5. Questions to identify privacy issues
5.1 Involvement of multiple organisations
External Partners – Allow individuals to join the ODR
GP Surgeries / NHS Digital
Scottish Organ Donation Website
External partners – Subcontractors
APS Group (GI Solutions) – Mailing Service, providing confirmation letters to registrants
Teleperformance – Organ Donor Helpline, checking and amending registrations, providing advice on Organ Donation to callers
NHS National Services Scotland – Scottish CH1 number batch tracing service
Automated Document Solutions – Manual input of paper registration forms
Northgate – IT development and maintenance contract for the bespoke ODR system
5.2 Anonymity and pseudonymity
The information held on the register is not anonymous. It is, however, only accessible to the appropriate authorised individuals.
No personal data is gathered as a by-product of the ODR.
5.4 Identification methods
Unique identifiers are collected as part of an ODR registration. See section 3.2.
5.5 Sensitive/Special Category personal data
Special category data is sometimes collected as part of an ODR registration (e.g. where the person provides their ethnic origin or religion). See section 3.2.
5.6 Changes to data handling procedures
Paper ODR Registration Forms
Sent directly to the ODR Team via pre-marked envelope (in most cases)
Stored in lockable cabinets
When mailed in bulk, sent via courier service.
Retained for one week after processing and then destroyed via NHSBT confidential waste procedures. An exception applies for a sample of forms used for sample checking purposes. These will be retained for up to four weeks before being destroyed.
Sent via sFTP using XML files. Mailing files sent to GI Solutions are sent in CSV format. Occasionally sent via secure e-mail (business continuity when sFTP unavailable).
Records are stored on the Microsoft Azure Cloud (NHSBT subscription)
Read-only and write access processes are in place and limited to a need-to-know basis
Role-based access catering for multiple different user groups.
5.7 Statutory exemptions/protection
5.9 Other risks
Currently, the test environment is a copy of the live environment. Future ambitions are to continue to utilise real data but to 'scramble' and anonymise the personally identifiable information within the test environments.