Privacy Impact Assessment Policy V3.0


Privacy Impact Assessment Policy V3.0 January 2016

Summary. Although not mandatory, the best practice guidance from the Information Commissioner is to conduct a Privacy Impact Assessment. Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach.

Table of Contents

Summary
Introduction
Purpose of this Policy/Procedure
Scope
Definitions / Glossary
Ownership and Responsibilities
Standards and Practice
Dissemination and Implementation
Monitoring compliance and effectiveness
Updating and Review
Equality and Diversity
Equality Impact Assessment
Appendix 1. Governance Information
Appendix 2. Initial Equality Impact Assessment Form
Appendix 3. Privacy Impact Assessment Tool

1. Introduction

1.1. For many organisations, privacy now poses risks which need to be professionally managed in a similar way to other categories of risk. Royal Cornwall Hospitals Trust recognises that handling data is an intrinsic and critical aspect of its business, and that the implementation of projects that handle personal data needs to be monitored.

It is important to note that any collection, use or disclosure of personal information has the potential to pose a risk to personal privacy. Sometimes those risks are not obvious and as a result it can be easy to overlook or not adequately address them.

This version supersedes any previous versions of this document.

2. Purpose of this Policy/Procedure

2.1. This policy and procedure is designed to illustrate the approach that the Trust is taking with regard to monitoring and assessing any changes to, or implementation of, any new information systems. The careful analysis at the planning stage of intended projects will be enhanced by the implementation of Privacy Impact Assessments (PIA) on all new projects.

3. Scope

3.1. The term 'project' used in this policy and procedure is not strictly limited to just projects. It encompasses any activity that may alter, dispose of or initiate a new system that contains, or potentially contains, personal data, whether in an electronic or paper format.

This policy and procedure will apply across the Trust and contracted services where personal data is either managed or processed. All relevant projects must have a PIA Screening or Assessment completed at an early stage.

4. Definitions / Glossary

PIA: Privacy Impact Assessment (process for assessing risk)
IGC: Information Governance Committee (oversight committee)
SIRO: Senior Information Risk Officer (person responsible for risk)

5. Ownership and Responsibilities

5.1. The Chief Executive is responsible for maintaining privacy and confidentiality within the Trust.

The Caldicott Guardian is responsible for protecting the confidentiality of patient information and acts as the conscience of the Trust to ensure

5.3. The Senior Information Risk Owner and the Head of Information Governance/Data Protection Officer are responsible for ensuring IGC analysis of all Trust PIAs and ultimate approval.

5.4. Members of the Information Governance Committee (IGC) are responsible for assessing and contributing to the assessment of all Trust PIAs.

All Project Leads (either Business or Project managers) within the Trust are responsible for ensuring that PIAs are carried out, and presented to the relevant IGC, on all new projects.

All managers are to be aware of the need for PIAs for all new projects.

The IT Security Manager is responsible for assessing any IT security needs.

Role of the Managers

Line managers are responsible for:
- Ensuring any new process or system that contains, handles or uses personal identifiable data has a PIA conducted prior to implementation.
- Ensuring any new/changed processes, policies, procedures or office locations (including moves) are assessed using the PIA to ensure confidential information is secure.

Role of the Information Governance Committee

The Information Governance Committee is responsible for:
- Receiving completed PIAs and recommendations from the Head of Information Governance.
- Approving or seeking further clarification as to issues as required.

Role of Individual Staff

All staff members are responsible for:
- Ensuring they alert either their line manager or the Head of Information Governance to changes to process where personal identifiable data is used.
- Raising awareness where they think personal identifiable data is at risk.

6. Standards and Practice

6.1. What is privacy?

6.2. Interpreted most broadly, privacy is about the integrity of the individual. However, for the purposes of completing a privacy impact assessment (PIA), it is more useful to examine different aspects of privacy. A PIA could consider:

6.3. Privacy of personal information is referred to variously as data privacy and information privacy. Individuals generally do not want data about themselves to be automatically available to other individuals and organisations. Even where data is possessed by another party, the individual should be able to exercise a substantial degree of control over that data and its use.

6.4. Privacy of the person, sometimes referred to as bodily privacy, is concerned with the integrity of the individual's body. At its broadest, it could be interpreted as extending to freedom from torture and right to medical treatment, but these are more commonly seen as separate human rights rather than as aspects of privacy. Issues that are more readily associated with privacy include body searches, compulsory immunisation, blood transfusion without consent, compulsory provision of samples of body fluids and body tissue, and requirements for submission to biometric measurement.

Privacy of personal behaviour relates to the observation of what individuals do, and includes such issues as optical surveillance and media privacy. It could relate to matters such as sexual preferences and habits, political or trade union activities and religious practices. But the notion of private space is vital to all aspects of behaviour, is relevant in private places such as the home and toilet cubicle, and is also relevant in public places, where casual observation by the few people in the vicinity is very different from systematic observation, the recording or transmission of images and sounds.

Privacy of personal communications could include various means of analysing or recording communications such as mail covers, the use of directional microphones and bugs with or without recording apparatus and telephonic interception and recording. In recent years, concerns have arisen about third party access to messages. Individuals generally desire the freedom to communicate among themselves, using various media, without routine monitoring of their communications by other persons or organisations.

Privacy risks

6.8. The enormous increases in the collection, storage, use and disclosure of personal data, and the imposition of many intrusive technologies, have caused increased concern about individual privacy. Privacy risks fall into two categories.

1. Risks to the individual as a result of contravention of their rights in relation to privacy, or loss, damage, misuse or abuse of their personal information.

2. Risks to the organisation as a result of:
- perceived harm to privacy;
- a failure to meet public expectations on the protection of personal information;
- retrospective imposition of regulatory conditions;
- the costs of redesigning or delaying a system;
- the collapse of a project or completed system;
- withdrawal of support from key supporting organisations due to perceived privacy harms; and/or
- failure to comply with the law, leading to:
  - enforcement action; or
  - compensation claims from individuals.

6.9. Privacy Impact Assessment

6.10. A PIA is a systematic process for evaluating a proposal or project in terms of its impact upon privacy. A PIA can assist in:
- Identifying potential issues and concerns on individual or group privacy.
- Examining how detrimental effects may be overcome.
- Ensuring that new projects comply with privacy law and principles.
- Avoiding loss of trust and reputation.
- Avoiding unnecessary costs and inadequate solutions.

6.11. A PIA must be seen as a separate process from compliance checking or data protection audit processes. Projects which are already up and running should not be submitted to a PIA, but to either a compliance check or a data protection audit, whichever is more appropriate.

The Process

1. Identifying the need for a PIA. The need for a PIA can be identified as part of an organisation's usual project management process or by using the screening questions in annex two of this Code.

2. Describing the information flows. Describe the information flows of the project. Explain what information is used, what it is used for, who it is obtained from and disclosed to, who will have access, and any other necessary information.

3. Identifying the privacy and related risks. Some will be risks to individuals - for example damage caused by inaccurate data or a security breach, or upset caused by an unnecessary intrusion on privacy. Some risks will be to the organisation - for example damage to reputation, or the financial costs of a data breach. Legal compliance risks include the DPA, PECR, and the Human Rights Act.

4. Identifying and evaluating privacy solutions. Explain how you could address each risk. Some might be eliminated altogether. Other risks might be reduced. Most projects will require you to accept some level of risk, and will have some impact on privacy. Evaluate the likely costs and benefits of each approach. Think about the available resources, and the need to deliver a project which is still effective.

5. Signing off and recording the PIA outcomes. Make sure that the privacy risks have been signed off at an appropriate level. This can be done as part of the wider project approval. A PIA report should summarise the process, and the steps taken to reduce the risks to privacy. It should also record the decisions taken to eliminate, mitigate, or accept the identified risks. Publishing a PIA report will improve transparency and accountability, and lets individuals learn more about how your project affects them.

6. Integrating the PIA outcomes back into the project plan. The PIA findings and actions should be integrated with the project plan. It might be necessary to return to the PIA at various stages of the project's development and implementation. Large projects are more likely to benefit from a more formal review process. A PIA might generate actions which will continue after the assessment has finished, so you should ensure that these are monitored. Record what you can

7. Dissemination and Implementation

7.1. This document will be made available on the Trust's Document Library. It will also be highlighted to the Cornwall IT Services management to ensure it is adopted by its Project Managers.

This requirement has been in existence for a number of years; no further training is required, just a reaffirming of its existence and the need for compliance.

8. Monitoring compliance and effectiveness

Element to be monitored: The completion of PIAs for all known projects.

Lead: Deputy Director of CITS, Business & Infrastructure Programme Manager and Head of Information Governance?

Tool: The PIA documentation is the tool used to monitor compliance. Assurances should be sought from the Deputy Director of CITS, Business & Infrastructure Programme Manager and Head of Information Governance quarterly as to the level of compliance.

Frequency: A PIA should be completed for all projects where there is a new use of information or where there is a significant change of an existing process.

Reporting arrangements: All PIAs will be tabled at the IGC. These are bi-monthly. The IGC will receive the PIAs once approved by the SIRO.

Acting on recommendations and Lead(s): The SIRO and Head of Information Governance will make appropriate recommendations. These responsibilities are listed in the duties of the IGC. The IGC will require action plans on any recommendations made to PIAs that do not meet the required standards. The action plan for actions will be determined by the constraints of the delivery of the project.

Change in practice and lessons to be shared: Any changes to the design of the project will be built into the project plan and will be managed by the Project Manager. The Project Manager will be responsible for ensuring the actions are undertaken in an agreed time frame.

9. Updating and Review

9.1. This policy should be reviewed every three years. The IGC will be the mechanism for this.

Revisions can be made ahead of the review date when the procedural document requires updating. Where the revisions are significant and the overall policy is changed, the author should ensure the revised document is taken through the standard consultation, approval and dissemination processes.

Where the revisions are minor, e.g. amended job titles or changes in the organisational structure, approval can be sought from the Executive Director responsible for signatory approval, and can be re-published accordingly without having gone through the full consultation and ratification process.

Any revision activity is to be recorded in the Version Control Table as part of the document control process.

10. Equality and Diversity

This document complies with the Royal Cornwall Hospitals NHS Trust service Equality and Diversity statement which can be found in the or the Equality and Diversity website.

All Human Resources policies must include, or refer to, the following employment statement:

Royal Cornwall Hospitals NHS Trust is committed to a Policy of Equal Opportunities in employment. The aim of this policy is to ensure that no job applicant or employee receives less favourable treatment because of their race, colour, nationality, ethnic or national origin, or on the grounds of their age, gender, gender reassignment, marital status, domestic circumstances, disability, HIV status, sexual orientation, religion, belief, political affiliation or trade union membership, social or employment status or is disadvantaged by conditions or requirements which are not justified by the job to be done. This policy concerns all aspects of employment for existing staff and potential employees.

Equality Impact Assessment

The Initial Equality Impact Assessment Screening Form is at Appendix 2.

Appendix 1. Governance Information

Document Title: Privacy Impact Assessment Policy
Date Issued/Approved:
Date Valid From: 25 January 2016
Date Valid To: No more than 3 years from approval
Directorate / Department responsible (author/owner): Mark Scallan, Head of Information Governance
Contact details:
Brief summary of contents: Privacy impact assessment guide and tool for conducting process. This should be used for all new or significantly changed data collection/processes.
Suggested Keywords: Privacy Confidentiality Risk Assessment.
Target Audience: RCHT PCH CFT KCCG
Executive Director responsible for Policy: Christine Perry, Director of Nursing
Date revised: 6 January 2016
This document replaces (exact title of previous version): Privacy Impact Assessment Version 2.0
Approval route (names of committees)/consultation: Information Governance Committee
Divisional Manager confirming approval processes: Richard Johnson, Head of Quality, Safety & Compliance
Name and Post Title of additional signatories: Not Required
Name and Signature of Divisional/Directorate Governance Lead confirming approval by specialty and divisional management meetings: Name: Richard Johnson
Signature of Executive Director giving approval:
Publication Location (refer to Policy on Policies Approvals and Ratification): Internet & Intranet; Intranet Only

Document Library Folder/Sub Folder: e.g. Clinical / Infection Prevention & Control
Links to key external standards: Data Protection Act 1998; Information Governance Toolkit
Related Documents: Information Use Framework Policy
Training Need Identified? No training required as this policy and the tool will be used in collaboration with the Information Governance team.

Version Control Table

Date | Version No | Summary of Changes | Changes Made by (Name and Job Title)
3 Nov 09 | V.1 | Initial issue | M Scallan, Head of IG
12 Feb 13 | V.2 | Updated to POP compliance | M Scallan, Head of IG
25 Jan 16 | V.3 | Changed to show new assessment tool. | M Scallan, Head of IG

[Please complete all boxes and delete help notes in blue italics including this note]

All or part of this document can be released under the Freedom of Information Act 2000.

This document is to be retained for 10 years from the date of expiry.

This document is only valid on the day of printing.

Controlled Document

This document has been created following the Royal Cornwall Hospitals NHS Trust Policy on Document Production. It should not be altered in any way without the express permission of the author or their Line Manager.

Appendix 2. Initial Equality Impact Assessment Form

Privacy Impact Assessment Policy
Directorate and service area: Information Governance
Is this a new or existing Policy? existing
Name of individual completing assessment: Mark Scallan
Telephone:

1. Policy Aim* Who is the strategy / policy / proposal / service function aimed at?
To provide a clear process for ensuring the Trust addresses the required confidentiality requirements for projects

2. Policy Objectives*
To ensure projects consider the requirements of confidentiality and Data Protection.

3. Policy intended Outcomes*
Projects are implemented safely with the required considerations to confidentiality.

4. *How will you measure the outcome?
Through PIA completion against the list of approved projects

5. Who is intended to benefit from the policy?
Patients and staff

6a) Is consultation required with the workforce, equality groups, local interest groups etc. around this policy?
No

b) If yes, have these *groups been consulted?

c) Please list any groups who have been consulted about this procedure.

7. The Impact

Please complete the following table. Are there concerns that the policy could have differential impact on:

Equality Strands | Yes / No | Rationale for Assessment / Existing Evidence
Age | X | No age related aspects.
Sex (male, female, transgender / gender reassignment) | X | No sexual orientation related aspects
Race / Ethnic communities / groups | X | No Race/Ethnic related aspects.
Disability - Learning disability, physical disability, sensory impairment and mental health problems | X | No disability related aspects
Religion / other beliefs | X | No Religion or belief related aspects.
Marriage and civil partnership | X | No Marriage/Civil partnership related aspects
Pregnancy and maternity | X | No pregnancy/maternity related aspects
Sexual Orientation, Bisexual, Gay, heterosexual, Lesbian | X | No sexual orientation related aspects

You will need to continue to a full Equality Impact Assessment if the following have been highlighted:
- You have ticked Yes in any column above and
- No consultation or evidence of there being consultation - this excludes any policies which have been identified as not requiring consultation, or
- Major service redesign or development

8. Please indicate if a full equality analysis is recommended. Yes No

9. If you are not recommending a Full Impact assessment please explain why.
This policy is around process management; it would not have the desired elements to have a detrimental effect on any one individual or groups.

Signature of policy developer / lead manager / director
Date of completion and submission
Names and signatures of members carrying out the Screening Assessment

Keep one copy and send a copy to the Human Rights, Equality and Inclusion Lead, c/o Royal Cornwall Hospitals NHS Trust, Human Resources Department, Knowledge Spa, Truro, Cornwall, TR1 3HD

A summary of the results will be published on the Trust's web site.

Signed
Date

Appendix 3. Privacy Impact Assessment Tool

Privacy Impact Assessments (PIAs) are a tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help us to design more efficient and effective processes for handling personal data.

What do we mean by privacy?

Privacy, in its broadest sense, is about the right of an individual to be let alone. It can take two main forms, and these can be subject to different types of intrusion:

- Physical privacy - the ability of a person to maintain their own physical space or solitude. Intrusion can come in the form of unwelcome searches of a person's home or personal possessions, bodily searches or other interference, acts of surveillance and the taking of biometric information.
- Informational privacy - the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others. Intrusion can come in the form of collection of excessive personal information, disclosure of personal information without consent and misuse of such information. It can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online and extends to monitoring the records.

Projects which might require a PIA

- A new IT system for storing and accessing personal data.
- A data sharing initiative where two or more organisations seek to pool or link sets of personal data.
- A proposal to identify people in a particular group or demographic and initiate a course of action.
- Using existing data for a new and unexpected or more intrusive purpose.
- A new surveillance system (especially one which monitors members of the public) or the application of new technology to an existing system (for example adding Automatic number plate recognition capabilities to existing CCTV).
- A new database which consolidates information held by separate parts of an organisation.
- Legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring.
- A move of office, building or location.
- The creation of a policy or procedure which centres on the collection or use of personal identifiable data.
- Any other project or activity where through careful consideration a risk could be identified which needs mitigation.

Who is responsible for conducting a PIA?

The completion of a PIA should be done through collaboration of the Project Sponsor, Project Manager and the Head of Information Governance.

Guidance Notes

(1) Does the project involve new or inherently privacy-invasive technologies?

Examples of such technologies include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic. Technologies that are inherently intrusive, and technologies that are new and sound threatening, excite considerable public concern, and hence represent project risk. In order to answer this question, considerations include:
- whether all of the information technologies that are to be applied in the project are already well-understood by the public;
- whether their privacy impacts are all well-understood by the organisation, and by the public;
- whether there are established measures that avoid negative privacy impacts, or at least reduce them to the satisfaction of those whose privacy is affected; and
- whether all of those measures are being applied in the design of the project.

(2) Is the justification for the new data-handling unclear or unpublished?

Individuals are generally much more accepting of measures, even measures that are somewhat privacy-intrusive, if they can see that the loss of privacy is balanced by some other benefits to themselves or society as a whole. On the other hand, vague assertions that the measures are needed 'for security reasons', or 'to prevent fraud', are much less likely to calm public disquiet.

(5) Does the project involve new or substantially changed identity authentication requirements that may be intrusive or onerous?

The public understands that an identifier enables an organisation to collate data about an individual, and that identifiers that are used for multiple purposes enable data consolidation. They are also aware of the increasingly onerous registration processes and document production requirements imposed by organisations in recent years. From the perspective of the project manager, these are warning signs of potential privacy risks.

(8) Does the project involve new linkage of personal data with data in other collections, or significant change in data linkages?

The degree of concern about a project is higher where data is transferred out of its original context. The term 'linkage' encompasses many kinds of activities, such as the transfer of data, the consolidation of data-holdings, the storage of identifiers used in other systems in order to facilitate the future searches of the current content of records, the act of fetching data from another location (e.g. to support so-called 'front-end verification'), and the matching of personal data from multiple sources.

Section one.

Please complete this section to help the Information Governance Team assess whether further action is required.

Information System or Project Name:
Person completing PIA:
Date:
Department:
Is this a new process or a change to an existing process?
What is the project/system? Explain what the project aims to achieve, what the benefits will be to the organisation, to individuals and to other parties.

Please provide as much detail as possible for each of these answers.

- Will the project involve the collection of new information about individuals? This is where the project is increasing information we may already be collecting. Is there a clear justification for the new data handling, is this clear and is it made known to the data subjects?
- Will the project compel individuals to provide information about themselves? Are we making additional uses for identifiers already collected? Are we creating new identifiers, and if so why and with whom are they shared?
- Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
- Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? Are we creating new uses?
- Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
- Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
- Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
- Will the project require you to contact individuals in ways which they may find intrusive? Have we obtained consent for making contact?

Describe Information Flows to prevent function creep. E.g. Obtained, used, retained.

- Does the project involve new or substantially changed identity authentication requirements that may be intrusive or onerous?
- Will the project result in the handling of a significant amount of new data about data subjects, or change in existing data holding?
- Will the project involve collecting information about a significantly larger group of people?
- Will the data be linked to other systems? For example, will there be new interfaces that link this data to other previously unconnected systems?
- Will there be new or changed data collection policies or practices that may be unclear or intrusive?
- Does the project involve new or changed data quality assurance processes or standards that may be unclear or intrusive?
- Does the project involve new or changed data security arrangements that may be unclear or intrusive?
- Does the project involve new or changed data access or disclosure arrangements that may be unclear?
- Does the project involve new or changed data retention arrangements that may be unclear?
- Does the project involve changing the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before?
- Will the project give rise to new or changed data handling that is in any way exempt from legislative privacy protections?

Section two

What types of information are involved? Please indicate all likely data types.

Personal Information (please tick):
- Name
- Initials only
- Address
- Postcode
- Part of Post Code
- NHS Number
- Local identifier
- Date of Birth
- Staff Administration Number
- Staff designation

Sensitive Information (please tick):
- Health/Clinical related information
- Religion
- Racial category
- Disabilities
- Sexual persuasion
- Safeguarding Adult or Children
- Personal banking/financial information
- Criminal convictions
- Trade Union affiliation

Any other types of information not mentioned above please outline below.

Data Flows. Describe the information flows of the project. Explain what information is used, what it is used for, who it is obtained from and disclosed to, who will have access, and any other necessary information.

Risk

Risk to Individuals

- Inadequate disclosure controls increase the likelihood of information being shared inappropriately.
- The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people's knowledge.
- New surveillance methods may be an unjustified intrusion on their privacy.
- Measures taken against individuals as a result of collecting information about them might be seen as intrusive.
- The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect.
- Identifiers might be collected and linked which prevent people from using a service anonymously.
- Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information.
- Collecting information and linking identifiers might mean that an organisation is no longer using information which is safely anonymised.
- Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.
- If a retention period is not established information might be used for longer than necessary.

Corporate and compliance Risk

- Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage.
- Problems which are only identified after the project has launched are more likely to require expensive fixes.
- The use of biometric information or potentially intrusive tracking technologies may cause increased concern and cause people to avoid engaging with the organisation.
- Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business.
- Public distrust about how information is used can damage an organisation's reputation and lead to loss of business.
- Data losses which damage individuals could lead to claims for compensation.
- Non-compliance with the Privacy and Electronic Communications Regulations (PECR).
- Non-compliance with sector specific legislation or standards.
- Non-compliance with human rights legislation.

Identify the key privacy risks and the associated compliance and corporate risks. Larger-scale PIAs might record this information on a more formal risk register.

Privacy issue | Risk to individuals | Compliance risk | Associated organisation / corporate risk

Identify privacy solutions

Describe the actions you could take to reduce the risks, and any future steps which would be necessary (e.g. the production of new guidance or future security testing for systems).

Risk | Solutions | Result: is the risk eliminated, reduced, or accepted | Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?

Signed: ........ Date: ........ Project Lead

Signed: ........ Date: ........ Head of Information Governance


More information

The Newcastle Upon Tyne Hospitals NHS Foundation Trust. Aggregating Data and Learning from Incidents, Complaints and Claims Policy

The Newcastle Upon Tyne Hospitals NHS Foundation Trust. Aggregating Data and Learning from Incidents, Complaints and Claims Policy The Newcastle Upon Tyne Hospitals NHS Foundation Trust Aggregating Data and Learning from Incidents, Complaints and Claims Policy Version no. 2.1 Effective from: 2 nd October 2012 Expiry date: 31 st October

More information

This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events

This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events A summary of what this notice explains Merton College is committed to protecting the

More information

Moving and Handling Policy

Moving and Handling Policy Moving and Handling Policy Ratified Governance and Risk Committee Status Approved Issued August 2014 Approved By Governance and Risk Committee Consultation Governance and Risk Committee Equality

More information

General Optical Council. Data Protection Policy

General Optical Council. Data Protection Policy General Optical Council Data Protection Policy Authors: Lisa Sparkes Version: 1.2 Status: Live Date: September 2013 Review Date: September 2014 Location: Internet / Intranet Document History Version Date

More information

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY Dingwall Baptist Church DATA PROTECTION POLICY Adopted: By Trustees Dingwall Baptist Church May 2018 1 Dingwall Baptist Church is committed to protecting all information that we handle about people we

More information