Information sharing between NHS Scotland boards and Police Scotland: consultation
Consultation on information sharing agreement and data protection impact assessment between NHS Scotland boards and Police Scotland in relation to forensic medical examinations.
Data Protection Impact Assessment Template
Information Governance Delivery Group
CMO Taskforce for Victims of Rape and Sexual Assault
Data Protection Impact Assessment (DPIA) Questionnaire for
Sharing Personal data between Health and other public agencies with regards to the provision of forensic medical and healthcare services provided to those individuals who have been victims of rape, sexual assault and sexual abuse.
V0.14
[Date: 31 July 2019]
Document Control Sheet

| Key Information | |
|---|---|
| Title | Sharing Personal data between Health and other public agencies with regards to the provision of forensic medical and healthcare services to people who have been victims of rape and sexual abuse. |
| Date Published/ Issued | |
| Date Effective From | |
| Version/ Issue Number | 0.14 |
| Document Type | Data Protection Impact Assessment |
| Document Status | DRAFT |
| Author | |
| Owner | |
| Approvers | |
| Contact | |
| File Name | |
Revision History

| Version | Date | Summary of Changes |
|---|---|---|
| 0.1 | 07/01/19 | Initial Working Document |
| 0.2 | 11/03/19 | Updated with consent and populated. |
| 0.3 | 19/03/19 | Consolidation of DPIA following meeting |
| 0.4 | 26/03/19 | Update to legal basis for research, included additional special category data. |
| 0.5 | 29/04/19 | Comments from EB, text updated with suggestions. Flow Diagram flattened. All flow descriptions composited. Additional Guidance document V0.1 |
| 0.6 | 02/05/19 | Replaced patient with service user. Renamed flow as decision tree |
| 0.7 | 15/05/19 | Replaced service user with individual. Updated decision tree with holders for child and adults with incapacity processes. Added additional decision trees for request. Added basic data flow diagrams. Added appendix with SOPs needed for the DPIA. Comments on legal basis and risk areas updated. |
| 0.8 | 28/05/19 | Old comments removed. Duplicate risk removed. BMA changed to GMC |
| 0.9 | 28/06/19 | Updated decision tree with adult and child clinical pathways. Expanded Information flows. Spelling corrections. All comments removed |
| 0.10 | 02/07/19 | Updated from feedback |
| 0.11 | 04/07/19 | Updated formatting: font set to Arial with minimum 12pt. Repagination as required. Non-functioning URLs removed; URLs removed from section 6 for clarity. Remaining functional URLs listed in full. |
| 0.12 | 11/07/19 | Updated GDPR legal bases for consistent wording with ISA |
| 0.13 | 23/07/19 | Updated from feedback from CLO and Solicitors |
| 0.14 | 30/07/19 | Updated following proof read for spelling and grammatical errors |
Approvals

| Version | Date | Name | Designation |
|---|---|---|---|
| | | | |
About the Data Protection Impact Assessment (DPIA)
The DPIA (also known as a privacy impact assessment or PIA) is a tool used to identify, assess and mitigate any actual or potential risks to privacy created by a proposed or existing process or project involving the use of personal data. It helps us to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow us to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. Failing to manage privacy risks appropriately can lead to enforcement action from the Information Commissioner’s Office (ICO), which can include substantial fines.
A DPIA is not a ‘tick-box’ exercise. Consultation may take a number of weeks to complete, so make sure that key stakeholders are engaged early, and that you have enough time prior to delivery to iron out any issues.
Carrying out a DPIA is an iterative process. Once complete, a review date within the next 3 years must be set. Should a specific change in purpose, substantial change in service or change in the law occur before the review date, the DPIA must be re-done.
The ICO code of practice on conducting privacy impact assessments is a useful source of advice.
The DPIA is just one specific aspect of risk management, and therefore feeds into the overall risk management processes and controls in our organisation.

Is a DPIA required?
If the process or project that you are planning has one or more of the aspects listed below then you must complete a DPIA at an early stage.

| | | YES/NO |
|---|---|---|
| 1. | The work involves carrying out a systematic and extensive evaluation of people’s personal details, using automated processing (including profiling). Decisions that have a significant effect on people will be made as a result of the processing. | No |
| 2. | The work involves carrying out large scale processing of any of the special categories of personal data, or of personal data relating to criminal convictions and offences. To decide whether processing is large scale you must consider: | No |
| 3. | The work involves carrying out large scale and systematic monitoring of a publicly accessible area. This includes processing used to observe, monitor or control people. | No |
| 4. | The work involves matching or combining datasets, e.g. joining together data from two or more data processing activities performed for different purposes and/or by different organisations in a way that people would not generally expect; joining together data to create a very large, new dataset. | No |
| 5. | The work involves processing personal data about vulnerable groups. This includes whenever there is a power imbalance between the people whose data are to be used (e.g. children, the mentally ill, the elderly, asylum seekers) and the organisation using their personal data. | Yes |
| 6. | The work involves significant innovation or use of a new technology. Examples could include combining use of fingerprint and face recognition for improved physical access control; new “Internet of Things” applications. | No |
| 7. | The work involves transferring personal data across borders outside the European Economic Area. | No |
| 8. | The work involves processing that will prevent people from exercising a right or using a service or a contract, e.g. processing in a public area that people passing by cannot avoid. | No |
Step One – Consultation Phase
Consult with all stakeholders about what you wish to do as early as possible in the process. Stakeholders will normally include:
- key service staff e.g. those who will be managing the process.
- technical support, especially if a new system is involved. This may involve the relevant IT supplier.
- information governance advisors e.g. Caldicott Guardian, Information Security Officer, Data Protection Officer.
Sometimes it will be necessary to consult with service users. This will be particularly relevant if the change in process will change how they interact with our NHS Board, or what information is collected and shared about them.
Early consultation will ensure that appropriate governance and security controls are built into the process as it is being designed and delivered, rather than being ‘bolted on’ shortly before the change is launched.
Step Two - DPIA drafting
The responsibility for drafting a DPIA will normally sit with the service area that ‘owns’ the change. However, all stakeholders will have an input. Depending on the nature and complexity of your proposal, more than one service area and/ or Information Asset Owner (IAO) may be the owner(s).
Step Three - Sign-off
[NHS Board may need to also add in here specific, local/ administrative details on how DPIAs should be carried out and recorded in their organisation e.g. links with the Information Asset Register, mailboxes to use etc]
When a DPIA has been fully completed, it must be submitted for formal review by an appropriate IG professional/ the Data Protection Officer. They will review the DPIA to ensure that all information risks are fully recognised and advise whether appropriate controls are in place. The Data Protection Officer will decide, where the DPIA shows a high degree of residual risk associated with the proposal, whether it is necessary to notify the ICO. It may be necessary to inform and/or involve the Board’s Senior Information Risk Owner (SIRO) as part of this risk assessment and decision-making.
Once reviewed, the DPIA will need to be signed off by the Information Asset Owner(s) (IAOs), normally a head of service.
1. What are you trying to do and why? - give (or attach separately) a high level summary description of the process, including its nature, scope, context, purpose and assets (e.g. hardware, software used, data flows). Explain the necessity and proportionality of the processing in relation to the purpose(s) you are trying to achieve.
Provide for the exchange of information between NHS Scotland, the Police Service of Scotland, Social Services (public agencies), for the purposes of provision of Healthcare and Forensic Medical Services for Victims of Rape, Sexual Assault and Sexual Abuse with a view to supporting their care and case management, including the collection, preservation and sharing of forensic evidence.
The exchange of information can be for the following purposes:
- support healthcare for those in the care of the Police
- support healthcare for those not reporting to the Police
- support the collection and sharing of forensic evidence
- support integrated care and case management
- support consistency in the sharing of information with the Police Service of Scotland and social work
- support community continuity of care
- support onward referral to appropriate services and agencies
- support the provision of services and the continuous improvement of services
- achievement of better outcomes for service users receiving care
- safety and wellbeing of service users who may be in need of care and protection (including children and young people)
- investigation, prevention and detection of crime
- preservation of personal and community safety
- assessment of need at individual and community level
- management and planning of services
- supporting the Taskforce vision of consistent, person centred, trauma informed care for all victims of rape, sexual assault and sexual abuse in Scotland
How processing sits with NHS Scotland.
The legal basis used to process personal and special category information for the day to day operation of NHS Scotland is given below. The “business as usual” model is out of scope of this DPIA, but is provided for information to give context for the provision of Healthcare and Forensic Medical Services for Victims of Rape and Sexual Assault.
Business as Usual Legal Bases
Information Flows
In each pathway the information flows covered by this DPIA are denoted by a circle containing a reference number, e.g. Information Flow 1 is denoted by a circled 1.
Adult Clinical Pathway
The adult clinical pathway is shown for information only. It gives context for where personal and special category information will be shared. It is these information flows that are the focus of this DPIA rather than the clinical pathway.
Child / Young Person Clinical Pathway
The child / young person clinical pathway is shown for information only, again to give context for where in the pathway personal and special category information will be shared. It is these information flows that are the focus of this DPIA rather than the clinical pathways.
NHS to a Competent Authority Disclosure Pathway
NHS to Other Agencies Disclosure Pathway
Information Flows

- F1 - Agency / Service user to NHS
- F2 - Service user to NHS
- F3 - NHS to the Chief Constable of the Police Service of Scotland
- F4 - NHS to competent authority
- F5 - NHS compliance with a court order
- F6 - NHS to competent authority
- F7 - NHS to other Agency
- F8 - NHS to other Agency
2. What personal data will be used?

| Categories of individuals | Categories of personal data | Any special categories of personal data | Sources of personal data |
|---|---|---|---|
| Service user | Health Record | Health | Provided by Service user |
| Service user | Specimens | Health | Provided by Service user |
| Service user | Description of events | Health | Provided by Service user |
| Service user | Forensic Images | Health | Provided by Service user |
| Service user | Demographic | Racial or ethnic origin | Provided by Service user |
| Third Party | Specimens | Health | Provided by Service user |
| Third Party | Description of events | Health | Provided by Service user |
3. What legal condition for using the personal data is being relied upon? [see Guidance Notes for the relevant legal conditions]

| Legal condition(s) for personal data | Legal conditions for any special categories of personal data [see Guidance Notes] |
|---|---|
| All Circumstances: Provision of health care, treatment and management of a health or social care system (NHS). General Data Protection Regulation Article 6(1)(e) | All Circumstances: Provision of health care, treatment and management of a health or social care system (NHS). General Data Protection Regulation Article 9(2)(h). Research and statistics: General Data Protection Regulation Article 9(2)(j), processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) |
| Advising the Police Service of Scotland when they are not aware | Advising the Police Service of Scotland when they are not aware. General Data Protection Regulation Article 9(2)(g). DPA Schedule 1 Part 2 (10): Preventing or detecting unlawful acts. |
| Compliance with a court order. General Data Protection Regulation Article 6(1)(c) | Compliance with a court order. General Data Protection Regulation Article 9(2)(g). DPA Schedule 1 Part 2 (6): Statutory etc. and government purposes. |
| Transfer of material, samples or information to a competent authority. General Data Protection Regulation Article 23(1). Data Protection Act 2018 Exemption Schedule 2 (2): Crime and taxation: general. | Transfer of material, samples or information to a competent authority. General Data Protection Regulation Article 23(1). Data Protection Act 2018 Exemption Schedule 2 (2): Crime and taxation: general. DPA Schedule 1 Part 2 (10): Preventing or detecting unlawful acts. |
| Transfer of information to other agencies. General Data Protection Regulation Article 6(1)(c) or | Transfer of information to other agencies. General Data Protection Regulation Article 9(2)(g). DPA Schedule 1 Part 2 (6): Statutory etc. and government purposes. DPA Schedule 1 Part 2 (10): Preventing or detecting unlawful acts. |
4. Describe how the personal data will be collected, used, transferred and if necessary kept up to date – may be attached separately.
The provision of healthcare is <NHS BOARD>’s public task as enabled under the National Health Service (Scotland) Act 1978 and is beyond the scope of this DPIA.
In certain circumstances it may be necessary to disclose limited information to the Police Service of Scotland or other agencies without the consent/knowledge of the service user. Guidance from the General Medical Council is available to assist with this type of disclosure.
Forensic medical information/samples will be collected with the cooperation of the data subject through a number of forensic medical examination procedures specific to the presentation of the service user.
Information/samples will be stored in accordance with <NHS BOARD>’s policies and procedures for forensic medical examinations, which are attached as Appendix I. These must be kept separate from the service user’s health record in accordance with Records Management: NHS Code of Practice (SCOTLAND).
5. What information is being provided to the people to whom the data relate to ensure that they are aware of this use of their personal data? – This is the ‘right to be informed’ (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/) and information such as privacy notices may be included as an attachment.
How the NHS handles your personal health information (https://www.nhsinform.scot/care-support-and-rights/health-rights/confidentiality-and-data-protection/how-the-nhs-handles-your-personal-health-information)
<NHS BOARD>’s Data Protection Notice.
A specific privacy notice for law enforcement regarding rape and sexual assault.
Other public information leaflets (see implementation guidance)
6. How will people’s individual rights in relation to the use of their personal data be addressed by this process? (Rights are not applicable to all types of processing, and expert advice on this may be necessary.)
<NHS BOARD> uses the following policies and procedures to ensure data subjects can exercise their rights.
Right of access:
See Appendix J
See Appendix K
Right to rectification:
See Appendix J
Right to object (where applicable):
See Appendix J
Right to restrict processing (where applicable):
See Appendix J
Right to data portability (where applicable):
Not applicable.
Right to erasure (where applicable):
Not applicable
Rights in relation to automated decision-making and profiling (where applicable):
Not applicable.
7. For how long will the personal data be kept? - refer to our Document Storage Retention and Disposal Policy for advice
<NHS BOARD> retains this information for ....... (see implementation guidance)
Who will have access to the personal data?
All Circumstances
<NHS BOARD> authorised personnel
Where the Police Service of Scotland are aware of the incident
The Police Service of Scotland’s personnel
COPFS personnel
Depending on the service user's choices
Social Services personnel
Third sector personnel
Where the service user is a child or young person
Social Services personnel
8. Will the personal data be routinely shared with any other service or organisation? – if yes, provide details of data sharing agreement(s) and any other relevant controls. Advice on data sharing requirements is in the Scottish Information Sharing Toolkit.
Yes, there is an Information Sharing Agreement (ISA) in place between <NHS BOARD> and the Police Service of Scotland.
9. Will the personal data be processed by a Processor e.g. an IT services provider? – [see Guidance Notes for the definition of Processor]. If yes, provide details of selection criteria, processing instructions and contract (may be attached separately).
Insert the details of any processors.
10. Describe what organisational controls will be in place to support the process and protect the personal data (seek the advice of your Information Security Officer as necessary.)
<NHS BOARD> has the following control measures in place.

| Type of Control – examples | Description |
|---|---|
| Information Governance, Security and related policies | (see implementation guidance) |
| Staff training | (see implementation guidance) |
| Adverse event reporting and management | (see implementation guidance) |
| Physical access and authorisation controls | (see implementation guidance) |
| Environmental controls | (see implementation guidance) |
| Information asset management including management of backups and asset disposal | (see implementation guidance) |
| Business continuity | (see implementation guidance) |
| Information Asset Register | All information assets used are documented in the information asset register |
| Management of third parties and partners | (see implementation guidance) |
| Standard Operating Procedures | (see implementation guidance) |
11. Describe what technical controls will be in place to support the process and protect the personal data (seek the advice of your Information Security Officer as necessary).

| Type of Control – examples | Description |
|---|---|
| System access levels and user authentication controls | (see implementation guidance) |
| System auditing functionality and procedures | (see implementation guidance) |
| Operating system controls such as vulnerability scanning and anti-virus software | (see implementation guidance) |
| Network security such as firewalls and penetration testing | (see implementation guidance) |
| Encryption of special category personal data | (see implementation guidance) |
| Cyber Essentials compliance (if applicable) | (see implementation guidance) |
| System Security Policy (SSP) and Standard Operating Procedures (SOPs) (if applicable/ when available) | (see implementation guidance) |
| Details of ISO27001/02 accreditation (if applicable) | (see implementation guidance) |
| Add others where applicable | (see implementation guidance) |
12. Will personal data be transferred to outside the European Economic Area (EEA) or to countries without a European Commission-designated adequate level of protection? – if yes, provide details of the safeguards that will be in place for the transfer(s).
No (see implementation guidance)
13. Describe who has been consulted in relation to this process – e.g. subject matter experts, service providers, service users.
Subject matter experts
Service providers
<Insert consultations when done>
14. In light of what is proposed, indicate what level of risk has been identified in relation to the following data protection principles:

| Principle | Low/ Green | Medium/ Amber | High/ Red |
|---|---|---|---|
| Personal data is processed in a fair, lawful and transparent manner | No Forensic Examination | Forensic Examination; Forensic Examination – Third Party | |
| Personal data is collected for specific, explicit and legitimate purposes | No Forensic Examination | Forensic Examination | |
| Personal data is adequate, relevant and limited to what is necessary | No Forensic Examination | Forensic Examination | |
| Personal data is accurate, and kept up to date | No Forensic Examination | Forensic Examination | |
| Personal data is kept no longer than necessary | No Forensic Examination | Forensic Examination | |
| Personal data is processed in a manner that ensures adequate security | No Forensic Examination | Forensic Examination | |

Note: Third party refers to any other person’s information that may be captured by a forensic examination, e.g. the partner(s) of the service user, the alleged perpetrator of a crime or any other person who may have come into contact with the service user.
15. Risks and actions identified [see Guidance Notes for more information]. List all that you have identified and ensure that these integrate properly with our NHS Board’s risk management process:

| Description | Likelihood | Consequence | Overall Risk rating (LxC) | Mitigation/ Actions | Residual Risk | Risk Owner | Date |
|---|---|---|---|---|---|---|---|
| Loss of confidentiality of personal data protected by professional secrecy (permanent loss of forensic medical information: deletion, non-recording, IT disaster) | Likely | Major | HR | <NHS BOARD> IT policies and procedures. Staff training. Documented forensic examination procedures. | Unlikely x Major = MR | NHS SIRO | |
| Inadmissibility of forensic examination information as evidence | Likely | Major | HR | <NHS BOARD> documented forensic examination procedures. Staff training. Documented storage and transfer procedures. | Unlikely x Major = MR | NHS SIRO | |
| Transmission of data: accidental disclosure via incorrect communications route | Likely | Major | HR | All <NHS BOARD> staff are trained in IG. All <NHS BOARD> staff are trained on the disclosure procedures. Standard operating procedures with agreed communication methods and routes are in place. | Unlikely x Major = MR | NHS SIRO | |
| Inability to exercise rights (Service user) | Likely | Major | HR | See section 6 | Unlikely x Major = MR | NHS SIRO | |
| Prevented from exercising control over their personal data (Third Party) | Almost Certain | Major | HR | Strict protocols mean that the NHS will never try to identify an individual. It would be a reasonable expectation of the public that this information would be disclosed. On balance the rights of the service user and the benefit to society of disclosure outweigh the rights of third parties. | Unlikely x Major = MR | NHS SIRO | |
| Discrimination | Likely | Major | HR | NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure. | Unlikely x Major = MR | NHS SIRO, CG | |
| Reputational damage (Service user & Third Party) | Likely | Major | HR | NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure. | Unlikely x Major = MR | NHS SIRO | |
| Identity theft or fraud | Unlikely | Major | MR | NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure. | Remote x Major = MR | NHS | |
| Financial loss | Unlikely | Major | MR | NHS: Strict protocols are in place for the handling of health data to minimise the risk of inappropriate disclosure. | Remote x Major = MR | NHS | |
| Unauthorised reversal of pseudonymisation | Remote | Negligible | VLR | Pseudonymisation has not been specified | Remote x Negligible = VLR | NHS | |

Rating key: HR = High Risk, MR = Medium Risk, VLR = Very Low Risk.

Risks that are associated with the general provision of Health and Social care and their related processes and systems by <NHS BOARD> are omitted as they are covered by other DPIA/PIA/Risk assessments.
16. Review and Sign-Off

| Role | Advice/ Action/ Sign-Off | Date |
|---|---|---|
| IG/ Data Protection (DPO) Advice | | |
| Information Security Officer Advice (questions 11 and 12) | | |
| Others, if necessary e.g. Caldicott Guardian, Senior Information Risk Owner (SIRO) | | |
| DPO opinion on whether residual risks need prior notification to the ICO | | |
| Information Asset Owner(s) (IAO(s)) Sign Off | | |
17. Recommended Review Date:___________________________________
Appendices
Appendix A: Standard Operating Procedure A – Transfer of information from an Agency / Service user to NHS.
Appendix B: Standard Operating Procedure B – Transfer of information from Service user and <NHS BOARD>
Appendix C: Standard Operating Procedure C – Transfer of information from <NHS BOARD> to the Police Service of Scotland
Appendix D: Standard Operating Procedure D – Transfer of information from <NHS BOARD> to a competent authority
Appendix E: Standard Operating Procedure E – Transfer of information from <NHS BOARD> by court order
Appendix F: Standard Operating Procedure F – Transfer of information from <NHS BOARD> to a competent authority
Appendix G: Standard Operating Procedure G – Transfer of information from <NHS BOARD> to another agency
Appendix H: Standard Operating Procedure H – Transfer of information from <NHS BOARD> to another agency
Appendix I: Standard Operating Procedure I – Forensic Medical Examination procedures
Appendix J: The <NHS BOARD>’s Data Protection Policy
Appendix K: The <NHS BOARD>’s Subject Access Procedure