The processing of Personal Confidential Data – Q&A

Please identify the conditions under the Data Protection Act 2018 (see Appendix 1 for legal basis under data protection legislation).

If you have a Section 251 approval under the NHS Act 2006, please include the approval reference number.

If you are relying on consent as your lawful basis, please include a copy of your consent form and identify when and how this will be obtained and recorded. [1]

Where there isn’t Section 251 approval, please explain how the duty of confidentiality will be met.

Explicit consent

Where will the data be stored (by the controller(s) and processor(s))?

Data is stored only by GPnetworks, within a MySQL database, on a service within a UK-based dedicated server, hosted by Digital Ocean. No other party has access to this server. Technical details concerning the hosting and system security are available from GPnetworks.

How will the data be stored (by the controller(s) and processor(s))?

Data is stored in a structured manner, within a MySQL database. Some elements are encrypted to provide additional security. Data is also archived in backups, held in an Amazon AWS storage bucket.

What confidentiality and security measures will be used to store the data?

Security

GPnetworks use PHP sessions and cookies to handle user sessions. GPnetworks use a secure one-way hash and salt to store and validate user passwords. All data is always transmitted over a secure protocol (HTTPS). User data is stored in a Cloudways MySQL database which has a password and IP whitelist*, accessed over SSH.

Confidentiality

Access to user data stored within the GPnetworks ecosystem is limited to System Administrators of the company. Personal user data does not leave the system, nor is it accessed by any external third parties. Within the system front-end accounts, access to user data is controlled and limited to hub administrators on an access rights and permissions basis, determined by the organisation itself. Users cannot access each other’s personal user data.

Who will be able to access personal identifiable data? Please specify the teams (and job titles if possible).

Information is accessed via a private account login.

Data is removed from the system at the point that a User cancels their account. A user can delete their data at any time from within their account. Only a System Admin or a hub Admin designated by the client organisation can access users’ personal data.

How will you consult with the relevant stakeholders? For example, where health data is being processed, has there been a clinical review to consider clinical or ethical impacts/risks of the project?

N/A. No health data used.

How will you ensure the accuracy and quality of the personal data (including rectification or erasure where necessary)?

Quality check undertaken at the registration process via a verification process. No editing will take place.

Will the data be linked with any other data collections? If yes, please explain what data will be linked and what the other data collections are.

Financial, operational output, individual output, and operational data such as rosters. Also pay rates and workforce data. For the purpose of understanding operational needs, output and efficiencies.

How will this linkage be achieved?

Users enter data on the GP Networks Tempo Portal. The system creates operational solutions by combining the attributes of individuals within the organisation.

Is there a legal basis for these linkages? i.e. is the Controller/s responsible for the data expected to co-operate/link data to carry out their legal obligations?

Explicit Consent

Do you have a process in place and/or system functionality to respond to the right to data portability requests?

Please note this only applies where:

· We are relying on the legal bases of consent or contract

· The personal data is sent to us electronically directly by the data subject

A definition of ‘data portability’ is included in Appendix A.

To be queried
What security measures will be used when the data is in transit?

N/A

How long will the data be retained in identifiable form?

How will it be de-identified or destroyed?

Who will be responsible for ensuring the data is de-identified or destroyed?

Some parts of the data are retained longer than others. Generally, 10 years will be enough for most data types, or until removal is requested.

On request, database records are deleted or personal data is anonymised by GP Networks.

What governance and assurance measures are in place to ensure the confidentiality, security and appropriate use of the data? E.g. policies and procedures, system security policy, information asset register, accountability roles identified.

GP Networks use PHP sessions and cookies to handle user sessions. We use a secure one-way hash and salt to store and validate user passwords. All data is always transmitted over a secure protocol (HTTPS). User data is stored in a Cloudways MySQL database which has a password and IP whitelist*, accessed over SSH.

What are the contractual arrangements for this project? E.g. NHS standard contract, data processing agreement, data sharing agreement.

Data Sharing Agreement, Service Level Agreement

Where there are sub-processors engaged for the project, do you have assurance that the processor(s) has a contract with their sub-processor(s)?

There are no sub-processors that we use.

Do you need to consider consulting information technology experts as part of this change process/project? i.e. IT infrastructure or software deployment, ICT resources/knowledge and skills.

No

Please embed a copy of the System Level Security Policy (SLSP) for the project/service.

This policy needs to identify the technical controls that enable you to demonstrate that privacy by design has been addressed, by ensuring you have information on the controls required to protect the data.

To be queried
If holding personal i.e. identifiable data, are procedures in place for subject access requests?

Yes. Staff can place a request with the Practice Manager regarding data held on the GP Networks Tempo portal.

Are there any plans to allow the information to be used elsewhere, either in the wider NHS or by a third party? If so, please explain.

No

Will the privacy notices in relation to this data be updated and ensure they include:

• ID of controller

• Legal basis for the processing

• Categories of personal data

• Recipients, sources or categories of recipients of the data: any sharing or transfers of the data (including to other countries)

• Any automated decision making

• Retention period for the personal data

• Existence of data subject rights, including access to their data and/or withdrawal of consent and data portability

Yes
Where consent or contractual arrangements are the lawful basis for processing and your project involves automated processing, how will you ensure you can separate some data from other datasets if required, to enable data portability?

[1] See NHS Confidentiality Code of Practice Annex C for guidance on where consent should be gained. NHS Act 2006 s251 approval is authorised by the National Information Governance Board Ethics and Confidentiality Committee, and a reference number should be provided.