Information sharing between NHS Scotland boards and Police Scotland: consultation

Consultation on information sharing agreement and data protection impact assessment between NHS Scotland boards and Police Scotland in relation to forensic medical examinations.


Data Protection Impact Assessment Template

Information Governance Delivery Group
CMO Taskforce for Victims of Rape and Sexual Assault

Data Protection Impact Assessment (DPIA) Questionnaire for

Sharing Personal data between Health and other public agencies with regards to the provision of forensic medical and healthcare services provided to those individuals who have been victims of rape, sexual assault and sexual abuse.

V0.14 

[Date: 31 July 2019]

Document Control Sheet

Key Information

Title: Sharing Personal data between Health and other public agencies with regards to the provision of forensic medical and healthcare services to people who have been victims of rape and sexual abuse.

Date Published/Issued: 

Date Effective From: 

Version/Issue Number: 0.14

Document Type: Data Protection Impact Assessment

Document Status: DRAFT

Author: 

Owner: 

Approvers: 

Contact: 

File Name: 

Revision History

Version | Date | Summary of Changes

0.1 | 07/01/19 | Initial Working Document

0.2 | 11/03/19 | Updated with consent and populated.

0.3 | 19/03/19 | Consolidation of DPIA following meeting

0.4 | 26/03/19 | Update to legal basis for research, included additional special category data.

0.5 | 29/04/19 | Comments from EB, text updated with suggestions. Flow Diagram flattened. All flow descriptions composited. Additional Guidance document V0.1

0.6 | 02/05/19 | Replaced patient with service user. Renamed flow as decision tree

0.7 | 15/05/19 | Replaced service user with individual. Updated decision tree with holders for child and adults with incapacity processes. Added additional decision trees for request. Added basic data flow diagrams. Added appendix with SOPs needed for the DPIA. Comments on legal basis and risk areas updated.

0.8 | 28/05/19 | Old comments removed. Duplicate risk removed. BMA changed to GMC

0.9 | 28/06/19 | Updated decision tree with adult and child clinical pathways. Expanded Information flows. Spelling corrections. All comments removed

0.10 | 02/07/19 | Updated from feedback

0.11 | 04/07/19 | Updated formatting: font set to Arial with minimum 12pt. Repagination as required. Non-functioning URLs removed; removal of URLs from section 6 for clarity. Remaining functional URLs listed in full.

0.12 | 11/07/19 | Updated GDPR legal bases for consistent wording with ISA

0.13 | 23/07/19 | Updated from feedback from CLO and Solicitors

0.14 | 30/07/19 | Updated following proof read for spelling and grammatical errors

Approvals

Version | Date | Name | Designation

(No approvals recorded in this draft.)

About the Data Protection Impact Assessment (DPIA)

The DPIA (also known as privacy impact assessment or PIA) is a tool, which is used to identify, assess and mitigate any actual or potential risks to privacy created by a proposed or existing process or project involving the use of personal data.  It helps us to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow us to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. Failing to manage privacy risks appropriately can lead to enforcement action from the Information Commissioner’s Office (ICO), which can include substantial fines.

A DPIA is not a ‘tick-box’ exercise.  Consultation may take a number of weeks to complete, so make sure that key stakeholders are engaged early, and that you have enough time prior to delivery to iron out any issues.

Carrying out a DPIA is an iterative process.  Once complete, a review date within the next 3 years must be set.  Should a specific change in purpose, substantial change in service or change in the law occur before the review date, the DPIA must be re-done.

The ICO code of practice on conducting privacy impact assessments is a useful source of advice.

The DPIA is just one specific aspect of risk management, and therefore feeds into the overall risk management processes and controls in our organisation.

Is a DPIA required?

If the process or project that you are planning has one or more of the aspects listed below then you must complete a DPIA at an early stage.

The answer (YES/NO) for this DPIA is given after each question.

1. The work involves carrying out a systematic and extensive evaluation of people’s personal details, using automated processing (including profiling). Decisions that have a significant effect on people will be made as a result of the processing.
Includes:
  • profiling and predicting, especially when using aspects about people’s work performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
  • processing with effects on people such as exclusion or discrimination
Excludes:
  • processing with little or no effect on people

Answer: No

2. The work involves carrying out large scale processing of any of the special categories of personal data, or of personal data relating to criminal convictions and offences.
Includes:

  • racial or ethnic origin data
  • political opinions data
  • religious or philosophical beliefs data
  • trade union membership data
  • genetic data
  • biometric data for the purpose of uniquely identifying a person
  • health data
  • sex life or sexual orientation data
  • data which may generally be regarded as increasing risks to people’s rights and freedoms e.g. location data, financial data
  • data processed for purely personal or household matters whose use for any other purposes could be regarded as very intrusive

To decide whether processing is large scale you must consider:

  • the number of people affected by the processing, either as a specific number or as a proportion of the relevant population
  • the volume of data and/or the range of different data items being processed
  • the duration or permanence of the processing
  • the geographical extent of the processing activity

Answer: No

3. The work involves carrying out large scale and systematic monitoring of a publicly accessible area. Includes processing used to observe, monitor or control people.

Answer: No

4. The work involves matching or combining datasets e.g. joining together data from two or more data processing activities performed for different purposes and/or by different organisations in a way that people would not generally expect; joining together data to create a very large, new dataset.

Answer: No

5. The work involves processing personal data about vulnerable groups. This includes whenever there is a power imbalance between the people whose data are to be used (e.g. children, the mentally ill, the elderly, asylum seekers) and the organisation using their personal data.

Answer: Yes

6. The work involves significant innovation or use of a new technology. Examples could include combining use of fingerprint and face recognition for improved physical access control; new “Internet of Things” applications.

Answer: No

7. The work involves transferring personal data across borders outside the European Economic Area.

Answer: No

8. The work involves processing that will prevent people from exercising a right or using a service or a contract e.g. processing in a public area that people passing by cannot avoid.

Answer: No

Step One – Consultation Phase

Consult with all stakeholders about what you wish to do as early as possible in the process. Stakeholders will normally include:

  • key service staff e.g. those who will be managing the process.
  • technical support, especially if a new system is involved.  This may involve the relevant IT supplier.
  • information governance advisors e.g. Caldicott Guardian, Information Security Officer, Data Protection Officer.

Sometimes it will be necessary to consult with service users.  This will be particularly relevant if the change in process will change how they interact with our NHS Board, or what information is collected and shared about them.

Early consultation will ensure that appropriate governance and security controls are built into the process as it is being designed and delivered, rather than being ‘bolted on’ shortly before the change is launched.

Step Two - DPIA drafting

The responsibility for drafting a DPIA will normally sit with the service area that ‘owns’ the change. However, all stakeholders will have an input. Depending on the nature and complexity of your proposal, more than one service area and/ or Information Asset Owner (IAO) may be the owner(s).

Step Three - Sign-off

[NHS Board may need to also add in here specific, local/ administrative details on how DPIAs should be carried out and recorded in their organisation e.g. links with the Information Asset Register, mailboxes to use etc]

When a DPIA has been fully completed, it must be submitted for formal review by an appropriate IG professional/ the Data Protection Officer.  They will review the DPIA to ensure that all information risks are fully recognised and advise whether appropriate controls are in place.  The Data Protection Officer will decide, where the DPIA shows a high degree of residual risk associated with the proposal, whether it is necessary to notify the ICO.  It may be necessary to inform and/or involve the Board’s Senior Information Risk Owner (SIRO) as part of this risk assessment and decision-making.

Once reviewed, the DPIA will need to be signed off by the Information Asset Owner(s) (IAOs), normally a head of service.

1. What are you trying to do and why? - give (or attach separately) a high level summary description of the process, including its nature, scope, context, purpose and assets (e.g. hardware, software used, data flows). Explain the necessity and proportionality of the processing in relation to the purpose(s) you are trying to achieve.

Provide for the exchange of information between NHS Scotland, the Police Service of Scotland, Social Services (public agencies), for the purposes of provision of Healthcare and Forensic Medical Services for Victims of Rape, Sexual Assault and Sexual Abuse with a view to supporting their care and case management, including the collection, preservation and sharing of forensic evidence.

The exchange of information can be for the following purposes:

  • support healthcare for those in the care of the Police
  • support healthcare for those not reporting to the Police
  • support the collection and sharing of forensic evidence
  • support integrated care and case management
  • support consistency in the sharing of information with the Police Service of Scotland and social work
  • support community continuity of care
  • support onward referral to appropriate services and agencies
  • support the provision of services and the continuous improvement of services
  • achievement of better outcomes for service users receiving care
  • safety and wellbeing of service users who may be in need of care and protection (including children and young people)
  • investigation, prevention and detection of crime
  • preservation of personal and community safety
  • assessment of need at individual and community level
  • management and planning of services
  • supporting the Taskforce vision of consistent, person centred, trauma informed care for all victims of rape, sexual assault and sexual abuse in Scotland

How processing sits with NHS Scotland.

The legal basis used to process personal and special category information for the day to day operation of NHS Scotland is given below. The “business as usual” model is out of scope of this DPIA, but is provided for information to give context for the provision of Healthcare and Forensic Medical Services for Victims of Rape and Sexual Assault.

Business as Usual Legal Bases

Information Flows

In each pathway the information flows covered by this DPIA are denoted by a circle with a reference number, e.g. Information Flow 1 is denoted by a circle containing the number 1 [symbol image not reproduced here].

Adult Clinical Pathway

The adult clinical pathway is shown for information only. It gives context for where personal and special category information will be shared. It is these information flows that are the focus of this DPIA rather than the clinical pathway.

Information Flow Chart

Child / Young Person Clinical Pathway

The child / young person clinical pathway is shown for information only. Again, it gives context for where in the pathway personal and special category information will be shared. It is these information flows that are the focus of this DPIA rather than the clinical pathways.

Information Flow Chart

NHS to a Competent Authority Disclosure Pathway

Information Flow Chart

NHS to Other Agencies Disclosure Pathway

Information Flow Chart

Information Flows

F1 - Agency / Service user to NHS

F2 - Service user to NHS

Information Flow Chart

F3 - NHS to the Chief Constable of the Police Service of Scotland

Information Flow Chart

F4 - NHS to competent authority

Information Flow Chart

F5 - NHS compliance with a court order

Information Flow Chart

F6 - NHS to competent authority

Information Flow Chart

F7 - NHS to other Agency

Information Flow Chart

F8 - NHS to other Agency

Information Flow Chart

2. What personal data will be used?

Categories of individuals | Categories of personal data | Any special categories of personal data [see Guidance Notes for definition] | Sources of personal data

Service user | Health Record | Health; Sexual life; Sexual orientation | Provided by Service user, NHS

Service user | Specimens | Health; Criminal; Genetic | Provided by Service user

Service user | Description of events | Health; Sexual life; Criminal | Provided by Service user, Police Service of Scotland, NHS

Service user | Forensic Images | Health; Sexual life; Criminal | Provided by Service user, Police Service of Scotland, NHS

Service user | Demographic | Racial or ethnic origin; Religious or philosophical beliefs | Provided by Service user, Police Service of Scotland, NHS

Third Party | Specimens | Health; Criminal; Genetic | Provided by Service user

Third Party | Description of events | Health; Criminal | Provided by Service user, Police Service of Scotland, NHS

3. What legal condition for using the personal data is being relied upon? [see Guidance Notes for the relevant legal conditions]

For each circumstance, the legal condition(s) for personal data and the legal conditions for any special categories of personal data are listed [see Guidance Notes].

All Circumstances: Provision of health care, treatment and management of a health or social care system (NHS)
  Personal data: General Data Protection Regulation Article 6(1)(e)
  Special categories: General Data Protection Regulation Article 9(2)(h); and, where processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1), General Data Protection Regulation Article 9(2)(j)

Advising the Police Service of Scotland when they are not aware
  Personal data: General Data Protection Regulation Article 6(1)(e)
  Special categories: General Data Protection Regulation Article 9(2)(g), with DPA Schedule 1 Part 2 (10) Preventing or detecting unlawful acts

Compliance with a court order
  Personal data: General Data Protection Regulation Article 6(1)(c)
  Special categories: General Data Protection Regulation Article 9(2)(g), with DPA Schedule 1 Part 2 (6) Statutory etc. and government purposes

Transfer of material, samples or information to a competent authority
  Personal data: General Data Protection Regulation Article 23(1), with Data Protection Act 2018 Exemption Schedule 2 (2) Crime and taxation: general; or General Data Protection Regulation Article 6(1)(e)
  Special categories: General Data Protection Regulation Article 23(1), with Data Protection Act 2018 Exemption Schedule 2 (2) Crime and taxation: general; or General Data Protection Regulation Article 9(2)(g), with DPA Schedule 1 Part 2 (10) Preventing or detecting unlawful acts

Transfer of information to other agencies
  Personal data: General Data Protection Regulation Article 6(1)(c); or General Data Protection Regulation Article 6(1)(e)
  Special categories: General Data Protection Regulation Article 9(2)(g), with DPA Schedule 1 Part 2 (6) Statutory etc. and government purposes; or General Data Protection Regulation Article 9(2)(g), with DPA Schedule 1 Part 2 (10) Preventing or detecting unlawful acts

4. Describe how the personal data will be collected, used, transferred and if necessary kept up to date – may be attached separately. 

The provision of healthcare is <NHS BOARD>’s public task as enabled under the National Health Service (Scotland) Act 1978 and is beyond the scope of this DPIA.

In certain circumstances it may be necessary to disclose limited information to the Police Service of Scotland or other agencies without the consent/knowledge of the service user. Guidance from the General Medical Council is available to assist with this type of disclosure.

Forensic medical information/samples will be collected with the cooperation of the data subject through a number of forensic medical examination procedures specific to the presentation of the service user.

Information/samples will be stored in accordance with <NHS BOARD>’s policies and procedures for forensic medical examinations which are attached as appendix I. These must be separate from the service user’s health record in accordance with Records Management: NHS Code of Practice (SCOTLAND).

5. What information is being provided to the people to whom the data relate to ensure that they are aware of this use of their personal data? – This is the ‘right to be informed’ (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/) and information such as privacy notices may be included as an attachment.

How the NHS handles your personal health information (https://www.nhsinform.scot/care-support-and-rights/health-rights/confidentiality-and-data-protection/how-the-nhs-handles-your-personal-health-information)

<NHS BOARD>’s Data Protection Notice.
A specific privacy notice for law enforcement regarding rape and sexual assault.
Other public information leaflets (see implementation guidance)

6. How will people’s individual rights in relation to the use of their personal data be addressed by this process? (Rights are not applicable to all types of processing, and expert advice on this may be necessary.)

<NHS BOARD> uses the following policies and procedures to ensure data subjects can exercise their rights.

Right of access:
See Appendix J
See Appendix K

Right to rectification:
See Appendix J

Right to object (where applicable):
See Appendix J 

Right to restrict processing (where applicable):
See Appendix J

Right to data portability (where applicable):
Not applicable.

Right to erasure (where applicable):
Not applicable

Rights in relation to automated decision-making and profiling (where applicable):
Not applicable.

7. For how long will the personal data be kept? - refer to our Document Storage Retention and Disposal Policy for advice

<NHS BOARD> retains this information for ....... (see implementation guidance)

Who will have access to the personal data?

All Circumstances: <NHS BOARD> authorised personnel

Where the Police Service of Scotland are aware of the incident: The Police Service of Scotland’s personnel; COPFS personnel

Depending on the service user’s choices: Social Services personnel; Third sector personnel

Where the service user is a child or young person: Social Services personnel

8. Will the personal data be routinely shared with any other service or organisation? – if yes, provide details of data sharing agreement(s) and any other relevant controls.  Advice on data sharing requirements is in the Scottish Information Sharing Toolkit.  

Yes, there is an Information Sharing Agreement (ISA) in place between <NHS BOARD> and the Police Service of Scotland.

9. Will the personal data be processed by a Processor e.g. an IT services provider? – [see Guidance Notes for the definition of Processor]. If yes, provide details of selection criteria, processing instructions and contract (may be attached separately).

Insert the details of any processors.

10. Describe what organisational controls will be in place to support the process and protect the personal data (seek the advice of your Information Security Officer as necessary).

<NHS BOARD> has the following control measures in place.

Type of Control – examples 

Description 

Information Governance, Security and related policies

(see implementation guidance)

Staff training 

(see implementation guidance)

Adverse event reporting and management 

(see implementation guidance)

Physical access and authorisation controls 

(see implementation guidance)

Environmental controls 

(see implementation guidance)

Information asset management including management of backups and asset disposal 

(see implementation guidance)

Business continuity 

(see implementation guidance)

Information Asset Register

All information assets used are documented in the information asset register

Management of third parties and partners

(see implementation guidance)

Standard Operating Procedures

(see implementation guidance)

11. Describe what technical controls will be in place to support the process and protect the personal data (seek the advice of your Information Security Officer as necessary).

Type of Control – examples

Description

System access levels and user authentication controls

(see implementation guidance)

System auditing functionality and procedures

(see implementation guidance)

Operating system controls such as vulnerability scanning and anti-virus software

(see implementation guidance)

Network security such as firewalls and penetration testing

(see implementation guidance)

Encryption of special category personal data

(see implementation guidance)

Cyber Essentials compliance (if applicable)

(see implementation guidance)

System Security Policy (SSP) and Standard Operating Procedures (SOPs) (if applicable/ when available)

(see implementation guidance)

Details of ISO27001/02 accreditation (if applicable) 

(see implementation guidance)

Add others where applicable 

(see implementation guidance)

12. Will personal data be transferred to outside the European Economic Area (EEA) or to countries without a European Commission-designated adequate level of protection? – if yes, provide details of the safeguards that will be in place for the transfer(s).

No (see implementation guidance)

13. Describe who has been consulted in relation to this process – e.g. subject matter experts, service providers, service users. 

Subject matter experts

Service providers

<Insert consultations when done>

14. In light of what is proposed, indicate what level of risk has been identified in relation to the following data protection principles:

Principle | Low/ Green | Medium/ Amber | High/ Red

Personal data is processed in a fair, lawful and transparent manner | No Forensic Examination | Forensic Examination | Forensic Examination – Third Party

Personal data is collected for specific, explicit and legitimate purposes | No Forensic Examination | Forensic Examination | (none)

Personal data is adequate, relevant and limited to what is necessary | No Forensic Examination | Forensic Examination | (none)

Personal data is accurate, and kept up to date | No Forensic Examination | Forensic Examination | (none)

Personal data is kept no longer than necessary | No Forensic Examination | Forensic Examination | (none)

Personal data is processed in a manner that ensures adequate security | No Forensic Examination | Forensic Examination | (none)

Note: Third party refers to any other person’s information that may be captured by a forensic examination. E.g. The partner(s) of the service user, the alleged perpetrator of a crime or any other person who may have come into contact with the service user.

15. Risks and actions identified [see Guidance Notes for more information].  List all that you have identified and ensure that these integrate properly with our NHS Board’s risk management process:

Columns: Description | Likelihood | Consequence | Overall Risk rating (LxC) | Mitigation/ Actions | Residual Risk | Risk Owner | Date (the Date column is not populated in this draft). Rating key as used in NHS Scotland risk matrices: HR = High Risk, MR = Medium Risk, VLR = Very Low Risk.

Risk 1 – Loss of confidentiality of personal data protected by professional secrecy (permanent loss of Forensic Medical Information: deletion, non-recording, IT disaster)
  Likelihood: Likely
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: <NHS BOARD> IT policies and procedures. Staff training. Documented forensic examination procedures.
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 2 – Inadmissibility of Forensic examination information as evidence
  Likelihood: Likely
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: <NHS BOARD> documented forensic examination procedures. Staff training. Documented storage and transfer procedures.
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 3 – Transmission of data: accidental disclosure via incorrect communications route
  Likelihood: Likely
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: All <NHS BOARD> staff are trained in IG. All <NHS BOARD> staff are trained on the disclosure procedures. Standard operating procedures with agreed communication methods and routes are in place.
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 4 – Inability to exercise rights (Service user)
  Likelihood: Likely
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: See section 6
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 5 – Prevented from exercising control over their personal data (Third Party)
  Likelihood: Almost Certain
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: Strict protocols mean that NHS will never try to identify an individual. It would be a reasonable expectation of the public that this information would be disclosed. On balance the rights of the service user and the benefit to society of disclosure outweigh the rights of third parties.
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 6 – Discrimination
  Likelihood: Likely
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure.
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 7 – Reputational damage (Service user & Third Party)
  Likelihood: Likely
  Consequence: Major
  Overall Risk rating (LxC): HR
  Mitigation/ Actions: NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure.
  Residual Risk: Unlikely x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 8 – Identity theft or fraud
  Likelihood: Unlikely
  Consequence: Major
  Overall Risk rating (LxC): MR
  Mitigation/ Actions: NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure.
  Residual Risk: Remote x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 9 – Financial loss
  Likelihood: Unlikely
  Consequence: Major
  Overall Risk rating (LxC): MR
  Mitigation/ Actions: NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure.
  Residual Risk: Remote x Major = MR
  Risk Owner: NHS SIRO, CG

Risk 10 – Unauthorised reversal of pseudonymisation
  Likelihood: Remote
  Consequence: Negligible
  Overall Risk rating (LxC): VLR
  Mitigation/ Actions: Pseudonymisation has not been specified.
  Residual Risk: Remote x Negligible = VLR
  Risk Owner: NHS SIRO, CG

Risks that are associated with the general provision of Health and Social care and their related processes and systems by NHS BOARD are omitted as they are covered by other DPIA/PIA/Risk assessments.  

16. Review and Sign-Off 

Role 

Advice/ Action/ Sign-Off 

Date

IG/ Data Protection (DPO) Advice 

Information Security Officer Advice (questions 11 and 12)

Others, if necessary e.g. Caldicott Guardian, Senior Information Risk Owner (SIRO)

DPO opinion on whether residual risks need prior notification to the ICO 

Information Asset Owner(s) (IAO(s))  Sign Off 

17. Recommended Review Date:___________________________________

Appendices

Appendix A: Standard Operating Procedure A – Transfer of information from an Agency / Service user to NHS.

Appendix B: Standard Operating Procedure B – Transfer of information from Service user to <NHS BOARD>

Appendix C: Standard Operating Procedure C – Transfer of information from <NHS BOARD> to the Police Service of Scotland

Appendix D: Standard Operating Procedure D – Transfer of information from <NHS BOARD> to a competent authority

Appendix E: Standard Operating Procedure E – Transfer of information from <NHS BOARD> by court order

Appendix F: Standard Operating Procedure F – Transfer of information from <NHS BOARD> to a competent authority

Appendix G: Standard Operating Procedure G – Transfer of information from <NHS BOARD> to another agency 

Appendix H: Standard Operating Procedure H – Transfer of information from <NHS BOARD> to another agency 

Appendix I: Standard Operating Procedure I – Forensic Medical Examination procedures

Appendix J: The <NHS BOARD>’s Data Protection Policy

Appendix K: The <NHS BOARD>’s Subject Access Procedure

Contact

Email: CMOTaskforce.secretariat@gov.scot