Completing a DPIA
- 1 Overview
- 2 Step 1: Identify the need for a DPIA
- 2.1 Overview
- 3 Step 2: Describe the processing
- 4 Step 3: Consultation process
- 5 Step 4: Assess necessity and proportionality
- 6 Steps 5 & 6: Identify and assess risks & mitigating measures
- 7 Step 7: Sign off and record outcomes
- 8 Additional Questions
- 8.1 What controls are in place during transfer
- 8.2 What is the frequency of transfer
- 8.3 How many records are transferred in each data flow
- 8.4 What is the Data classification
- 8.5 In what geographical location is the destination of the data flow
- 8.6 Records of children under 13
- 8.7 Records of children under 18
- 8.8 Are actions audited?
- 8.9 How long is data held for?
- 8.10 Business Continuity
- 8.11 Is the National Data Opt Out supported?
Overview
The completion of a DPIA is the responsibility of the Data Controller (who is the GP Practice).
As Data Processor Informatica Systems Ltd provides the following information to assist in the completion of the document.
A DPIA should include these steps:
Step 1: identify the need for a DPIA
Step 2: describe the processing
Step 3: consider consultation
Step 4: assess necessity and proportionality
Step 5: identify and assess risks
Step 6: identify measures to mitigate the risks
Step 7: sign off and record outcomes
Contractual Context
A Skyline Subscription is procured by a Customer (e.g. a CCG).
The Customer has a Contract and/or a Data Processing Deed (DPD) which provides the legal basis for processing data.
A Subscription contains one or more Solutions.
Relevant Solutions within a Subscription are made available to Subscription Organisations, also known as Beneficiaries in the associated DPD.
Each Solution will have an associated Solution Agreement, which will include links to the DPD as appropriate; a Solution may not process sensitive data, in which case such links will be for information only.
Where the Subscription Organisation is the Controller, they will need to agree to the Solution Agreement for each Solution they use before that Solution is made available to Users.
Step 1: Identify the need for a DPIA
Informatica Systems is not the controller of the data being processed in this DPIA. The controllers are the GP practices who are Beneficiaries of Informatica Systems and have authorised us to process the data on their behalf. This DPIA information has been prepared for these data controllers by Informatica Systems.
Note for the Data Controller
It is the responsibility of the data controller to establish their need for using the Skyline system.
Overview
The Skyline system is designed to provide NHS primary care with Clinical Decision Support, Risk Stratification and Population Health Management capabilities which can be procured through the GP IT Futures framework agreement or directly from Informatica.
Skyline processes patient data as follows:
Acquiring patient medical records from the different Principal Clinical Systems such as EMIS;
Analysing the patient medical records according to specifications to support clinical care;
Supporting clinicians to make clinical decisions by interpreting the results of the previous analysis;
Displaying the results of the patient data analysis to assist in direct clinical care, planning and research;
Where a practice is participating in, and has given explicit consent,
Extracting subsets of data from the patient medical records for provision to third parties such as SAIL or the National Diabetes Programme;
Collecting new and updated medical data about patients to support patient reviews and Public Health programmes such as the NHS Health Check;
Assisting GP practices in the day-to-day operations of patient management, for example managing the call and recall process for immunisation programmes.
Step 2: Describe the processing
The system holds Personally Identifiable Information (PII) which is typically patient medical data. This is classed as sensitive personal data. This type of data requires a higher level of protection. The GDPR refers to the processing of these data as ‘special categories of personal data’.
Nature of the Processing
| Question | Answer |
| --- | --- |
| How is data collected? | Patient data is collected from the Principal Clinical Systems (EMIS, TPP etc.). |
| How is data stored? | Personal data is stored in various AWS ‘cloud’ services. All data remains in the UK by being sited in the AWS Europe (London) Region. |
| How is data used? | Patient data is analysed according to clinical guidelines to support Clinical Decision Support, Risk Stratification and Population Health Management activities. |
| Who has access to the data? | Authorised staff members in the GP practice have access to the PII of patients registered at the practice. If patient PII is shared (see below) then authorised staff members in those organisations also have access to the PII of patients registered at the practice. |
| Who is the data shared with? | No patient data is shared by Informatica or the Skyline Application. The GP practice may elect to share the patient PII with other organisations that it has a data sharing agreement with. This supports scenarios such as the use of shared PCN workforce resources (e.g. clinical pharmacists), or performing NHS Health Checks in the community. The GP practice may also elect to share aggregated or anonymised data with other organisations for the purposes of planning or research. |
| Who processes the data? | Informatica Systems Ltd is the main processor; AWS is the sole sub-processor. |
| How long is the data held? | The personal data is held for as long as the GP practice uses the Skyline system. |
| What security measures are in place? | Personal data is encrypted (both at rest and in transit). In transit all data is protected using TLS 1.2. |
| Are any new technologies being used? | The data is processed using Amazon EMR, which is a ‘big data’ technology. |
| Are any novel types of processing being undertaken? | None. In the future Skyline may use techniques such as artificial intelligence, machine learning or deep learning, but that will require a new DPIA. |
| Which screening criteria flagged as likely high risk? | See “Do we need to do a DPIA?” above. |
Scope of the Processing
| Question | Answer |
| --- | --- |
| What is the nature of the personal data? | Patient medical records. |
| What is the volume and variety of the personal data? | Data held for every patient registered with the practice. |
| What is the sensitivity of the personal data? | Sensitive based on these special categories: |
| What is the extent and frequency of the processing? | A patient’s personal data is processed: The frequency of this processing depends on: It can be expected that, when looking across these types of processing, an individual patient’s data is processed on a daily basis. |
| What is the duration of the processing? | A patient’s personal data will be processed whilst they are registered at the practice. Once they are de-registered their data will continue to be processed for historic data analysis purposes. |
| What is the number of data subjects involved? | This depends on the GP practice. The median number of patients in a practice in England and Wales is ~8,500. |
| What is the geographical area covered? | That of the catchment area of the GP practice. |
Context of the Processing
| Question | Answer |
| --- | --- |
| What is the nature of your relationship with the individuals? | data controller to complete |
| How far do individuals have control over their data? | data controller to complete |
| How far are individuals likely to expect the processing? | data controller to complete |
| Do the individuals include children or other vulnerable people? | Yes |
| Does the data controller have previous experience of this type of processing? | data controller to complete |
| Are there any relevant advances in technology or security? | The use of internet-facing cloud systems is now preferred by the NHS. AWS is certified for the NHS Information Governance Toolkit. Informatica Systems is following the guidance provided by NHS Digital for the use of public cloud services. |
| Are there any current issues of public concern? | data controller to complete |
| Has the data controller considered and complied with relevant codes of practice? | data controller to complete. Informatica Systems, the data processor, is certified for ISO 27001 Information Security Management System (ISMS), Cyber Essentials PLUS and the NHS Data Security and Protection Toolkit. |
Purposes of the Processing
Step 3: Consultation process
Step 4: Assess necessity and proportionality
| Question | Answer |
| --- | --- |
| What is our lawful basis for the processing? | data controller to complete |
| How will we prevent function creep? | data controller to complete |
| How do we intend to ensure data quality? | data controller to complete |
| How do we intend to ensure data minimisation? | Skyline holds a maximal set of data about each patient. This data is required to satisfy the complete range of clinical data analyses that may be required. The output of each data analysis is the minimal set of data required to satisfy the clinical query it addresses. For example, a data analysis for diabetes will only output information about the patient related to diabetes. |
| How do we intend to provide privacy information to individuals? | data controller to complete |
| How do we implement and support individuals' rights? | Skyline supports individuals' rights through the implementation of appropriate role-based access control. |
| What measures do we have to ensure our processors comply? | data controller to complete |
| How do we safeguard international transfers? | data controller to complete |
Steps 5 & 6: Identify and assess risks & mitigating measures
Step 7: Sign off and record outcomes
Additional Questions
Below are specific questions we have been asked.
What controls are in place during transfer
Data is encrypted in transit. Data is also encrypted at rest.
What is the frequency of transfer
Bulk extracts are undertaken daily.
How many records are transferred in each data flow
The bulk extract includes all active patients and patient records deducted in the last 12 months.
What is the Data classification
All clinical data is classified as personal data and is considered special category personal data as it includes health and demographic data as defined in the GDPR. Data is processed in accordance with the appropriate legislation.
In what geographical location is the destination of the data flow
EU approved country (UK)
Records of children under 13
We extract all patient records including children. Where they meet the cohort definitions these patients are then displayed to clinicians.
Records of children under 18
We extract all patient records including children. Where they meet the cohort definitions these patients are then displayed to clinicians.
Are actions audited?
All actions are audited by the Skyline system. Audit records are currently available via a concierge service from Informatica; the service will be available as a self-service facility in a future release.
How long is data held for?
For audit and record purposes, data will be held up to 12 months after contract termination.
Business Continuity
Skyline is built on the AWS service platform with high resilience and availability criteria. Informatica does not back up the data itself, utilising instead the AWS integrated services. In the event of a catastrophic loss of data availability in Skyline, the data can be re-bulked from the Principal Clinical System.
Is the National Data Opt Out supported?
Skyline does not include NDOO functionality, as all Solutions are for individual care, as defined at https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out/individual-care-and-research-and-planning-uses-of-data
Patient opt outs are managed at a practice level for sharing of patient level data downloads.
Skyline is designed and developed by Informatica