General Data Protection Regulation (GDPR) Strategy

Transcription

1 General Data Protection Regulation (GDPR) Strategy NHS Digital s Approach to Compliance Published October 2017 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

2 Contents Executive Summary 3 Introduction 3 Vision for GDPR Compliance 3 Strategic Approach 4 Discovery 4 Transition 4 Education 5 Assurance 5 Risks 6 Acceptance Criteria 6 Who will deliver the programme? 7 How we will do it? 7 Appoint a Data Protection Officer 7 Setting up of GDPR Work streams 8 GDPR Compliant Information Asset Register 9 Prioritisation of Compliance for Key Information Assets 10 Communication 11 Education 12 Use of Guidance in production of Documentation to support GDPR 13 Problem Solving Process 14 Governance 16 Timescales 16 Copyright 2017 Health and Social Care Information Centre. 2

3 Executive Summary The General Data Protection Regulation (GDPR) will be moved into European Law on 25th May It will be supported by the UK Data Protection Bill (to be moved into statute in 2017/18), which will be used to repeal the Data Protection Act of 1998 and support the implementation of this new European Regulation. This document sets out the Strategic Approach NHS Digital will take in moving towards GDPR Compliance, its Programme Team and proposed Governance Arrangements that will drive through the actions required to fulfil its obligations to its staff, partners and customers with regards to the Regulation. Introduction The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). As the Safe Haven of NHS & Social Care Data, NHS Digital has a responsibility to ensure that its working practices mirror current and future UK and EU Legislation and that a Strategic Approach will be required to ensure that all of its staff are aware of new legislation, its impact and their role in compliance as well as providing assurance to its internal and external stakeholders that the assets, policies and procedures within NHS Digital are identified, examined and changed in order to evidence compliance by 2018/19. It should be noted that NHS Digital already has regard to the Data Protection Act 1998 and the Common Law Duty of Confidence in its working practices and can already demonstrate how it complies with these in its delivery of functions as set out in the Health and Social Care Act Therefore broadly, our NHS Digital programme of work is about tightening up current arrangements and ensuring we meet those parts of the GDPR that have now become mandatory, tackling those new elements of data protection included in GDPR and ensuring we can evidence compliance in all areas post May Vision for GDPR Compliance. By 25th May 2018, NHS Digital as the Safe Haven of NHS & Social Care Data will have examined its current Assets, Policies, Procedures and Processes with regards to its delivery of services and will be GDPR Compliant in all areas of its business Copyright 2017 Health and Social Care Information Centre. 3

4 Strategic Approach The Strategic Approach for NHS Digital is split into 4 distinct phases Discovery Assess current DPA 1998 Compliance across the organisation Comprehensively examine impact of GDPR and DP Bill on current services Redefine definition of an Information Asset with regards to NHS Digital Functionality Assess Current Information Asset Register and ownership of Assets both within NHS Digital and where joint ownership with other ALBs are identified Transition Appointment of a Data Protection Officer Introduction & Management of a Comprehensive, electronic Information Asset Register Changes to working practices (such as SAR Requests) to meet GDPR Compliance Changes to NHS Digital Policies, Procedures and Guidelines to support GDPR Changes to future Contract Management to meet GDPR Requirements Copyright 2017 Health and Social Care Information Centre. 4

5 Education Board and EMT Awareness with regards to the impact of GDPR on the organisation inc. fines for noncompliance Communication Plan to bring GDPR awareness across the organisation GDPR Awareness Mandatory E-Learning Training Package IAO Mandatory Annual E-Learning Package Assurance External Audit Programme from implementation to BAU DPO Led Audit Programme for NHS Digital Compliance Annual declaration by IAO of Assets as compliant DPO Led Audit Programme for Assets (3 year rolling programme) Copyright 2017 Health and Social Care Information Centre. 5

6 Risks A Recent Audit by the Government Internal Audit Agency (GIAA) found that the Programme had sufficient foundation and plans to move the organisation towards GDPR Compliance; but has identified the key risks to the organisation as: Governance arrangements fail to effectively steer and control the department wide activities to deliver GDPR Compliance by May 2018 Risk Management Arrangements fail to identify, evaluate, monitor and mitigate key risks to deliver GDPR compliance by May 2018 Key Activities to Deliver GDPR Compliance by May 2018 are not planned and/or prioritised effectively Therefore, the plans for GDPR Compliance that are overseen by the GDPR Steering Group and Programme Team must ensure that there are work packages in place and that plans are adhered to in order to mitigate these risks as much as possible Acceptance Criteria In scoping the GDPR Programme there have been 3 levels of Acceptance Criteria identified that NHS Digital could find itself in a position against. As the true impact of GDPR within NHS Digital is still in the Discovery Phase it is not clear which criteria the organisation will find itself in on 25 th May Level Acceptance Criteria 1 Optimum 2 Defensible 3 Sub-optimum Minimum Specification Fully GDPR Compliant in all parts of NHS Digital IAOs fully trained and signed up to IAO Charter GDPR Audit Programme in place and staffed appropriately All information Assets are identified All Information Assets, Policies and Processes are DPA 1998 compliant All Critical Assets have been identified and are GDPR Compliant GDPR Awareness across the organisation. All Assets are not identified No examination of NHS Digital Policies and processes against current legislation Lack of GDPR Awareness across the organisation Copyright 2017 Health and Social Care Information Centre. 6

7 However, Level 3 is not acceptable to the Board, and that a comprehensive programme of work is required to deliver Level 2 in the first instance and then Level 3 during 2018/19. Who will deliver the programme? The GDPR Programme will be delivered by existing staff within NHS Digital, in addition to their current role. A GDPR ABR Code within the Central Administrative Service used for staff to allocate their time against will be created for staff to log the work they are undertaking to implement GDPR. The Programme Team are set out below and can be contacted to give guidance and advise in their relevant workstream areas How we will do it? Appoint a Data Protection Officer Section 4; Article 37 of the GDPR Regulation sets out the requirement for the Designation of a Data Protection Officer (DPO). As a Public Authority who processes personal data, it is the responsibility of NHS Digital to ensure a DPO is appointed who can give advice, monitor Copyright 2017 Health and Social Care Information Centre. 7

8 compliance and act as the point of contact for internal and external stakeholders with regards to the organisation s function. The Head of Strategic Information Governance has been identified as the most suitable post holder within NHS Digital to carry out this function. This post holder will be setting up a team to oversee, manage and audit compliance with GDPR and will be setting out the plans for assurance by May Setting up of GDPR Work streams By taking the key changes from DPA 1998 and GDPR, as well as the key departments that will be affected by these changes, 16 Workstreams have been set up to manage individual key areas of GDPR Compliance. Each have a named lead and will produce monthly highlight reports to the GDPR Steering Board, so progress can be monitored and any issues in delivery can be identified early, and mitigations put in place. Workstream Communication Information we hold (Asset Register) Communication of Privacy Notices & PIAs Responsible Person Paul Butler Christina Munns John Varlow Individuals Rights inc. Data Portability/erasure Catherine Nicholson SARS Lawful basis for processing personal data Vanessa Kaliapermall Catherine Nicholson Consent Children (age change to adult) Data Breaches Data Protection by design Data Protection Officers Contracts Training and Education HR Information Security Records Management Catherine Nicholson John Varlow Neil McCrirrick John Varlow Catherine Nicholson Hazel Randall Carole Sheard Alison McTrusty Matt Lutkin Paul Harris Copyright 2017 Health and Social Care Information Centre. 8

9 GDPR Compliant Information Asset Register Within NHS Digital for some time, there has been an Information Asset Register (IAR), but this was maintained manually by the Operational IG Team to ensure compliance with the requirements for the IG Toolkit. The information kept on the register met with current IG Toolkit Requirements, but would not be sufficient to demonstrate compliance with GDPR. There has also been an acknowledgement that Information Asset Owners (IAOs) need to take more accountability and responsibility for the Assets they own, and ensure that they comply with current and future legislation. After a scoping exercise looking at Commercial off the Shelf products (COTS) products and initiatives within NHS Digital, the decision has been made that the Unified Register, already in use for the recording of Data Collections would be the electronic means for collecting and demonstrating evidence of compliance for all Information Assets owned or processed by NHS Digital. Once the product of choice had been identified, by liaising with the IAO Forum from within NHS Digital, the definition of an Information Asset was re-defined: - An Information Asset is Defined as: - A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information Assets have recognisable and manageable value, risk, content and lifecycles. And an extensive engagement and communication plan is planned to capture all information Assets within NHS Digital by December The Information Asset Register development will be approached in 4 phases: - Copyright 2017 Health and Social Care Information Centre. 9

10 Identification of all Information Assets and their owners (IAO) and their adherence to current DPA 1998 principles Gap Analysis of current Information Asset Register content with regards to GDPR Requirements Identification of Critical/Key Information Assets which MUST adhere to the principles of GDPR by May 2018 and workplans for adherence confirmed with each IAO All Information Assets must adhere to the principles of GDPR by the end of 2018 Prioritisation of Compliance for Key Information Assets Once the Information Asset Register has completed its 1 st iteration to match DPA 1998 and has been assured, there will be a requirement to identify the Key, Critical Assets NHS Digital which will be the priority in assurance that these will adhere to the principles of GDPR by May A Criteria for assessing Key Assets is set out below: - Value Impact of Information Asset on NHS Digital and its customers Very High High Moderate Internal and External Customers rely on this Asset to carry out their basic functions. Loss of this asset would have an adverse impact on the operation of NHS Digital and the Health and Social Care Sector and the delivering of patient care to England. The loss of this Information Asset would cause severe reputational and patient safety risk to the organisation and the NHS as a whole. The Identified Information Asset is one that is relied on to deliver a function within NHS Digital and its stakeholders. The loss of this asset would impact on one or more functions within care delivery for NHS Digital and the Health and Social Care sector. The loss of the Information Asset may cause considerable financial and reputational risk to the organisation and the NHS as a whole. The Information Asset is identified as one that does assist in the delivery of function into NHS Digital and/or Health and Social Care. The loss of this Asset may lead to a reduced capability for some functions within NHS Digital and Health and Social Care, with a possible reduction in patient care delivery, but Copyright 2017 Health and Social Care Information Centre. 10

11 Low Very Low other functions may allow care delivery to continue. The loss of this Asset may lead to a limited adverse effect in that it may reduce functions of an organisation, but that they would still be able to operate effectively The loss of this Asset may have some financial and reputational risk to NHS Digital and the NHS as a whole. The Information Asset is acknowledged in supporting the delivery of function into NHS Digital and/or Health and Social Care. The loss of this Asset may lead to a limited adverse effect in that it may reduce functions of an organisation, but that they would still be able to operate effectively. The loss of this Asset may have minor financial and reputational risk. The Information Asset is identified as not having a major impact on the delivery of services to NHS Digital or the Health and Social Care Sector as a whole. The loss of this Asset would have minimal impact on the delivery of patient care or the delivery of function within NHS Digital This exercise will be carried out by the Information Asset Workstream Lead and the Chair of the IAO Forum and identification is expected to be completed by December 2017 with adherence and evidence of GDPR Principles submitted into the Information Asset Register for Key Assets by March Communication Working with the Media and Communication Teams there are plans for a series of innovative Communication Campaigns in the run up to May Vlogs by Key NHS Digital Staff Use of External Website for customer awareness GDPR "Countdown Clock" to 25th May 2018 Communications Campaign Suggestions Board where staff can "pin" their queries Targeted Campaigns to key staff eg. IAO's GDPR Dedicated page on the intranet Copyright 2017 Health and Social Care Information Centre. 11

12 The Programme Lead for Communications is expected to produce a Comprehensive Communication Plan which will be passed to GDPR Steering Group and EMT for Approval. Education It is proposed that every member of staff within NHS Digital will receive a level of GDPR Training in the 2017/18 Operational Year IAOs Comprehensive GDPR Awareness and Accountability GDPR Workstream Leads GDPR Principles and applications Levels of awareness EMT & Board GDPR Awareness Training NHS Digital - All Staff GDPR Awareness Training The Communication Plan include a programme of campaigns and alerts within to ensure that all staff will have heard of GDPR and how to prepare themselves for it to move into Regulation in May However, it has been recognised that to ensure all staff are fully aware of the implications a more comprehensive education plan is to be developed: - Copyright 2017 Health and Social Care Information Centre. 12

13 Education Package Lunch & Learns and Webinars Aimed at Targeting all Staff within NHS Digital Looking at the Key principles and changes regarding GDPR and how to apply them into working practices within NHS Digital E-Learning Package for GDPR Awareness All staff within NHS Digital Mandatory before May 2018 Board Presentation on GDPR Principles and key changes External GDPR Practitioner - Delivery of key GDPR Principles to GDPR Workstreams Leads E-Learning Package for Information Asset Owners NHS Digital EMT and Board Aimed at awareness of key changes which may impact functions of NHS Digital GDPR Workstream leads to give them insight and documentation to support the delivery of the key changes regarding GDPR to their workstreams All IAOs within NHS Digital To support education and the assurance of Assets meeting GDPR principles Annual Mandatory Training to be supporting by the signing of an IAO Charter for assuring compliance Use of Guidance in production of Documentation to support GDPR When the GDPR Regulation (EU) 2016/679 was released in 2016, it was expected that the EU Article 29 Working Party would be releasing Guidance on how to implement GDPR into organisations. To date it has only released 3 pieces of guidance with the reminder expected in 2018 Guidance on the right to data portability Guidance on Data Protection Officers Guidance on Data Privacy Impact Assessments The UK ICO has been expected to release general guidance on implementation and adherence to the GDPR Regulation, releasing this statement in September 2017 Copyright 2017 Health and Social Care Information Centre. 13

14 We will be working to turn the Overview of the GDPR into a Guide to GDPR, which will be similar to our existing guides to other legislation. We will be filling in gaps in its coverage and expanding the content to make it a comprehensive guide.and all the new content should available by early next year.. Due to the lack of thorough and sector specific guidance within Health and Social Care, an EU Working Party, made up of representatives of key departments, ALBs, Providers and customers was set up in January 2017 in order to discuss and produce guidance that can be used in the Health and Social Care Setting. Their ambitious plan is to have released the following guidance by December CEO Briefing Data protection accountability and governance Privacy by design and default Implications of the GDPR for Health and Social Care Research Health and Social Care Research: legal basis and safeguards Transparency, consent and subject s rights Consent Pseudonymisation Personal data breaches and notification Profiling and risk stratification GDPR overview What's new and what changes NHS Digital will have regard to all guidance published and may change or alter NHS Digital s approach to compliance once the guidance content is understood, accepted and the changes have passed through the GDPR Governance channels. Problem Solving Process It is recognised that all parts of NHS Digital, PHC2020 and individual portfolio areas will require guidance and support throughout the Transition phase of the GDPR Programme. Workstreams will also require support in delivering their objectives and may require specific guidance to an issue. Copyright 2017 Health and Social Care Information Centre. 14

15 In order to address this, a Problem Statement Proforma will be produced which will cover as a minimum: - What the problem or point for consideration is The relevant legislation to support a response Areas within NHS Digital which may need to consider this statement The Position Statement that NHS Digital employees need to regard in their working practices. The Problem Statement proforma will progress through the following governance process, the end being a publication on the Intranet and the NHS Digital Website: - Workstream or Programme Identify an issue and/or clarification required with regards to GDPR Complete a "Problem Statement Proforma" with and area requiring clarification Strategic IG Team Examine all relevant legislation. Legislation added to pro forma with any other information known to assist in clarification Expert Group meet to examine statement and legislation and match to working practices within NHS Digital as well as current available GDPR Guidance Complete Pro-forma with solution to problem Statement GDPR Steering Group Ratify Problem Statement Advise further Action if policy or process change required Inform EMT and/or Board of any key issues identified Publication on Intranet and NHS Digital Website. Policy or Guideline produced by Strategic IG Team if appropriate Copyright 2017 Health and Social Care Information Centre. 15

16 Governance There is a defined process identified for governance of the GDPR Compliance Programme. This runs from workstream to Board; thus, ensuring all levels of the organisation are involved in ensuring GDPR Compliance across NHS Digital. Operational Group 16 Workstreams Examine GDPR and DP Bill and other relevant Regulations Produce Highlight Reports and Statements Expert Group Examine Statements and Products from Operational Group against NHS Digital Practice Ratify Statements or Product as compliant Produce final Supporting Document Steering Group Set GDPR and DP Bill Strategy Horizon Scan for internal and external influences Ratify Supporting Documentati on Produce EMT Paper and Slide deck EMT Receive monthly update from Steering Group Exec Sponsor to deliver update and discuss key findings NHS Digital Board Bi-monthly update on GDPR delivered by Exec Sponsor Timescales Activity Sept Oct Nov Dec Jan Feb March April May June-Dec DPO Assigned Workstreams Finalised Programme plan completed 1st Draft Info Asset Register Identification of Critical Assets 2nd Draft Info Asset Register Education Programme Critical Assets GDPR Compliant Policies and Processes uplifted All Information Assets GDPR Compliant GDPR Assurance Programme Commences Copyright 2017 Health and Social Care Information Centre. 16