Data Protection Impact Assessment (DPIA)


Data Protection Impact Assessment (DPIA) Section 1: System/Project General Details

System/project/process (referred to thereafter as ‘project’) title:

Leeds Teledermatology Project

Objective: To enable consultant dermatologists to make safe and accurate diagnosis of the skin conditions of Leeds patients on the basis of images, rather than requiring all patients to attend individual face to face appointments

Detail: Why is the new system/change in system required? Is there an approved business case?

The new system/change in system is required in order to significantly reduce the numbers of face to face appointments required within specialist dermatology services. This will free up capacity enabling patients with suspected skin cancers to be seen more quickly, offer a greater proportion of specialist dermatological capacity to be used to provide routine appointments, reducing their waits also; and put the city in a far stronger position to safely and effectively manage the forecast rapid increase in skin cancer referrals. A business case was developed across citywide stakeholders in order to attract Cancer Transformation Fund resources. This was approved in September 2017.

Stakeholders/Relationships/Partners: Please outline the nature of such relationships and the corresponding roles of other organisations.

Stakeholders include Leeds Teaching Hospitals Trust, Leeds General Practices, and the Leeds Clinical Commissioning Groups Partnership. Leeds General Practices will begin the process of implementing the new system, by attaching images of their patients to dermatology referrals made using e-RS. Leeds Teaching Hospitals Trust are responsible for ensuring that referrals received using e-RS with images attached are processed appropriately so that they are available for the specialist dermatologists to view and make their triaging decision. The specialist dermatologists are responsible for making the appropriate triage decision in accordance with agreed protocols. Leeds Teaching Hospitals are also responsible for taking the appropriate next steps following the triaging decision, which may be discharge, advice and guidance, or making a booking into the appropriate service. The Leeds Clinical Commissioning Groups Partnership have provided project management, and taken the lead on procurement and quality assurance on all aspects of the project and related assets (hardware and software). The Leeds Clinical Commissioning Groups Partnership have also led on the development of new contractual and financial arrangements that enable providers to adopt the new system.

Other related projects: N/A

Project lead: Name:

Title: Click here to enter text.

Department: Click here to enter text.

Telephone: Click here to enter text.

Email Click here to enter text.

Information Asset Owner: All information systems/assets must have an Information Asset Owner (IAO). IAOs should normally be a Head of Department/Service.

Name: Named Individual in GP Practices

Title:

Department:

Telephone:

Email

Page 2 of 13 Version: 3.1

Information Asset Administrator: Information systems/assets may have an Information Asset Administrator (IAA) who reports to the IAO. IAAs are normally System Managers/Project Leads.

Name:

Title:

Department:

Telephone:

Email


Section 2: Data Protection Impact Assessment Key Questions

Question Response

Data Items

1. Will the project use identifiable or potentially identifiable data in any way? If answered ‘No’ then a DPIA is not normally suggested.

☒ Yes ☐ No If yes, who will this data relate to:

☒ Patient

☐ Staff

☐ Other: Click here to enter text.

2. Please state purpose for the processing of the data: For example, patient care, commissioning, research, audit, evaluation.

Patient care. Enabling consultant dermatologists to view images of dermatological conditions quickly and make diagnostic decisions where safe to do so will substantially reduce the wait times of all patients who require treatment, and provide swift peace of mind and reassurance to those that do not.

3. Please tick the data items that are held in the system

Personal; Special categories of personal data (sensitive data)

☐ Name ☐ Address

☐ Post Code ☐ Date of Birth

☐ GP Practice ☐ Date of Death

☒ NHS Number ☐ NI Number

☐ Passport Number ☐ Pseudonymised Data

☐ Online Identifiers (e.g. IP Number, Mobile Device ID)

☐ Health Data ☐ Trade Union membership

☐ Political opinions ☐ Religion

☐ Racial or Ethnic Origin ☐ Sex life and sexual orientation

☐ Biometric Data ☐ Genetic Data

☒ Other: Images of suspicious lesions taken during the patient consultation with the General Practitioner

4. What consultation/checks have been made regarding the adequacy, relevance and necessity for the processing of the data for this project?

Comprehensive consultation with the Dermatology Consultants at Leeds Teaching Hospitals has identified that having an image of the suspicious lesion available to them when triaging referrals allows them to make a quicker diagnosis for the patient and to improve access to see a Consultant where required. Only the minimum data required for this extended process will be held. The photo-images will be retained for medico-legal purposes and will technically comprise part of the patient’s primary care record. As such the data needs to be patient-identifiable via reference to their NHS number.

5. How will the data be kept up to date and checked for accuracy and completeness?

The image uploaded to the patient's record will be accurate at the time of taking the image and will not require updating.


Data processing

6. Will a third party be processing data on the CCG or one of its contractors?

☒ Yes ☐ No If no, please go to the Confidentiality section.

7. Is the third party contract/supplier of the project registered with the Information Commissioner? This is required until 25 May 2018.

☒ Yes ☐ No Organisation: Consultant Connect Data Protection Registration Number: ZA106470

8. Has the third party supplier completed and published a satisfactory Information Governance Toolkit submission? Please note that from 1 April 2018 the IG Toolkit will be replaced with the Data Security and Protection Toolkit.

☒ Yes ☐ No

If yes, please give organisation code and percentage score: 8JC53 66% IG Toolkit Score:

☒ Satisfactory ☐ Not satisfactory

☐ Satisfactory with Improvement Plan

If satisfactory with an improvement plan, please request a copy of the plan and enclose it with this assessment. If not satisfactory, please explain how the service has been procured: Click here to enter text.

9. Does the third party/supplier contract(s) include all the necessary Information Governance clauses regarding Data Protection and Freedom of Information? See Contract and Commissioning Information Governance Assurance checklist.

☒ Yes ☐ No Is the contract based on or utilise the NHS standard contract?

☒ Yes ☐ No

10. Will other third parties (not already identified) have access to the data? Include any external organisations.

☒ Yes ☐ No If so, for what purpose? Click here to enter text. Please list organisations and by what means of transfer: Leeds Teaching Hospitals NHS Trust through attachments to referrals made through the NHS e-referral system

Confidentiality


11. Please outline how individuals will be informed and kept informed about how their data will be processed. A copy of the privacy notice and/or leaflets must be provided.

During the initial consultation with the patient the GP will explain why the images are being taken and that they will be held in the practice as part of their clinical record. They will be informed that the images will be linked to their NHS Number. An information leaflet has been produced which outlines the process and why the images are being taken and what will happen to them. This will be made available to the patient before the images are taken. The application used for taking the images (PhotoSAF) requires the GP to confirm that consent has been given before they are able to take the images.

12. Does the project involve the collection of data that may be unclear or intrusive? Are all data items clearly defined? Is the data collected limited to a specific set of predefined categories?

☐ Yes ☒ No If yes, please explain: Click here to enter text.

13. Are you relying on individuals (patients/staff) to explicitly consent to the processing of personal identifiable or sensitive data? Please provide copies of any consent documentation that will be used, including patient information leaflets.

☐ Yes ☒ No (Go to next question) How will consent be obtained and by whom? Will the consent cover all proposed processing and sharing/disclosures?

☐ Yes ☐ No If no, please detail: Click here to enter text.

14. If explicit consent is not being sought, what legal basis enables this data processing? For more information about conditions for processing, please see the ICO’s GDPR website.

Personal data (identifiers and potentially identifiable data):

☐ Relating to a contract: Click here to enter text.

☐ Legal obligation: Click here to enter text.

☐ Vital interests: Click here to enter text.

☒ Public task: Article 6(1)(e)

☐ Other: Click here to enter text. Special categories of personal data (sensitive data), if applicable:

☒ Medical related: Article 9(2)(h)

☐ Public Health: Click here to enter text.

☐ Employment related: Click here to enter text.

☐ Vital interests: Click here to enter text.

☐ Already public: Click here to enter text.

☐ Legal claim related: Click here to enter text.

☐ Substantial public interest: Click here to enter text.

☐ Other: Click here to enter text.


15. Will identifiable data only be handled within the patients’ direct care team (in accordance with the Common Law Duty of Confidentiality)?

☒ Yes ☐ No If no, please detail: Click here to enter text.

16. How will consent, non-consent, objections or opt-outs be recorded and respected?

If the patient does not give consent to the images being taken then this will be recorded in the patient’s clinical record and their referral will be made without any images attached. When this occurs, the patient will routinely be offered an appointment in the same way that occurs currently.

17. What arrangements are in place to process Subject Access Requests? What would happen if such a request were made?

Each General Practice has a policy in place which allows their patient to request copies of the images that are stored on their patient record. The Practice would be able to print off the images and provide these to the patient, or the patient would be able to see the images under the usual Practice policy for access to patient records.

18. Will the processing of data be automated? Will the proposed processing of data involve automated means of processing to determine an outcome for the individual?

☐ Yes ☒ No

☐ Not applicable If yes, please outline what arrangements are available to enable the individual access and to extract data (in a standard file format). Please also detail any profiling that may take place as part of automated processing: Click here to enter text.

19. What process is in place for rectifying/blocking data? What would happen if such a request were made?

Patient Identifiable Information could not be rectified, as once the photo-image is taken it is fixed; however, the image can be erased upon receipt of written authorisation. When this is received, removal of the mapping from the public name to the object can start immediately and would generally be processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the deleted object. The photo images are then permanently deleted from the Consultant Connect system.

Engagement

20. Has stakeholder engagement taken place?

☒ Yes ☐ No If yes, how have any issues identified by stakeholders been considered? All issues are discussed at the teledermatology steering group which comprises the Dermatology Consultants from Leeds Teaching Hospitals, commissioning leads within Leeds CCG and GPs. The project plan also incorporates patient engagement. If no, please outline any plans in the near future to seek stakeholder feedback: Click here to enter text.


Data Sharing

21. Does the project involve any new data sharing between stakeholder organisations?

☒ Yes ☐ No If yes, please describe: The project involves the sharing of images taken of a patient’s dermatological lesion between the patient’s general practice and the LTHT consultant dermatology team. The pathway involves the following steps:

1. The GP will explain to the patient that three photos will be taken of their lesion, one to show the location of the lesion and two further photos to show a close up of the lesion and a magnified image. These photos will be sent with the referral letter to the Consultant at LTHT.

2. The GP will obtain verbal consent from the patient to having these photos taken, informing them that they will be linked to their NHS number and saved on an IG-compliant secure cloud. If no consent is given then the referral will be sent without photos attached.

3. If consent is obtained the GP takes the photos using an iPod which has been loaded with the PhotoSAF application. The application confirms that consent has been obtained before allowing photos to be taken.

4. Once all three photos are taken the GP types in the NHS Number on the PhotoSAF application.

5. At this stage the photos are sent via the application to the IG-compliant secure cloud managed by Consultant Connect and no photo images remain on the iPod.

6. The Photo images taken by the GP are stored as fully encrypted digital files which are accessible only by the relevant GP practice.

7. The secretary (or GP) then accesses the cloud using a unique logon and password combination. They will select the appropriate photos using the NHS number as the reference and then save these photos on to the secure server at the practice.

8. The photos are then attached to the patient’s clinical record on the practice clinical system e.g. SystmOne or EMIS.

9. Once the images have been sent with the referral the Practice will delete the images from the Consultant Connect PhotoSAF Cloud.

10. These photos along with a completed two week wait referral form for dermatology are sent via e-RS to the Consultant at LTHT to allow them to make a diagnosis and provide the appropriate level of care for the patient.


A schematic diagram of this data flow is attached as Appendix 1 – ‘PhotoSAF inc downloads 060218.pdf’

Data Linkage

22. Does the project involve linkage of personal data with data in other collections, or significant change in data linkages? The degree of concern is higher where data is transferred out of its original context (e.g. the sharing and merging of datasets can allow for a collection of a much wider set of information than needed and identifiers might be collected/linked which prevents personal data being kept anonymously)

☒ Yes ☐ No If yes, please provide a data flow diagram showing how identifiable information would flow and ensure this is added to the CCG Information Asset and Data Flow Register (see Information Assets and Data Flows section). A schematic diagram of this data flow is attached as Appendix 1 – ‘PhotoSAF inc downloads 060218.pdf’

Information Security

23. Who will have access to the data within the project? Please refer to roles/job titles/organisations.

General Practitioners / Practice admin staff, Admin staff at Leeds Teaching Hospitals Trust processing referrals through e-referral, Consultant Dermatologists at Leeds Teaching Hospitals Trust

24. Is there a useable audit trail in place for the project? For example, to identify who has accessed a record?

☒ Yes ☐ No

☐ Not applicable If yes, please outline the audit plan: Consultant Connect can provide a detailed audit trail with authorised access to PID (Permissions) and the extent to which those authorised users actually access PID (Access). SystmOne and e-referral are both accessed using an individual user's smartcard and an audit trail can be obtained for any user.

25. Where will the data be kept/stored/accessed? Where applicable, please refer to data flow diagram.

The patient identifiable information linked to the NHS number, which is fully encrypted, is retained within a secure virtual private cloud that is dedicated to Consultant Connect and is provided by Amazon Web Services (AWS). According to the UK government, AWS meets TIA-942 Tier 4 standards (Please see certificate attached as Appendix 2 – ‘Consultant Connect AWS ISO 27001 Global Certification – Exp Nov 2019’). The AWS secure virtual private cloud is physically located in the UK with high physical security and ISO/IEC 27001 certification. No data associated with the Consultant Connect service is stored in any other territory.


26. Please indicate all methods in which data will be transferred

☐ Fax ☐ Email (Unsecure/Personal)

☐ Email (Secure/nhs.net) ☐ Internet (unsecure – e.g. http)

☐ Telephone ☒ Internet (secure – e.g. https)

☐ By hand ☐ Courier

☐ Post – track/traceable ☐ Post – normal

☐ Software ☒ Mobile app

☒ Other: NHS e-referral system

27. Does the project involve privacy enhancing technologies? New forms of encryption, two factor authentication and/or pseudonymisation.

☒ Yes ☐ No If yes, please give details: The AWS secure virtual private cloud has high levels of physical security and is ISO/IEC 27001 certified. Digital security is such that access to PID is only via secure web-portal and is controlled via a long random password/username combination with Advanced Encryption Standard (AES) encryption: Data-in-transit is controlled via username and password combinations (with ~238 bits of entropy) with all data transfer between servers employing strong cryptography (TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Data-at-rest is encrypted with AES-256 with each file using a unique key and keys stored encrypted (also using AES-256) via a master key. The master keys are regularly rotated.

28. Is there a documented System Level Security Policy (SLSP) or process for this project? A SLSP is required for new systems – this is likely to need to be completed by the supplier.

☐ Yes ☐ No

☒ Not applicable If yes, please provide a copy.

Privacy and Electronic Communications Regulations

29. Will the project involve the sending of unsolicited marketing messages electronically such as telephone, fax, email and text? Please note that seeking to influence an individual is considered to be marketing.

☐ Yes ☒ No If yes, what communications will be sent? Click here to enter text. Will consent be sought prior to this?

☐ Yes ☐ No If no, please explain why consent is not being sought first: Click here to enter text.

Records Management

30. What are the specific retention periods for this data? Please refer to the Records Management Code of Practice for Health and Social Care 2016 and list the retention period for identifiable project datasets.

Images held on the Consultant Connect PhotoSAF cloud will be deleted once the referral has been sent. Data is held as photo images within the GP patient record and will be retained until 6 years after death as per the Records Management Code of Practice for Health and Social Care 2016.


31. Will the data be securely destroyed when it is no longer required?

☒ Yes ☐ No If no, please detail: Click here to enter text.

Information Assets and Data Flows

32. Has an Information Asset Owner been identified and does the Information Asset and Data Flow Register require updating? Please see the Information Asset Register and Data Flow Mapping Form.

☐ Yes ☒ No If yes, include the completed Information Asset Register New Entry Form. The Information Asset Owners are the GP Practices, who are individually registered with the Information Commissioner's Office for data protection. Does this project constitute a change to existing Information Asset(s) or is this a new Information Asset?

☐ Yes ☒ No If yes, include the completed Information Asset Register and Data Flow Mapping Form for risk review.

Business Continuity

33. Have the business continuity requirements been considered?

☒ Yes ☐ No

☐ Business Continuity is not applicable Please explain and either reference how such plans link with the organisational plan or why there are no business continuity considerations that are applicable for this project: Consultant Connect has a Business Continuity and Disaster Recovery Policy. Should there be any data loss then this would be recoverable via the cloud-based real-time back-ups.

Open Data

34. Will identifiable/potentially identifiable data from the project be released as Open Data (placed into the public domain)?

☐ Yes ☒ No If yes, please describe: Click here to enter text.

Data Processing Outside of the UK and European Union (EU)

35. Will any personal and/or sensitive data be transferred to a country outside the UK?

☐ Yes ☒ No If yes, which data and to which country? Click here to enter text.


36. Will any personal and/or sensitive data be transferred to a country outside the European Union?

☐ Yes ☒ No If yes, are transfers subject to appropriate safeguards as specified in the GDPR?

☐ Yes ☐ No If yes, who completed and determined this? Click here to enter text.


Section 3: Privacy/Data Protection Impact Assessment Information Governance Review (for completion by IG)

Information Governance Review Response

Issue 1: Assurance as to where the cloud storage is hosted and that there is dedicated storage (data segregation) in the cloud provider

Potential Risk: Location of the cloud and how data is stored could leave this open to

Recommendation: Assurance sought from provider on location and data storage

Agreed Action: The patient identifiable information, which is fully encrypted, is retained within a secure virtual private cloud that is dedicated to Consultant Connect and is provided by Amazon Web Services (AWS). According to the UK government, AWS meets TIA-942 Tier 4 standards. The AWS secure virtual private cloud is physically located in the UK with high physical security and ISO/IEC 27001 certification. No data associated with the Consultant Connect service is stored in any other territory. The AWS secure virtual private cloud has high levels of physical security and is ISO/IEC 27001 certified. Digital security is such that access to PID is only via secure web-portal and is controlled via a long random password/username combination with Advanced Encryption Standard (AES) encryption: Data-in-transit is controlled via username and password combinations (with ~238 bits of entropy) with all data transfer between servers employing strong cryptography (TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Data-at-rest is encrypted with AES-256 with each file using a unique key and keys stored encrypted (also using AES-256) via a master key. The master keys are regularly rotated.

Completion Date and Initials: Abi Dakin, CCG Information Security Lead reviewed and found security satisfactory – 24/04/2018

Issue 2: Data controllership of the data. As CCG is commissioner for the means of processing, the relationship to the data needs to be established

Potential Risk: Commissioner controls the means of processing by procuring the products acquiring data controllership

Recommendation: Appoint an information asset owner – responsible for ensuring that the standard operating procedures are adhered to and meet requirements of the practice in terms of their legal responsibility and protection

Agreed Action: The GP Practice and LTHT are Data Controllers, Consultant Connect are Data Processors.

Completion Date and Initials: Consultant Connect clarified role, as data processors – 25/04/2018.

Issue 3: Data being accessible and stored on the mobile device

Potential Risk: Risk that data is breached by unauthorised access through loss, theft or malicious intent

Recommendation, Agreed Action and Completion:

Data is not stored on the device. Instantaneous transfer.

iPod locked and cannot be used for any other purpose, password protected. Encrypted protection against loss and theft – data is not stored on the phone

Standard Operating Procedure for usage of the device will ensure the hardware and software are managed appropriately

Devices controlled by CCG Informatics team.

Issue 4: Assurances are needed around how files are deleted and transferred, and how consent is captured and recorded in our system

Potential Risk: Compliance rests on the processes of deletion, transfer and legal basis for processing – no evidence of assurance means data controllers are in breach of the DPA and GDPR

Recommendation: Assurances from the supplier on these technical and process attributes

Agreed Action: PID will be erased or transferred upon receipt of written authorisation. Once any data transfer arrangements have been concluded, removal of the mapping from the public name to the object starts immediately, and would generally be processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the deleted object. The photo images are then permanently deleted from the Consultant Connect system.

Consent is obtained and recorded on the PhotoSAF application before the images are taken and the consent will also be recorded on the GP Clinical System on the referral form.

Once the photo has been downloaded from the Consultant Connect Cloud into the patient's record it will be deleted from the Consultant Connect Cloud by Practice staff

Completion Date and Initials: Consultant Connect confirmed processes – 25/04/2018.

IG review completed by: John Robinson Date complete and endorsed: 26/04/2018 Review date: 21/05/2018
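
The data-at-rest scheme stated in the answer to question 27 and repeated under issue 1 of the Information Governance review (a unique AES-256 key per file, each key stored encrypted under a master key that is rotated) can be sketched in Go as follows. This is an added example and not Consultant Connect's code; the GCM mode, the binding of each blob to a record name, and the names KeyStore, StoredFile, EncryptFile, DecryptFile and Rewrap are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue without a working CSPRNG
	}
	return b
}

// gcmFor builds AES-256-GCM; GCM is this example's assumption (the page says only "AES-256").
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key missing or not 32 bytes")
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad ties the blob to one record name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("key unavailable or blob truncated")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyStore maps master-key IDs to master keys (hypothetical stand-in for a key service).
type KeyStore map[string][]byte

// StoredFile is what reaches storage: no plaintext and no unwrapped data key.
type StoredFile struct {
	MasterID               string
	WrappedKey, Ciphertext []byte
}

// EncryptFile gives each file its own data key and keeps that key only in wrapped form.
func (ks KeyStore) EncryptFile(masterID, name string, data []byte) (*StoredFile, error) {
	dataKey := randBytes(32)
	wrapped, err := seal(ks[masterID], dataKey, []byte(name))
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, data, []byte(name))
	if err != nil {
		return nil, err
	}
	return &StoredFile{MasterID: masterID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

func (ks KeyStore) DecryptFile(name string, f *StoredFile) ([]byte, error) {
	dataKey, err := open(ks[f.MasterID], f.WrappedKey, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap with %q: %w", f.MasterID, err)
	}
	return open(dataKey, f.Ciphertext, []byte(name))
}

// Rewrap is master-key rotation for one file: only the wrapped key is replaced.
func (ks KeyStore) Rewrap(newID, name string, f *StoredFile) error {
	dataKey, err := open(ks[f.MasterID], f.WrappedKey, []byte(name))
	if err != nil {
		return fmt.Errorf("unwrap with %q: %w", f.MasterID, err)
	}
	wrapped, err := seal(ks[newID], dataKey, []byte(name))
	if err == nil {
		f.MasterID, f.WrappedKey = newID, wrapped
	}
	return err
}

func main() {
	ks := KeyStore{"master-v1": randBytes(32), "master-v2": randBytes(32)}
	f, _ := ks.EncryptFile("master-v1", "record-0001", []byte("constructed sample image"))
	err := ks.Rewrap("master-v2", "record-0001", f)
	pt, derr := ks.DecryptFile("record-0001", f)
	fmt.Printf("rewrap=%v decrypt=%v master=%s data=%q\n", err, derr, f.MasterID, pt)
}
```

Rotation re-encrypts only the 32-byte data key, so the stored image ciphertext is never rewritten. An old master key can be destroyed only after every file has been rewrapped, because a file still wrapped under it becomes unreadable.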