Human Tissue (Authorisation) (Scotland) Bill: DPIA

3. Description of the project

3.1 Description of the work:

The Bill will make provision for Scottish Ministers to establish and maintain a register enabling Scottish Ministers to secure effective performance of functions under section 1 of the 2006 Act ^[1] . In practice the Bill will introduce a statutory underpinning for the current arrangements between NHS Blood and Transplant who operate the NHS Organ Donor Register for the UK and the Scottish Government. The intention is that NHSBT would continue to maintain the Organ Donor Register on behalf of Scottish Ministers to ensure that organ and tissue donation continues to operate across the UK. NHSBT is a Special Health Authority for England and Wales responsible for managing the English Blood Service and Organ Donation services across the UK.

The Bill will provide a statutory basis in Scotland for declarations to be made to opt out of organ and tissue donation. This will mean that a person can opt out of organ and tissue donation by recording a decision on the Organ Donor Register. The organ donor register is a database holding personal information provided by individuals wishing to opt in to organ or tissue donation for transplantation after their death or opt out of such donation.

The provisions described above will not change the way the Organ Donor Register operates. The purpose of this Privacy Impact Assessment is to give assurance that the system is compliant with the principles of the Data Protection Act and General Data Protection Regulations.

Personal data to be processed.

The Data will continue to be processed by NHS Blood and Transplant. People will continue to be able to register their authorisation to opt in or opt out of organ and tissue donation for transplantation in the same way as presently as follows:

• Organ donor registration websites (both the NHSBT's own website and the Organ Donation Scotland website managed by the Scottish Government)
• Registration phone line
• Paper based forms (opt in only)
• Driver and Vehicle Licensing Agency (opt in only)
• GP registration forms (opt in only)
• Boots advantage card (opt in only)

The data collected is:

• NHS/ CHI number

Mandatory Personal data collected is:

• Full name
• Address
• Postcode
• Gender – A person can also select 'Prefer not to say'
• Date of Birth
• Donation decision and choices

Additional non mandatory information which may be collected, depending on registration method used is

• Telephone number
• Mobile number
• E-mail address
• Preferred form of contact
• Ethnic classification
• Religion
• Source of registration
• Marketing campaign id
• Consent flag for data protection
• Death status – checks are used to ensure the register is up to date and remove those who are deceased
• Date of death

The following personnel have access to the register:

• ODR call centre staff for the purposes of adding information given by an individual over the telephone or to confirm details held.
• Sub-contractors of NHSBT who handle paper registrations and enter the data onto the ODR
• National Transplant Liaison Co-ordinators of NHSBT who access the system on behalf of Specialist Nurses for Organ Donation
• Specialist Nurses for Organ Donation at the appropriate time of end of life care
• Tissue nurses to facilitate tissue transplantation
• The ODR Team to process registrations and improve the quality and accuracy of data held on the ODR
• NHSBT Statistics for analysis and reporting purposes

An Access Control Procedure is in place to ensure all personal who have access to the register are appropriately trained, and have the appropriate access level.

All data is encrypted and backed up by NHSBT or by subcontractors responsible for hosting the data.

NHSBT owns the data; The Information Asset Owner is Alex Hudson, Head of the NHS Organ Donor Register.

Electronic records are sent via secure file transfer protocol ( sFTP) using XML files. Mailing files are sent to GI Solutions in CSV format.

3.2 Explain the legal basis for the sharing with internal or external partners:

The following basis applies to the processing of the mandatory personal data included on the ODR:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
If the Human Tissue (Authorisation) (Scotland) Bill is approved by the Scottish Parliament, once the relevant provisions are commenced, the following basis will instead be relied upon:
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations) and/or
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The following basis applies to the processing and sharing of special category data:

Article 9(2)(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.

The Human Tissue (Scotland) Act 2006, the Human Tissue Act 2004 and the Human Transplantation (Wales) Act 2013 require those carrying out donation and transplant activities to satisfy themselves that the donation and transplantation of organs and tissue can proceed within the requirements of the law. This means satisfying themselves that the appropriate authorisation for donation and transplantation is in place and involves access to information on the Organ Donor Register as to whether a person had recorded an authorisation to donate or not to donate for the purpose of transplantation.
The law also provides that in certain circumstances a nearest relative (nearest relative is defined in s. 50 of the 2006 Act) can authorise donation. For this to happen the Specialist Nurse for Organ Donation or Tissue Donor Coordinator has to provide information to the effect that a person has registered a decision or not on the organ donor register. In cases where a person has authorised donation on the ODR their nearest relatives also needs to be advised so that the donation process can be explained to them and they can assist in providing necessary background information about the potential donor to assist with the process.