Instructions to assist a Data Controller completing a DPIA
The completion of a DPIA is the responsibility of the Data Controller (who is the GP Practice).
As Data Processor Informatica Systems Ltd provides the following information to assist in the completion of the document.
This DPIA follows the process set out in the ICO’s guidance and how-to, and should be read alongside that guidance. Their template is available here.
A DPIA should include these steps:
Step 1: identify the need for a DPIA
Step 2: describe the processing
Step 3: consider consultation
Step 4: assess necessity and proportionality
Step 5: identify and assess risks
Step 6: identify measures to mitigate the risks
Step 7: sign off and record outcomes
A Skyline Subscription is procured by a Customer (e.g. a CCG).
The Customer has a Contract and/or a Data Processing Deed (DPD) which provides the legal basis for processing data.
A Subscription contains one or more Solutions.
Relevant Solutions within a Subscription are made available to Subscription Organisations, also known as Beneficiaries in the associated DPD.
Each Solution will have an associated Solution Agreement, which will include links to the DPD as appropriate; a Solution may not process sensitive data, in which case such links will be for information only.
Where the Subscription Organisation is the Controller, they will need to agree to the Solution Agreement for each Solution they use before that Solution is made available to Users.
Informatica Systems is not the controller of the data being processed in this DPIA. The controllers are the GP practices who are Beneficiaries of Informatica Systems and have authorised us to process the data on their behalf. This DPIA information has been prepared for these data controllers by Informatica Systems.
Note for the Data Controller
It is the responsibility of the data controller to establish their need for using the Skyline system.
The Skyline system is designed to provide NHS primary care with Clinical Decision Support, Risk Stratification and Population Health Management capabilities which can be procured through the GP IT Futures framework agreement or directly from Informatica.
Skyline processes patient data as follows:
Acquiring patient medical records from the different Principal Clinical Systems such as EMIS;
Analysing the patient medical records according to specifications to support clinical care;
Supporting clinicians to make clinical decisions by interpreting the results of the previous analysis;
Displaying the results of the patient data analysis to assist in direct clinical care, planning and research;
Where a practice is participating in such a programme and has given explicit consent:
Extracting subsets of data from the patient medical records for provision to third parties such as SAIL or the National Diabetes Programme;
Collecting new and updated medical data about patients to support patient reviews and Public Health programmes such as the NHS Health Check;
Assisting GP practices in the day-to-day operations of patient management, for example managing the call and recall process for immunisation programmes.
Do we need to do a DPIA? The ICO publishes guidance on when a DPIA is needed. Under that guidance a DPIA is needed for various reasons:
This diagram shows the high-level data flows throughout the system (the marker in the diagram denotes a data store holding Personally Identifiable Information):
The system holds Personally Identifiable Information (PII) which is typically patient medical data. This is classed as sensitive personal data. This type of data requires a higher level of protection. The GDPR refers to the processing of these data as ‘special categories of personal data’.
Note for the Data Controller
It is the responsibility of the data controller to ensure that they have established their lawful basis for processing this special category data.
How is data collected? | Patient data is collected from the Principal Clinical Systems (EMIS, TPP etc). |
How is data stored? | Personal data is stored in various AWS ‘cloud’ services. All data remains in the UK by being sited in the AWS Europe (London) Region. |
How is data used? | Patient data is analysed according to clinical guidelines to support Clinical Decision Support, Risk Stratification and Population Health Management activities. |
Who has access to the data? | Authorised staff members in the GP practice have access to the PII of patients registered at the practice. If patient PII is shared (see below) then authorised staff members in those organisations also have access to the PII of patients registered at the practice. |
Who is the data shared with? | No patient data is shared by Informatica or by the Skyline application. The GP practice may elect to share patient PII with other organisations with which it has a data sharing agreement. This supports scenarios such as the use of shared PCN workforce resources (e.g. clinical pharmacists), or performing NHS Health Checks in the community. The GP practice may also elect to share aggregated or anonymised data with other organisations for the purposes of planning or research. |
Who processes the data? | Informatica Systems Ltd is the main processor; AWS is the sole sub-processor. |
How long is the data held? | The personal data is held for as long as the GP practice uses the Skyline system. |
What security measures are in place? | Personal data is encrypted both at rest and in transit. In transit all data is protected using TLS 1.2. |
Are any new technologies being used? | The data is processed using Amazon EMR, which is a ‘big data’ technology. |
Are any novel types of processing being undertaken? | None. In the future Skyline may use techniques such as artificial intelligence, machine learning or deep learning, but that would require a new DPIA. |
Which screening criteria flagged as likely high risk? | See “Do we need to do a DPIA?” above. |
What is the nature of the personal data? | Patient medical records. |
What is the volume and variety of the personal data? | Data held for every patient registered with the practice. |
What is the sensitivity of the personal data? | Sensitive based on these special categories:
What is the extent and frequency of the processing? | A patient’s personal data is processed:
The frequency of this processing depends on:
It can be expected that, when looking across these types of processing, an individual patient’s data is processed on a daily basis. |
What is the duration of the processing? | A patient’s personal data will be processed whilst they are registered at the practice. Once they are de-registered their data will continue to be processed for historic data analysis purposes. |
What is the number of data subjects involved? | This depends on the GP practice. The median number of patients in a practice in England and Wales is ~8,500. |
What is the geographical area covered? | That of the catchment area of the GP practice. |
What is the nature of your relationship with the individuals? | |
How far do individuals have control over their data? | |
How far are individuals likely to expect the processing? | |
Do the individuals include children or other vulnerable people? | Yes |
Does the data controller have previous experience of this type of processing? | |
Are there any relevant advances in technology or security? | The use of internet facing cloud systems is now preferred by the NHS. AWS is certified for the NHS Information Governance Toolkit. Informatica Systems is following the guidance provided by NHS Digital for the use of public cloud services. |
Are there any current issues of public concern? | |
Has the data controller considered and complied with relevant codes of practice? | Informatica Systems, the data processor, is certified for ISO 27001 Information Security Management System (ISMS), Cyber Essentials PLUS and the NHS Data Security and Protection Toolkit. |
Note for the Data Controller
The purposes of processing are defined in the individual Solution Agreements and Data Processing Deeds.
It is the responsibility of the data controller to ensure that they have established their purpose for using Skyline to process patient data.
For the majority of cases the following purpose will be appropriate:
Skyline provides Clinical Decision Support, Risk Stratification and Population Health Management capabilities that help GP practices to:
Improve the quality of patient care and achieve the best clinical outcomes for patients;
Manage and plan clinic services to ensure that appropriate care is in place;
Participate in health and social care research.
The underlying purpose is provision of direct patient care.
Note for the Data Controller
See ICO or local guidance
What is our lawful basis for the processing? | |
How will we prevent function creep? | |
How do we intend to ensure data quality? | |
How do we intend to ensure data minimisation? | Skyline holds a maximal set of data about each patient. This data is required to satisfy the complete range of clinical data analyses that may be required. The output of each data analysis is the minimal set of data required to satisfy the clinical query it addresses; for example, a data analysis for diabetes will only output information about the patient related to diabetes. |
How do we intend to provide privacy information to individuals? | |
How do we implement and support individuals' rights? | Skyline supports individuals' rights through the implementation of appropriate role-based access control. |
What measures do we have to ensure our processors comply? | |
How do we safeguard international transfers? |
Note for the Data Controller
Informatica Systems can, on request, provide an initial set of risks based on its own assessment of the technical implementation of Skyline.
You should perform your own risk assessment above and beyond this.
Note for the Data Controller
This will be a local procedure and Informatica are unable to advise on this.
Below are specific questions we have been asked:
Data is encrypted in transit. Data is also encrypted at rest.
Bulk extracts are undertaken daily.
The bulk extract includes all active patients and patient records deducted in the last 12 months.
All clinical data is classified as personal data and is considered special category personal data as it includes health and demographic data as defined in the GDPR. Data is processed in accordance with the appropriate legislation.
EU approved country (UK)
We extract all patient records including children. Where they meet the cohort definitions these patients are then displayed to clinicians.
All actions are audited by the Skyline system. Audit records are currently available via a concierge service from Informatica; the service will be available as a self-service facility in a future release.
For audit and record purposes, data will be held up to 12 months after contract termination.
Skyline is built on the AWS service platform with high resilience and availability criteria. Informatica does not back up the data itself, relying instead on the integrated AWS services. In the event of a catastrophic loss of data availability in Skyline, the data can be re-loaded in bulk from the Principal Clinical System.
Skyline does not include National Data Opt-Out (NDOO) functionality, as all Solutions are for individual care as defined in https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out/individual-care-and-research-and-planning-uses-of-data
Patient opt outs are managed at a practice level for sharing of patient level data downloads.