...
Step 1: identify the need for a DPIA
Step 2: describe the processing
Step 3: consider consultation
Step 4: assess necessity and proportionality
Step 5: identify and assess risks
Step 6: identify measures to mitigate the risks
Step 7: sign off and record outcomes
Contractual Context
A Skyline Subscription is procured by a Customer (e.g. a CCG).
The Customer has a Contract and/or a Data Processing Deed (DPD) which provides the legal basis for processing data.
A Subscription contains one or more Solutions.
Relevant Solutions within a Subscription are made available to Subscription Organisations, also known as Beneficiaries in the associated DPD.
Each Solution will have an associated Solution Agreement, which will include links to the DPD as appropriate; a Solution may not process sensitive data, in which case such links will be for information only.
Where the Subscription Organisation is the Controller, they will need to agree to the Solution Agreement for each Solution they use before that Solution is made available to Users.
Step 1: Identify the need for a DPIA
...
Skyline processes patient data as follows:
Acquiring patient medical records from the different Principal Clinical Systems such as EMIS;
Analysing the patient medical records according to specifications to support clinical care;
Supporting clinicians to make clinical decisions by interpreting the results of the previous analysis;
Displaying the results of the patient data analysis to assist in direct clinical care, planning and research;
Where a practice is participating in, and has given explicit consent,
Extracting subsets of data from the patient medical records for provision to third parties such as SAIL or the National Diabetes Programme;
Collecting new and updated medical data about patients to support patient reviews and Public Health programmes such as the NHS Health Check;
Assisting GP practices in the day-to-day operations of patient management, for example managing the call and recall process for immunisation programmes.
| Warning |
|---|
| Do we need to do a DPIA? The ICO publishes guidance on when a DPIA is needed. Under that guidance a DPIA is needed for various reasons: |
Step 2: Describe the processing
...
| Question | Response |
|---|---|
| What is the nature of the personal data? | Patient medical records. |
| What is the volume and variety of the personal data? | Data held for every patient registered with the practice. |
| What is the sensitivity of the personal data? | Sensitive based on these special categories: |
| What is the extent and frequency of the processing? | A patient's personal data is processed: The frequency of this processing depends on: It can be expected that, when looking across these types of processing, an individual patient's data is processed on a daily basis. |
| What is the duration of the processing? | A patient's personal data will be processed whilst they are registered at the practice. Once they are de-registered their data will continue to be processed for historic data analysis purposes. |
| What is the number of data subjects involved? | This depends on the GP practice. The median number of patients in a practice in England and Wales is ~8,500. |
| What is the geographical area covered? | That of the catchment area of the GP practice. |
...
Note for the Data Controller
The purposes of processing are defined in the individual Solution Agreements and Data Processing Deeds.
It is the responsibility of the data controller to ensure that they have established their purpose for using Skyline to process patient data.
For the majority of cases the following purpose will be appropriate:
Skyline provides Clinical Decision Support, Risk Stratification and Population Health Management capabilities that help GP practices to:
Improve the quality of patient care and achieve the best clinical outcomes for patients;
Manage and plan clinic services to ensure that appropriate care is in place;
Participate in health and social care research.
In most cases the underlying purpose is the provision of direct patient care.
Step 3: Consultation process
...