Privacy Impact Assessment: Standard Operating Procedure


Corporate Privacy Impact Assessment: Standard Operating Procedure

Document Control Summary

Status: New
Version: v1.3 (Date: 19/05/2016)
Author/Title: Laura Marklew/Vikki Williams - Information Governance Leads
Owner/Title: Jon Davis - Senior Project Manager
Approved by: Policy and Procedures Committee (Date: 19th May 2016)
Ratified: Policy and Procedures Committee (Date: 19th May 2016)
Related Trust Strategy and/or Strategic Aims: IM&T Strategy
Implementation Date: June 2016
Review Date: June 2017
Key Words: Risks, new, project, mandate, privacy
Associated Policy or Standard Operating Procedures: Programme and Project Management Policy

Contents

1. Introduction
2. Process of Undertaking a PIA
3. Scope
Stage 1 - Privacy Impact Assessment Screening
Stage 2 - Privacy Impact Assessment
4. Definitions
5. References
Appendix A - Linking the PIA to the Data Protection Act Principles

Change Control - Amendment History

Version | Dates | Amendments
v       |       | Creation of Document
v       |       | Amendments including adding links, updating references and document layout
v       |       | Minor amendments from Information Governance Steering Group
v       |       | Slight amendment to reference section; IG Policy added

1. Introduction

A Privacy Impact Assessment (PIA) is a tool which assists organisations in identifying and minimising the privacy risks of new projects or policies. A PIA will help to ensure that potential problems or impacts on privacy are identified and addressed at an early stage, when resolution will be simpler and less costly.

PIAs should be conducted with the involvement of people within the organisation and partner organisations, and with people affected by the project/policy, to identify and reduce privacy risks. An effective PIA will be used throughout the development and implementation of a project/programme/policy, using existing project management processes.

PIAs should identify risks to individuals affected by changes to privacy, and also corporate risks to the organisation, such as the financial and reputational impacts of a data breach.

2. Process of Undertaking a PIA

There are three main stages to undertaking a PIA:

1. Privacy Impact Assessment Screening questions - identifies whether a full PIA is required
2. Full Privacy Impact Assessment
3. Development of the Privacy Impact Assessment as the project/policy develops or changes

The rest of this document forms the Screening Questions and the Privacy Impact Assessment Template. This document should be completed in conjunction with the Information Commissioner's Office Privacy Impact Assessment Code of Practice.

PIAs should be completed by the most relevant person involved in the project, for example the project manager or policy author. When completed, the Stage 1 form should be forwarded to the Information Governance Lead (via informationgovernance@sssft.nhs.uk) for agreement on whether a full PIA is required. PIAs should be stored within the PMO project folder and also copied to the Information Governance team, who maintain a log of PIAs completed.

3. Scope

Stage 1 should be undertaken by all projects, programmes and policies to determine whether a PIA is required. Where the privacy impacts or scope of a project, programme or policy have changed significantly, Stage 1 should be reviewed to determine whether a PIA is then required.

Stage 2 should be undertaken where Stage 1 has confirmed that a full PIA is required.

Stage 3 should be undertaken where the privacy impacts of a project, programme or policy have changed significantly.

Stage 1 - Privacy Impact Assessment Screening

To be undertaken as part of the Project Mandate for all projects.

These questions are intended to help you decide whether a Privacy Impact Assessment is necessary. Answering yes to any of these questions is an indication that a PIA is required. You can expand on your answers as the project develops if you need to. Please provide additional information where the answer to any question is yes. Once complete, forward this form to the Information Governance Lead to determine whether a PIA is required.

Project Name:
Reviewer:
Directorate:
Date of Completion:
Any Associated Projects/Programmes:
Outcome (to be completed by Information Governance Lead): Privacy Impact Assessment is Required / Not Required

1. Will the project involve the collection of personal information about individuals? Is any of this information considered sensitive?
2. Will the project involve the collection of NEW information about individuals which is not already collected elsewhere?
3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
4. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
5. Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, assistive technology worn by an individual.
6. Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?
7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records or other information that people would consider private.
8. Will the project require you to contact individuals in ways they may find intrusive?

Once completed, forward this template to the Information Governance Lead, who will record in the Outcome field above whether a full Privacy Impact Assessment is required.

Stage 2 - Privacy Impact Assessment

A full Privacy Impact Assessment should be undertaken if it has been determined in Stage 1 that the project will have implications for privacy. The Information Governance Lead will confirm whether a full PIA is required in the outcome section of Stage 1. The following template should be completed in full. Appendix A details how the privacy impact assessment should be linked to the Data Protection Act principles, and the questions within that section may help you to think about how privacy will be affected by the project.

Project Name:
Reviewer:
Directorate:
Date of Completion:
Any Associated Projects/Programmes:

Part One - Identify the need for a PIA

1. Briefly explain what the purpose of the project is, what it aims to achieve and the expected benefits (or provide a link to the project mandate).
2. Summarise why the need for a PIA was identified (this can be copied from the outcome of the Stage 1 form).

Part Two - Describe the Information Flows

1. Describe what information/data is going to be collected, how it is going to be used and how long it will be kept for (this may be information collected as part of the project, or within the system/process that the project is implementing on an ongoing basis).

2. How many individuals are likely to be affected by the project?
3. Provide an information flow diagram.

Part Three - Consultation Requirements

1. What steps will be taken to ensure that all privacy risks are identified and addressed? Who will be consulted (internally and externally) and how will this be carried out? (Refer to the stakeholder analysis documentation from the PMO.)

Part Four - Identify the Privacy Risks

1. Identify the key privacy risks. These risks should be recorded on the corporate or project risk register and linked to this document. Record each risk under the following headings:

Risk No. | What is the privacy issue? | What is the risk to individuals? | Is this a compliance risk (with Data Protection)? | Is there an associated organisational/corporate risk?

Part Five - Identify Privacy Solutions

1. Describe the actions which can be taken to reduce the identified risks and any future steps which will be necessary (e.g. creation of new guidance, future security testing for systems). Record each solution under the following headings:

Risk No. | Solution(s) | Result: risk eliminated, reduced or accepted? | Evaluation: is the final impact (after implementing solutions) justified, compliant and proportionate to the aims of the project?

Part Six - Sign Off and Record PIA Outcomes

1. Who has approved the privacy risks outlined above? What solutions need to be implemented? (Approval will normally be provided by the project owner, or by the project board for high-risk/business-critical projects.) Record each approval under the following headings:

Risk No. | Approved Solution | Approved By and Date

Part Seven - Integrate the outcomes back into the project plan

1. Confirm who is responsible for integrating the outcomes and approved actions back into the project plan.
2. Who is the contact for any future privacy concerns regarding this project and its outcomes?

Once completed, store a copy of this Privacy Impact Assessment within the project folder in the PMO workgroup on the G drive (G:\WorkGroups\PMO) and send a copy to the Information Governance Lead to assess the outcomes.

4. Definitions

Privacy Impact Assessment: A tool to help organisations identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy.

Personal Information: Any information relating to an individual.

PID/PII: Personally Identifiable Details/Information - data which relates to a living individual who can be identified, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive Information: Personal information relating to:
(a) Racial or ethnic origin,
(b) Political opinions,
(c) Religious beliefs or other beliefs of a similar nature,
(d) Trade Union membership,
(e) Physical or mental health or condition,
(f) Sexual life,
(g) The commission or alleged commission of any offence, or
(h) Any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

5. References

Please read this Standard Operating Procedure in conjunction with:
- Information Governance Policy
- Privacy Impact Assessment Code of Practice (Information Commissioner's Office)

Appendix A - Linking the PIA to the Data Protection Act Principles

Answering these questions during the PIA process will help you to identify where there is a risk that the project will fail to comply with the DPA or other relevant legislation, for example the Human Rights Act. The Information Governance Lead can help you answer these questions.

Principle 1 - Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a. At least one of the conditions in Schedule 2 is met, and
b. In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Have you identified the purpose of the project?
- How will you tell individuals about the use of their personal data?
- Do you need to amend your privacy notices?
- Have you established which conditions for processing apply?
- If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?
- If your organisation is subject to the Human Rights Act, you also need to consider: Will your actions interfere with the right to privacy under Article 8? Have you identified the social need and aims of the project? Are your actions a proportionate response to the social need?

Principle 2 - Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Does your project plan cover all of the purposes for processing personal data?
- Have you identified potential new purposes as the scope of the project expands?

Principle 3 - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Is the quality of the information good enough for the purposes it is used for?
- Which personal data could you not use, without compromising the needs of the project?

Principle 4 - Personal data shall be accurate and, where necessary, kept up to date.
- If you are procuring new software, does it allow you to amend data when necessary?
- How are you ensuring that personal data obtained from individuals or other organisations is accurate?

Principle 5 - Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
- What retention periods are suitable for the personal data you will be processing?
- Are you procuring software that will allow you to delete information in line with your retention periods?

Principle 6 - Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Will the systems you are putting in place allow you to respond to subject access requests more easily?
- If the project involves marketing, have you got a procedure for individuals to opt out of their information being used for that purpose?

Principle 7 - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Do any new systems provide protection against the security risks you have identified?
- What training and instructions are necessary to ensure that staff know how to operate a new system securely?

Principle 8 - Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- Will the project require you to transfer data outside of the EEA?
- If you will be making transfers, how will you ensure that the data is adequately protected?