLSP) for the project/service.
This policy needs to identify the technical controls that enable you to demonstrate that you have ensured privacy by design has been addressed by ensuring you have information on the controls required to protect the data. |
To be queried |
| If holding personal i.e. identifiable data, are procedures in place for subject access requests? | Yes. Staff can place a request with Practice manager regarding data held on GP Networks Tempo portal |
| Are there any plans to allow the information to be used elsewhere either in the wider NHS or by a third party? If so, please explain. | No |
| Will the privacy notices in relation to this data be updated and ensure it includes:
• ID of controller • Legal basis for the processing • Categories of personal data • Recipients, sources or categories of recipients of the data: any sharing or transfers of the data (including to other countries) • Any automated decision making • Retention period for the personal data • Existence of data subject rights, including access to their data and/or withdrawal of consent and data portability |
Yes |
| Where consent or contractual arrangements is the lawful basis for processing and your project involves automated processing, how will you ensure you can separate some data from other datasets if required, to enable data portability? |
[1] See NHS Confidentiality Code of Practice Annex C for guidance on where consent should be gained. NHS Act 2006 s251 approval is authorised by the National Information Governance Board Ethics and Confidentiality Committee and a reference number should be provided
Describe the information flows The collection, use and deletion of personal data must be documented.
| Does any data flow in identifiable form? If so, from which organisation, and to which organisation/s?
Please include a data flow map and confirm the flow has been added to your organisation’s Information Asset and Data flow register. |
Data is added to the Tempo GP networks system by Practice Users and Practice Manager.
Practice Users register and enter their personal information on The System. |
| What media will you use for the data flow?
(e.g. email, post, courier, encrypted hard drive, secure electronic means [e.g. SFTP], other – please specify all that will be used) |
All data is always transmitted over secure protocol (HTTPS). User data is stored in a Cloudways MySQL database which has a password and IP whitelist*, accessed over SSH.
|
Lawfulness of the processing
| The processing of information must be lawful, and therefore requires a lawful basis. You must choose one or more lawful bases from Article 6 below for processing personal information and one or more from Article 9 below if you are processing special category data (i.e. race, ethnicity, religion, health, sexual orientation, genetic and biometric data, political opinion).
Please note:
For additional help in deciding the legal basis you can use this interactive tool from the ICO: Your IG Team are available to help you identify the legal route for processing data. |
|||
| Article 6 | Article 9 | ||
| 1(a) Consent
Consent of the data subject ONLY use where another legal basis is not applicable, or for secondary use of the information. |
☒
|
2(a) Consent
Explicit consent of the data subject unlessreliance on consent is prohibited by EU or Member State law. ONLY used where another legal basis is not applicable, or for secondary use of the information. |
☐ |
| 1(b) Contract
Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract. |
☐ | 2(b) Legal obligation
Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement. |
☐ |
| 1(c) Legal obligation
Necessary for compliance with a legal obligation (not including contractual obligations). |
☐ | 2(c) Vital interests
Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent. |
☐ |
| 1(d) Vital interests
Necessary to protect the vital interests of a data subject or another person. |
☐ | 2(d) Not-for-profit bodies
Legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Only processing data of individuals in regular contact with the not-for-profit body. It is anticipated that this lawful basis would very rarely apply. |
☐ |
| 1(e) Public task
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This lawful basis is usually selected for projects to support direct care which process PERSONAL information. |
☐ | 2(e) Made public by the data subject
Processing relates to personal data which is made public by the data subject. It is anticipated that this lawful basis would very rarely apply. |
☐ |
| 1(f) Legitimate interests
Necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Please note, public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority. |
☐ | 2(f) Legal claims
Purpose of the processing is to establish, exercise or defend legal claims or when the courts is acting in their judicial capacity. It is anticipated that this lawful basis would very rarely apply. |
☐ |
| 2(g) Substantial public interest
‘Necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’. It is anticipated that this lawful basis would very rarely apply. |
☐ | ||
| 2(h) Medical treatment
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care treatment or management of health or social care systems or a contract with a health professional. This lawful basis is usually selected for projects to support direct care which process PERSONAL information. |
☐ | ||
| 2(i) Public Health
‘Necessary for the reason of public interest in the area of public health, such as protecting against serious cross border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices’. |
☐ | ||
| 2(j) Archiving, research and statistics
‘Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’. It is anticipated that this lawful basis would very rarely apply. |
☐ | ||
| If you have chosen consent as your legal basis, describe how you will record consent and its removal if the patient changes their mind?
Note: Consent has to be verifiable and cannot be inferred from silence, pre-ticked boxes or inactivity. |
Explicit consent is recorded when staff creates their account on Tempo portal. |
Description of data: National and local data flows containing personal and identifiable personal information. What are the required personal data items?
| Personal Data | Please tick all that apply | Special Category Data | Please tick all that apply |
| Name | ☒ | Racial or ethnic origin | ☐ |
| Gender | ☒
|
||
| Address (home or business) | ☒ | Political opinions | ☐ |
| Postcode | ☒ | Religious or philosophical beliefs | ☐ |
| NHS No | ☐ | Trade union membership | ☐ |
| Email address | ☒ | Physical or mental health | ☐ |
| Sexual orientation | ☐ | ||
| Date of birth | ☒ | Sexual life | ☐ |
| Payroll number | ☒ | Criminal offences | ☐ |
| IP address (GP Practice and Consultants) | ☐ | ||
| Driving Licence or ID card [shows date of birth and first part of surname] | ☒ | Biometrics; DNA profile, fingerprints | ☐ |
| Bank, financial or credit card details | ☒ | Health, adoption, employment, school, Social Services, housing records | ☐ |
| Mother’s maiden name | ☐ | Child protection | ☐ |
| National insurance number | ☒
|
Genetics | ☐ |
| Tax, benefit or pensions record | ☒
|
Safeguarding adults | ☐ |
Use of personal information
If you are intending to use personal data, why would it not be possible to do without personal data?
System creates operational solutions by combining the attributes of individuals with organisations and deeper are wide insights by combining organisational data generated within the system.
Please confirm that you will be using only the minimum amount of personal data that is necessary.
Yes
Would it be possible for the Controller/s to use pseudonymised data for any element of the processing?
No
If Yes, please specify the element(s) and describe the pseudonymisation technique(s) that you are proposing to use and how you will prevent any re-identification of individuals.
N/A
Are there any other organisations involved in this project that are not processing personal data?
None
Has a data flow mapping exercise been undertaken?
Data is added to the GP networks system by Blackheath Standard Surgery Practice Users.
- Practice Users register and enter their personal information on The System
- Practice User connect with PCN practices in the system and by doing so, make their profile data available to that PCN practices
- PCN Practices make use of user data in their operational workflows and, by doing so, organisations data is often shared back to the user, where it relates to the user in an operational way
- Email and SMS messages are generated by GP networks and sent to Users as necessary
- The employing organization access financial details for the User, raise an invoice and make payment using their bank details
Will all of the information be truly anonymised information1? Anonymised data must meet the ICO code of practice.
No – some of the information will relate to an identified or an identifiable person (either directly or indirectly)
Will the project involve the collection of information about individuals?
No
Does the project introduce new or additional information technologies that can substantially reveal business sensitive information, or have a high impact on the business, whether within a single function or across the whole business?
Yes
Will the project compel individuals to provide information about themselves?
No
Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
No
Are you using personal data/special category data about individuals for a new purpose or in a new way that is different from any existing use?
No
Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of data to make an automated decision about care.
No
Will the project result in you making decisions about individuals in ways which may have a significant impact on them? i.e. does the project change the delivery of direct care.
No
Will the project result in you making decisions about individuals in ways which may have a significant impact on them? i.e. does the project change the delivery of direct care.
No
Will the project require you to contact individuals in ways which they may find intrusive?
No
Does the project involve multiple organisations, whether they are public sector agencies accessing personal data/special category data i.e. joined up government initiatives or private sector organisations e.g. outsourced service providers or business partners?
Yes
Does the project involve new or significantly changed handling of a considerable amount of personal data/special category data about each individual?
If you have answered yes, approximately how many individuals?
No
Does the project involve new or significantly changed consolidation, inter-linking, cross referencing or matching of personal data/special category data from multiple sources?
Yes
Will personal data be processed (e.g., held in a data centre) outside the UK? If yes, please specify the country.
No
Does the project relate to data processing which is in any way exempt from legislative privacy protections? E.g. section 251 of the NHS Act 2006
No
Purpose and aims of the Tempo project
Phase 1: Core operational system
GPnetworks, Workforce & Digital Primary Care
What is ‘GP networks’?
GP Networks is a community-based on-line platform that connects locum clinical staff with clinical sessions suitable to their role and expertise.
Clinical staff (‘Users’) register using GP networks. Their credentials (qualifications) are then vetted by employers – ‘Licensee’. The User is then able to book themselves into clinical sessions made available by the Licensee.
The system is branded as ‘GP Networks’, ‘Workforce’, ‘Digital Primary Care’ is provided in white label format for Blackheath Standard Surgery to apply our own branding. GP Networks provides a powerful operational toolset to Practice/PCN to manage staff capacity, rostering capabilities. All systems share the same core technology and infrastructure, and in the context of this DPIA are treated as one and the same.
- Project timeframe
On-going – starting from agreement date
- Categories of data to flow
Tempo software by GP Networks currently collect personal data, professional information, and availability and bank details.
- Use of identifiable, anonymised or pseudonymised data
Identifiable information
- Use of data for research
No
- Is this DPIA for an information system or an App (i.e. an Application for use on an ipad/iphone)? If yes, what is it called?
Tempo – Web based application
- Organisational roles
Data Controller – Client Surgery
Data Processor – Tempo/GP Networks
What is a DPIA?
The Data Protection Impact Assessment (DPIA) is a tool which helps assess data protection and privacy risks to individuals in the collection, use and disclosure of information.
The core principles of conducting a DPIA can be applied to any project, initiative, system or process change which involves the use of personal data, or to any other activity which could have an impact on the privacy of individuals.
Please note, a DPIA is a living document. Therefore, once a DPIA has been completed and signed off, it is recommended that it is reviewed when any changes are made to the project, initiative, system or process change to ensure that the DPIA is still accurate.
A project which has included a DPIA at the very start of the project, and updated as the project progresses should result in the project being less privacy intrusive and therefore less likely to affect individuals in a negative way.
Data flows
Best data protection and privacy assessments give ample consideration to flows of data. A data flow map is a graphical representation of the data flow and includes:
Incoming and outgoing data.
Organisations and/or people sending/receiving information.
Storage for the ‘data at rest’ i.e. system, filing cabinet, encryption used.
Methods of transfer.
As part of completing a DPIA, the flow mapping of data must be recorded. Any risks identified by completing the DPIA must be entered onto the relevant organisation’s suitable risk register.
To support you with completing this DPIA template, you may wish to contact your IG lead who may be able to provide copies of completed DPIAs for similar projects. This may be helpful to set out the level of information that is required when completing a DPIA.
