Skip to main content

Data protection impact assessment (DPIA) policy

Contents

  1. Introduction
  2. Purpose
  3. Scope
  4. Responsibilities, accountabilities and duties
  5. Procedure or implementation
  6. Training implications
  7. Monitoring arrangements
  8. Equality impact assessment screening
  9. Links to any other associated documents
  10. References
  11. Appendices

1 Introduction

With the on-going published advancements in data protection legalisation, the general data protection regulation (GDPR) came into force on 25 May 2018. The Data Protection Act (2018) makes the GDPR part of UK law and replaces the Data Protection Act (1998). This places a legal obligation on Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH) to conduct a screening Data Protection Impact Assessment (DPIA) for all projects which includes, but is not limited to, the use of information, data and technologies.

The aim of this policy is to provide colleagues with information that promotes good practice and compliance with the GDPR and other statutory requirements provided by our supervisory authority, the information commissioner’s office (ICO).

Additionally, the policy reflects the minimum requirements under the conditions of article 35 of the GDPR.

2 Purpose

The purpose of this policy is to ensure that risks to the rights and privacy of individuals are minimised while allowing the aims of the project to be met whenever possible.

This policy provides a standardised approach towards identifying, assessing and mitigating data protection and privacy risk and assists towards the delivery of compliance with legal statutory requirements.

Risks can be identified and addressed at an early stage by analysing how the proposed uses of data, technology and processes will work in practice. This analysis can be tested by consulting with the stakeholders who will be working on, or affected by, the project.

3 Scope

A DPIA is an integral part of the development and implementation of projects at RDaSH and must be applied to all projects, allowing greater scope for influencing how the project will be implemented.

We recognise that colleagues tasked with accomplishing project objectives and outcomes, it may not define that colleague as a trained project manager so it is likely that projects could be recognised and delivered in different ways. Therefore all colleagues must recognise that a DPIA must be completed via the DPIA portal (staff access only) (opens in new window), which can be found at the bottom of the intranet home page, in the following circumstances and situations:

  • during the use of a trial period of technology, modalities or products which use data or information
  • during the use of charitable or free technology or products which use data or information
  • when publishing personal identifiable information or sensitive information or data on the intranet or in other publicly available media types
  • during procurement of technology, modalities or products which use data or information
  • when de-commissioning or disposing of technology, modalities or products which use data or information
  • when there is a change to existing processes or technology, modalities and products which will significantly amend the way data or information is handled
  • when implementing or developing new processes, technology, modalities or products which involve the use of data or information
  • collecting, retrieving, obtaining, recording or holding new data or information

This document applies to, and is relevant across, all services, departments, and care groups.

4 Responsibilities, accountabilities and duties

4.1 Chief executive

The individual with overall accountability within the trust is the accountable officer, the chief executive. The role provides assurance, through a statement of internal controls, that all risks to the organisation, including those relating to information, are effectively managed and mitigated.

4.2 Senior information risk owner

Is the director of informatics and the senior information risk owner (SIRO) on behalf of the board. The SIRO owns the information risk and incident management framework, overall information risk approach and risk assessment processes, and is responsible for ensuring they are implemented consistently.

4.3 Caldicott guardian (CG)

Is the executive medical director and the senior person responsible for protecting the confidentiality of personal confidential data (PCD) and information. The Caldicott guardian plays a key role in ensuring that RDaSH and partner organisations abide by the highest level of standards for handling PCD and personal identifiable information (PII).

4.4 Data protection officer (DPO)

Is the head of information governance and DPO, a legal role required by the GDPR. This person is responsible for overseeing the information governance (IG) policy and framework and the implementation of data protection and security measures to ensure compliance with the GDPR requirements; these measures should ultimately minimise the risk of breaches and uphold the protection of PII and special categories of data.

The DPO must:

  • carry out an evaluation of the full DPIA to identify potential risks and sources
  • escalate any uncooperative actions to the SIRO and CG
  • provide the responsible project lead and information asset owners (IAO) with any recommendations and conclusions that seem necessary from the evaluation
  • escalate unaccepted conclusions and recommendations to the IG group, SIRO and ICO
  • communicate with the IG team, Information Technology (IT) team, the responsible project lead, ICO, SIRO and IAO with the frequency and formality that they deem necessary
  • feedback relevant communication from the ICO to the responsible project lead, IG group and SIRO to ultimately work towards the final steps of the DPIA

4.5 Information asset owners (IAO)

Are departmental heads and senior managers involved in running the relevant business; their role is to understand what information is held, who has access to this information and why. As a result they can understand and address risks to the information assets they ‘own’, providing assurance to the SIRO. It is the responsibility of the IAO to develop and manage the standard operating procedures and data quality processes for the appropriate use of the information defined within the project.

4.6 Responsible project lead

Is any colleague, including flexible, permanent, new starters, locum, temporary, student and contracted staff members who are tasked with, and are responsible for, accomplishing “project” objectives and outcomes throughout the business by the information asset owners.

The “responsible project lead” must:

  • examine the project at the earliest possible stage and make an initial assessment of data protection and privacy risks, by ensuring the DPIA procedure is adhered to and the screening questions are completed via the portal (staff access only) (opens in new window)
  • accept accountability where some of the screening questions within the DPIA procedure apply to the project; in this case, it is likely that a full DPIA must be undertaken
  • decide if the product or process is a health IT system, a health IT System is defined as a product used to provide electronic information for health or social care purposes where the product may include hardware, software, or a combination of both. The scope of the Health IT System may extend beyond a manufacturer’s organisation and include hardware and or software procured or supplied from other organisations and include infrastructure already in use at a health organisation. If ‘yes’ this product also needs to be assessed against the clinical risk management standards. The DPIA cannot be signed off until the assessment or decision against the clinical risk management standards has been completed, (within approximately 4 weeks from the point that all relevant information is received) as this will inform the DPIA. For further information, guidance and next steps visit the trust’s digital clinical safety intranet page (staff access only) (opens in new window)
  • recognise that there is a legal obligation for the data protection officer to be involved should a full DPIA be necessary using the DPIA procedure, and recognise that the DPIA outcome must be integrated into the project plan before the project is developed and implemented
  • communicate with the IG team, data protection officer, information technology, IAO and other key stakeholders with the frequency and formality that they deem necessary
  • manage potential sources of risk and concerns as they arise, escalating to the senior business or technical roles as required
  • communicate with data protection officer to work towards finalising any conclusions and recommendations should a full DPIA be necessary

Where the conclusions and recommendations have been provided by the data protection officer and are:

  • accepted, demonstration that consideration has been given to the sources of potential risk through the completion of the DPIA form. Additionally conclusions and recommendations are integrated into the main project plan
  • not accepted, demonstration that consideration has been given to the sources of potential risk through formally providing the rationale of non-acceptance by the completion of the DPIA form

A Word version of the DPIA can be found in the DPIA procedure document.

Additionally conclusions and recommendations are integrated into the main project plan.

4.7 The IG team must:

  • Carry out an evaluation of the submitted screening questions and or or DPIA form to address the initial sources of potential risk.
  • Provide the responsible project lead with guidance, if required.
  • Provide the responsible project lead and data protection officer with any recommendations or conclusions that seem necessary.
  • Escalate any uncooperative actions such as not accepting the risks, not carrying out mitigating tasks etc. to the SIRO and CG.

5 Procedure or implementation

Link to the data processing impact assessment procedure.

6 Training implications

6.1 Information governance training, all colleagues or individuals given access to the trust’s electronic clinical system whether trust or third party

  • How often should this be undertaken: Annual mandatory.
  • Length of training: 2 hours.
  • Delivery method: Face to face or via the e-learning module.
  • Training delivered by whom: Information Governance team.
  • Where are the records of attendance held: Electronic staff record system (ESR).

6.2 Clinical system training

  • How often should this be undertaken: On commencement with the organisation, when system access is identified and if update training is required.
  • Length of training: Varies on the level and system specific training required.
  • Delivery method: Face to face.
  • Training delivered by whom: IT Training team.
  • Where are the records of attendance held: Electronic staff record system (ESR).

As a trust policy, all colleagues need to be aware of the key points that the policy covers. Colleagues can be made aware through a variety of means such as:

  • all user emails for urgent messages
  • continuous professional development sessions
  • daily email (sent Monday to Friday)
  • group supervision
  • intranet
  • local induction
  • one to one meetings or supervision
  • posters
  • practice development days
  • special meetings
  • team meetings

7 Monitoring arrangements

7.1 The review and approval of completed DPIA’s that result in a high risk to the freedoms of individuals

  • How: Review at the IG group.
  • Who by: Head of IG or DPO.
  • Reported to: SIRO, Caldicott, ICO.
  • Frequency: Monthly.

7.2 The effectiveness of this policy is a requirement of the information governance policy and framework

  • How: Formal review of the data security and protection toolkit three times a year has key requirements in relation to the policy.
  • Who by: Head of IG or DPO.
  • Reported to: IG group, HIG, FPIC.
  • Frequency: Annual or as required by the DHSC or ICO.

8 Equality Impact assessment screening

Link to equality impact assessment: EIA

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How this will be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act 2005

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all colleagues working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the guiding principles of the Mental Capacity Act (2005) (section 1).

10 References

11 Appendices

11.1 Appendix A Definitions or explanation of terms used

Definitions
Term Definition
Data protection and security toolkit Formally known as the information governance (IG) toolkit, the tool is an online system which allows RDaSH to measure compliance against the listed relevant legislation and regulations within this policy
Information asset A body of information defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles
Project Shall mean any plan, process or proposal, which involves the use of information, data or technology. This shall also include any change that will amend the way in which the information, data or technology is handled
Personal identifiable information (PII) Personal data is information that relates to an identified or identifiable individual

Document control

  • Version: 2.1.
  • Unique reference number: 537.
  • Date approved: 30 January 2024.
  • Approved by: Corporate policy approval group.
  • Name of originator or author: Head of information governance or data protection officer.
  • Name of responsible individual: Director of informatics.
  • Date issued: 30 January 2024.
  • Review date: 31 January 2026.
  • Target audience: All colleagues

Page last reviewed: April 12, 2024
Next review due: April 12, 2025

Feedback

Report a problem