Data Protection Impact Assessment (DPIA)

Under the GDPR it is the responsibility of our Trust not just to comply with the law, but to be able to actively demonstrate that compliance. One of the key ways of demonstrating compliance with Data Protection by Design is the use of DPIAs.

What is a DPIA?

A DPIA is a screening tool designed to help organisations systematically analyse, identify and minimise the data protection risks of a project or plan. It allows issues to be recognised as early as possible and addressed appropriately, which in turn shows that data protection has been considered throughout the development of any new activity or change to an existing one.

The list below shows the DPIAs which have been undertaken and approved by the Trust:

The Trust uses a Health Education England (HEE) provided tool to facilitate and support the transfer of information into the Trust Electronic Staff Record (ESR) system.

This will assist the Trust to maximise placement capacity and ensure the quality of the learning environment.

Recommendation and Conclusion

This approach is supported by the ESR National Team. The tool is installed locally and the supplier has no access to the data, so the risks are minimal.

System added to the Trust Asset Management Register.

Electronic system to replace paper checklists used to log resuscitation trolley checks, order stock and monitor expiry dates.

This will enable the Trust to actively monitor trolley stock compliance and effectively manage any product recalls.

Recommendation and Conclusion

The system holds only minimal personal data, namely a staff member's name. The supplier holds DSPT and ISO 9001 credentials.

Data is held on third-party servers; the hosting company's compliance includes DSPT and ISO 27001.

Supplier credentials to be monitored by IG on an annual basis and system added to the Trust Asset Management Register.

Implementation of a technical solution, backed by policy, procedures and communications (staff and public facing), to enable the Trust to meet the requirements of the National Data Opt-out as set out in the Caldicott 3 Review of Data Security, Consent and Opt-Outs.

Recommendation and Conclusion

A small risk remains that data relating to patients who have opted out is processed.

Ongoing work by the IG and Data Analyst team will ensure Trust wide compliance.

The in-house creation of an Overpayment Log Dashboard to ensure the Trust has full visibility of any overpayments made along with a process of recovery.

Recommendation and Conclusion

All data is held and managed internally; the risks are therefore minimal.

The implementation and use of a Trust wide electronic Risk Register, providing additional reporting capabilities and monitoring for the CQC and NHSLA Standards.

It also assists the Trust's compliance with the yearly Data Security and Protection Toolkit (DSPT).

Recommendation and Conclusion

The Licence Agreement covers all the required aspects of a data processing agreement.

Supplier credentials to be monitored by IG on an annual basis and system added to the Trust Asset Management Register.

Direct interoperability allowing Primary and Community Care sites to see a read-only view of the data via an embedded HTML view.

This supports the Trust's aim of better linking physical and mental healthcare, and gives our clinical services better access to the information they need.

Recommendation and Conclusion

The project is fully supported by all stakeholders.

Both systems maintain full audits of inbound/outbound requests.

Supplier credentials to be monitored by IG on an annual basis.

Software which is compatible with the Trust’s training manikins.

This will enhance staff training, enabling courses to be more interactive and provide realistic scenarios.

Recommendation and Conclusion

No data is stored within the software.

The software download was completed following the Request for Change process.