Privacy Impact Assessment for Start4Life Information Service for Parents (S4L ISP)

Transcription

1 Document filename: Privacy Impact Assessment Start4Life Information Service For Parents (S4L ISP) Directorate / Programme IG & Standards Project Information Service for Parents (ISP) Document Reference Project Manager Ugo Ulebor Status Draft Owner Kofi Yeboah Version 0.6 Author Ugo Ulebor Amtar Ali Version issue date 04/05/2015 Privacy Impact Assessment for Start4Life Information Service for Parents (S4L ISP) HSCIC Privacy Impact Assessment Copyright 2014 Health and Social Care Information Centre

2 Document Management Revision History Version Date Summary of Changes Initial Draft Amended section Minor amends to section Significant amendments to the initial draft Minor amends to section 3.1, 3.5, 2.2(1) Document Control: The controlled copy of this document is maintained in the HSCIC corporate network. Any copies of this document held outside of that area, in whatever format (e.g. paper, attachment), are considered to have passed out of control and should be checked for currency and validity. Reviewers This document must be reviewed by the following people: Reviewer name Title / Responsibility Date Version Freya Lock Amtar Ali Andy Dickinson Kofi Yeboah Jennifer Childs PHE- Information Service for Parents Programme Lead PHE - Point of Care Sign Up Delivery and Programme Manager Information Service for Parents HSCIC- Information Governance Subject Matter Expert HSCIC- Programme Manager Senior Policy Officer, Information Commissioners Office 01/05/ /05/ Crown Copyright 2015 Page 2 of 18

3 Approved by This document must be approved by the following people: Name Signature Title Date Version Freya Lock PHE- Information Service for Parents Programme Lead Kofi Yeboah HSCIC- Cross Government Programme Manager Glossary of Terms Term / Abbreviation HSCIC SCCI NIB HRA CAG PCD PIA What it stands for Health & Social Care Information Centre Standards Committee for Commissioning Information National Information Board Health Research Authority Confidentiality Advisory Group Personal Confidential Data Privacy Impact Assessment Crown Copyright 2015 Page 3 of 18

4 CONTENTS 1. About this Document Reasons for a Privacy Impact Assessment Audience Purpose of the Project Purpose of the PIA 6 2. Privacy Impact Assessment Process Consultation with Stakeholders Privacy Impact Assessment Questions 7 3. Risk Management Analysis of feedback Risks identified Impact of Risks and Countermeasures Recommended Further Actions Register Risks Signatories 17 Crown Copyright 2015 Page 4 of 18

5 1. About this Document This Privacy Impact Assessment (PIA) identifies and reduces the privacy risks of Start4Life Information Service for Parents. 1.2 Reasons for a Privacy Impact Assessment The purpose of this document is to establish the requirement and procedures for a Privacy Impact Assessment to be carried out in relation to the Start4Life Information Service for Parents Programme. This Privacy Impact Assessment: Describes the purpose and objectives of the Start4Life Information Service for Parents programme Assesses the potential implications for privacy; and Explains what PHE and the HSCIC will do to protect privacy 1.3 Audience This PIA Report is produced for the attention of the Start4Life Information Service for Parents. This document is also aimed at all parties that will contribute to the S4L ISP project, including HSCIC, SCCI and NHS Trusts. 1.4 Purpose of the Project The purpose and scope of the Project under assessment is as follows; Purpose It is well evidenced and understood that what happens during a person s early years, starting in the womb, has lifelong effects on many aspects of health and wellbeing, from obesity, heart disease & mental wellbeing, to educational achievement and economic status. Research shows that becoming a parent presents an opportunity to provide information to support behaviour change and that when looking for information and advice people want validated sources of authority, such as the NHS. That is why the public health white paper Healthy Lives, Healthy People emphasises the importance of giving all children a healthy start to life. It sets out plans for the Healthy Child Programme, Health Visitors and the Family Nurse Partnership and shows how these contribute to the wider public health priority of encouraging good health and wellbeing throughout life. More recently the Giving All Children A Healthy Start in Life policy includes actions to help encourage healthy living from an early age by giving parents and parents to be a wide range of trusted information and advice on how to encourage a healthy diet and physical activity in young children through regular s, text messages and short videos from the Information Service for Parents (ISP). The ISP is a service which is part of the Start 4 Life (S4L) programme within Public Health England (PHE). This project is dedicated to developing an information sharing platform between the NHS and PHE that will provide every parent-to-be with the opportunity to sign up for the S4L ISP at the point of care. Currently expectant and new parents are able to sign up to the S4L ISP voluntarily via the NHS Choices website. The intention is to move from voluntary sign up to a more proactive method Crown Copyright 2015 Page 5 of 18

6 of sign up at the point of care in order to provide more parents with evidence-based information and advice which can help them to give their children the best start in life. Scope Midwives will capture the informed consent from parents-to-be at their Booking In appointment (where they book in for antenatal care) between 8 and 12 weeks of pregnancy to sign them up to the S4L ISP. This will enable parents-to-be to receive regular s and / or text messages from the S4L ISP containing information and advice on pregnancy, child development, child health and parental health. 1.4 Purpose of the PIA Privacy Impact Assessments were launched in the UK by the Information Commissioner in December 2007 and were mandated by the Cabinet Office for information and communications technology (ICT) projects following the Data Handling Review of June This Privacy Impact Assessment will: Address privacy risks as part of overall project management processes Formalise steps that should already be taken as part of the S4L ISP service development and the wider impact assessment processes Ensure that data protection risks are properly identified and addressed wherever possible, and that decision-makers have been fully informed of the risks and the options available for mitigating them To manage privacy risks identified by the PIA the process will consider; Necessity - why is it necessary for the organisation to do this? What purpose is being served? For example, is it to deliver a better public service? Proportionality - does the outcome justify the means? Would it be possible to achieve the same outcome with less data sharing or less invasion of privacy? What safeguards are in place to prevent the information being abused or accessed inappropriately? Legal basis does the law allow this use of personal information to take place? 2. Privacy Impact Assessment Process Conducting this PIA involved working with people within the organisation, with partner organisations and with the people affected to identify and reduce privacy risks. 2.1 Consultation with Stakeholders Our process of conducting a PIA had begun early in the project. This PIA will run alongside the programme development process where consideration of privacy issues will be developed into part of the PIA. Early consultation with key stakeholders had identified a number of privacy issues concerning personal information and technology. Crown Copyright 2015 Page 6 of 18

7 Professionals consulted to date include: Bob Gann, Programme Manager S4L ISP, PHE Kofi Yeboah, Programme Manager, HSCIC Ugo Ulebor, Project Manager, HSCIC David Low, National Lead for Paediatrics and Child Health, NHS England Robyn Glen, Digital Lead, PHE Andy Dickinson, IG, HSCIC Jennifer Childs, Senior Policy Officer - Information Commissioner s Office 2.2 Privacy Impact Assessment Questions Identified PIA questions and responses are recoded below from the stakeholder consultation sessions. (1) Name of Stakeholder Group, Data Consulted ISP Project Team and NHS England representative, November 24, 2014 (2) The purposes and reasons for collecting personal information (Necessity). (2.1) Could the aims of the project be achieved without the collection and use of personal information? No. The S4L ISP is an existing service that already collects data which are necessary, proportionate and legal in accordance with legislative and organisational guidelines. Point of Care sign-up is a constituent part of the national programme and complements existing services. The aim of Point of Care sign-up is to provide every parent-to-be in England with the opportunity to sign up to the Start4Life Information Service for Parents at point of care as opposed to signing themselves up to the service as now. Point of Care cannot function with the minimum required personal information. This minimum data set is vital in order to provide personalised information and advice to parents to be and new parents. The S4L ISP contributes to PHE s priority to give every child the best possible start in life, by providing information, advice and support to expectant and new parents of young children on health, wellbeing and developmental milestones. The S4L ISP in an innovative digital advice service in the form of s, including video clips and SMS messages specifically aimed at parents-to-be and new parents in England. It provides relevant high quality, evidence based information in a timely manner, using the trusted NHS brand, and it also makes use behaviour change tools to support expectant and new parents to improve their and their family s health and wellbeing. Crown Copyright 2015 Page 7 of 18

8 (2.2) Could the aims of the project be achieved without the sharing of personal information between organisations? No. The minimum information is required to provide personalised information service to parents. The principle of personalisation in the S4L ISP service is to add value to a parent s choice by forwarding trusted information and advice. It is about informing and engaging parents about health and wellbeing during pregnancy and up until their child is five years old.., It Also provides personalised information at the development stages of the child and the availability of trusted information by a click making information accessible at all times. Personal details gathered at the point of care (Maternity) and stored by Public Health England (PHE) comprise:- First name of Mother Mother s address (registrants can opt to have s, SMS or both so data captured needs to be address and / or mobile number) Mother s Mobile number (as above) Baby s due date Mother s Full Postcode Partner s name (optional and where direct consent of the partner has been obtained) Partner s address (as above) (see note relating to mother s address and / or mobile number) Partner s Mobile Number (as above) (see note relating to mother s address and / or mobile number) Date of Birth of other Children (0 to 5years) (optional) (2.3) What are the privacy risks associated with how long data is retained and how might they be mitigated? A policy on data retention was agreed in conjunction with NHS Choices as part of a previous PIA that the data will be held for up to 6 years. S4L ISP is in the process of developing service to include content for up to 5 years by March Point of Care is a new initiative designed to work with local NHS Trusts across England and given the geographical and socio-economic differences, it is vital to understand trends, geographical differences, needs of communities and healthcare professionals. In order to further develop this programme, we need to be able to: Trace and identify the source for a period of time to understand trends Identify the type of communications s or SMS Analyse interest by gender and geography This will enable the programme to analyse anonymised data to establish and forecast trends. Particularly: Understanding the trends by monitoring progress by areas, gender and methods of communication Crown Copyright 2015 Page 8 of 18

9 Developing strategies to improve uptake of S4L ISP Service In line with the fifth data protection principle, we will: review the length of time we keep personal data consider the purpose we hold the information for in deciding whether (and for how long) to retain it securely delete information that is no longer needed update, archive and securely delete information if it goes out of date (2) The amount of personal information collected and how it is processed (Proportionality). (3.1) Given the amount of data collected, what are the privacy risks? How might they be mitigated? Point of care sign-up to the S4L ISP involves the extraction of personal confidential data from the Trust s Maternity Information System/records, including sensitive personal data as defined in the Data Protection Act Identifiers (estimated due date, postcode, and name etc.) are extracted from providers and sent to the HSCIC. As with any disclosure of personal confidential data, there are associated risks to privacy and confidentiality. Therefore, the he privacy impact will be considered in three areas: The extraction of personal confidential data into the HSCIC 1 The processing of the personal confidential data when held by the HSCIC The onward of disclosure of data from the HSCIC The extraction of personal confidential data into the HSCIC Extraction of the S4L ISP Data set will be on the minimum of a weekly basis using Strategic Data Collection Service (SDCS). SDCS will provide a secure location for ISP data transfer to take place via Secure Transfer Protocol or HTTPS. In accordance with the Data Protection Act 1998, only the minimum necessary patient identifiable data will be collected. The S4L ISP data set has been considered by SCCI, PHE IG process and the Information Commissioner s Office (ICO). Data collected are fundamental to the delivery of PHE strategic priority to give children the best start in life, the S4L ISP programme and necessary to improving the health of babies, children and parents. The possible impact on privacy is that some people may feel a loss of individual autonomy and some patients may not be aware of or understand their choices. 1 The technical options are in development and this is a possible way forward. Crown Copyright 2015 Page 9 of 18

10 To mitigate this, we have the following control measures in place: An Information Sharing Agreement with each participating Trust and working towards developing National Information Sharing Agreement Midwifes are supported to seek consent from patients at the point of registration A detailed FAQs for participating Trusts Testing of materials and approach is part of the developmental phase and will be evaluated for learning purposes before the national roll-out Welcome will provide patients with an option to unsubscribe from the service and will provide further information about the service, Terms and Conditions, responsibilities and data management process and approaches Every and or text provides recipients the opportunity to unsubscribe Weekly and Monthly monitoring and evaluation of key privacy issues at strategic and operational level facilitated by PHE Information Service for Parents Programme Lead The processing of the personal confidential data when held by the HSCIC Under the Health and Social Care Act 2012, the HSCIC is established as a 'safe haven' with powers to collect and analyse confidential information about patients. The HSCIC will process the personal confidential data for point of care sign-up to the S4L ISP. Under the Act, HSCIC has the responsibility to protect the confidentiality of all the data it holds. HSCIC is the data controller of numerous NHS datasets in addition to those collected for the S4L ISP. HSCIC like all organisations that process and store patient identifiable data, must protect the confidentiality of that data and must guard against risks and threats from inside and outside the organisation. The risks described include threats associated with cyberspace such as hackers attempting to access the data illegally. The HSCIC s strategy describes in detail how these risks and threats are addressed and minimised by effective information governance controls. Processing of data by the HSCIC has a potential impact on privacy because the HSCIC is an organisation to which patients have not disclosed information themselves. At a local level, personal confidential health data have been used for many years for the purposes of indirect care (e.g. for planning services, audit, and research). The privacy risks associated with the HSCIC are mitigated because the process of linking the record is/will be automated. There is very little human involvement and where there are human involvement it is done following strict rules and processes, all of which are designed to protect the confidentiality of the individual. These include, for example, rules around retaining the data, destroying the data, disclosing the data and illegally matching data to identify individuals. The possible impact of privacy are that data collection, storage and processing creates a risk of confidential information being accessed without the knowledge or consent of patient and risks in terms of changes to scope (e.g. to dataset) without patients being aware. To mitigate this, we have the following control measures in place: Crown Copyright 2015 Page 10 of 18

11 Under the Health and Social Care Act 2012, the HSCIC was established as a 'safe haven' with powers to collect and analyse confidential information about patients Identifiable data stored only where necessary and destroyed or aggregated, anonymised or pseudonymised as soon as possible in line with legislative frameworks A centralised extraction reduces the need for local processing of personal confidential data where patients are more likely to be identifiable HSCIC provides assurances regarding Information Governance through: Information Assurance Management System, with reporting lines to the Executive Board satisfactory completion of the NHS Information Governance Toolkits and compliance with Information Security Standards, which include: Staff training and contracts Information technology system security and audit trails Robust management arrangements Full compliance with legislative requirements Provision of the safe haven for sensitive information The onward of disclosure of data from the HSCIC The human rights legislation, data protection legislation, and the common law duty of confidentiality all require us to protect information that could identify an individual. The Health and Social Care Act 2012, however, allows the HSCIC to obtain and disseminate information about patients when acting under direction from the Secretary of State or NHS England. The possible impacts of privacy is that in some cases a small residual risk that identifiable data could be revealed as data are made available, to another organisation. To mitigate this, we have the following control measures in place: purpose limitation, i.e. the data can only be used by the recipient for an agreed purpose or set of purposes training of recipients staff with access to data, especially on security and data minimisation principles Data are used to understand the outcomes that patients receive, as well as the patient experience and efficiency of the service Robust information governance controls are applied and managed in line with the contract management processes in place between PHE and the 3 rd party. Disclosures of personal confidential data will be limited in the first instance to exceptional circumstances for example in the event of a civil emergency Registrants will be told in the terms and conditions included in the welcome that PHE and its partners will use their data for delivery of the service and in an anonymised way to analyse and improve the service if they are not content with this they can opt out at any time. Information Governance Control Crown Copyright 2015 Page 11 of 18

12 (3.2) Given the sensitivity and scope of the information collected, what are the privacy risks and how might the security controls mitigate them? See 3.1 for further details. Information security details contained in the 3 rd party supplier contract covers risks and mitigation actions. (3.3) Given the sharing of personal information with external organisations, what are the privacy risks and how might they be mitigated? Personal information is not shared other than between the point of care (Maternity Unit) and Public Health England and to deliver the service. (3.4) What are the privacy risks associated with internal sharing within the NHS and how they might be mitigated? Information sharing agreements are in place between NHS Trust Maternity Units and PHE to cover legal and policy obligations when handling personal information. (3.5) Are the proposals regarding use of personal information proportionate to the expected outcomes? A minimum data set (see 2.2 above) is established. This minimum data set is established to ensure that every parent-to-be has the opportunity of point of care signup for the S4L ISP. Contribute to PHE s priority to give every child the best start in life, by providing information, advice and support to expectant and new parents of young children on health, wellbeing and development milestones. The primary purpose of collecting this minimum data set is to provide personalised information, advice and support to expectant and new parents. The system will only collect the minimum amount of personal data necessary to achieve the purposes of delivering Best Start in Life and are able to reach their potential ready for school From Evidence into Action: Opportunities to Protect and Improve the Nation s Health (4) The legal basis for using personal information (Legal basis) (4.1) Does the assumed legal basis for use of the personal information present any privacy risks? The Programme operates under the direction by the Secretary of State, providing the legal basis for personal information to be gathered and used for the purpose. Personal information is volunteered by patients, with the understanding of the limitation of its use by PHE and the ability to opt out (unsubscribe) at any time either Crown Copyright 2015 Page 12 of 18

13 by using the unsubscribe link placed on every or by sending an SMS to unsubscribe. (4.2) How could risks associated with individuals being unaware of the collection be mitigated? Patients are made aware of and consent to information about them being used for the purposes of the project. The first or SMS that they receive upon registering will include information about how their data will be used and making it clear that they can unsubscribe at any time. (4.3) What are the privacy risks associated with the balance between individual s rights and legal acceptability of processing personal information? How might they be mitigated? Patients can exercise their right to opt out (unsubscribe) at any time and they can request access to information held about them (Subject Access Request, Data Protection Act). (4.4) Given the access and security controls proposed as part of the programme / project, what privacy risks were identified and how might they be mitigated? See 3.2 (above) re information security controls. (5) Other questions (5.1) Do proposed changes in the use of technology present any privacy risks? No changes in technology. (5.2) Does the proposed information sharing (cross-referencing or data matching of personal data) from different sources present any privacy risks? No data matching carried out using the data collected. The risks of jigsaw attacks in S4L ISP service is very limited, however there is a small risk that the analysts granted access to these pseudonymised flows could potentially re-identify patients maliciously by combining the pseudonymised data with other available datasets (a technique known as a jigsaw attack) such an attack would be illegal and would be subject to sanction by the ICO. To mitigate this, we have the following measures in place: purpose limitation, i.e. the data can only be used by an authorised analyst and for a specific purpose training of recipients staff with access to data, especially on security and data minimisation principles access is monitored Also considered the following potential risks to privacy: Q: Loss of individual autonomy from use of patient identifiable data without consent Crown Copyright 2015 Page 13 of 18

14 A: Obtain and process only the minimum necessary patient identifiable data from other organisations Q: Risk of confidential information being accessed and viewed without knowledge or consent of patients A: Store and process data in its capacity as "safe haven", under the Health and Social Care Act Explore the possibility of automated systems to limit human contacts with data sets. Q: Risk of data being accessed illegally and then sold or otherwise misused by commercial organisations, criminals or others A: Destroy data held in identifiable form as soon as they are no longer required, or in accordance with the PHE / HSCIC's retention policy. b Risk of data being accessed legally and then the data being misused A: Monitor who accesses patient identifiable data by maintaining an audit trail to record, retain and report on system events as highlighted above (i.e., which staff members have been assigned access rights to view patient identifiable data). This is performed as part of monitoring contract. 3 Risk Management Our approach to conducting PIA on point of care sign-up to the S4L ISP is a flexible one that is integrated and run alongside our programme management approach; ensuring ongoing issues are identified, discussed and mitigated. We are keen on further development and testing of our approaches by consulting with people who will be working on, or affected by point of care sign-up to the S4L ISP as part of the demonstrator phase. Strategically, privacy issues are highlighted and discussed at the: S4L ISP Governance Board (monthly) with representative from Department of Health, NHS England and Public Health England S4L ISP Programme Group Meeting (monthly) with representative from leads of NHS Engagement, Marketing, Point of Care Sign-Up workstreams and Information for Parents Service Lead. Operationally, privacy issues are discussed at the: Weekly tele-conference between Public Health England and HSCIC Monthly Delivery Management Meeting between management staff of PHE & HSCIC In addition, we have a dedicated Clinical Lead, whose responsibility is to ensure compliance with requirements contained in the policies and procedures as well as legislative frameworks. Crown Copyright 2015 Page 14 of 18

15 Contributions of subject matter expert are sought as and when necessary. 3.1 Analysis of feedback Managing risks within the S4L ISP programme is a process that includes risk assessment and a mitigation strategy for those risks. Risk assessment includes both the identification of potential risk and the evaluation of the potential impact of the risk. All risks are recorded and discussed at appropriate level, depending on the severity of the risk. High risks are escalated as appropriate through the designated operational and strategic management process. Risks are identified continuously, as part of the development process. See section 3 Risk Management. 3.2 Risks identified The following privacy risks were highlighted following stakeholder consultation: Risk 1: 2.3 (above) retention policy agreed with NHS Choices as part of previous PIA- Risk 2: 3.1, information security policy held by PHE to be confirmed Risk 3: information sharing agreements between PHE and Maternity Units to be confirmed Risk 4: postcode necessary for the purpose? Risk 5: consider a suppression list for patients opting out to avoid mailing them further 3.3 Impact of Risks and Countermeasures Recommended The following changes are recommended to mitigate privacy risks identified during the PIA process: Mitigation 1: There is a requirement to retain data for longer than 2 years. This is because timed S4L ISP s and texts start pre-birth during pregnancy, and originally covered the period of pregnancy and first two years of life. S4L ISP content is now being created to reach to age 5 so retention will be needed for up to 6 years to cover pregnancy and the first five years of life. Crown Copyright 2015 Page 15 of 18

16 Mitigation 2: The GIG s hosted solutions are hosted within a UK Tier 3 Data Centre partner, Node 4. Their UK locations are in Derby, Northampton and Wakefield and these data centres are fully certified to both ISO and ISO 9001 requirements. Site visits can be arranged on request with their IT team. These data centres have been designed for high levels of physical security and system resilience for client hardware or applications using these facilities. The benefits of these facilities include: 100% SLA on power and cooling Resilient power with N plus 1 generators for the site and UPS on each rack Fire suppression systems 24 hour manned security CCTV coverage and controlled access Perimeter fencing and electric gates Multiple 10GB links between the sites and our office in London In addition to physical security, the GIG s multilayer approach protects client s information and systems holding client data from unauthorised access, use disclosure, disruption, modification and disruption. Access to any of the GIG s client solutions are restricted to only those working on the solution and will only have the required level of access needed for their role. Access rights are regularly reviewed and updated by System Administrators. Mitigation 3: Information Sharing Agreement to define the data that will be shared between NHS trusts and PHE has been produced for the demonstrator sites in the first instance with the intention to produce a national information sharing agreement for the national rollout across NHS Trusts in England. Crown Copyright 2015 Page 16 of 18

17 Mitigation 4: The justifications for asking for full postcode are: To enable provision of information about local services and information on local groups. To allow monitoring of take-up by socio-demographic area, including whether the service is reaching areas of deprivation this will inform any further work to reach out to certain groups in areas of deprivation through other means as a way of addressing inequalities To indicate that the user is a resident of England Note: The use of partial postcode has also been considered but this was not deemed to be feasible due to the geographical specificity required to direct parents to the appropriate services within their area. Full postcode is already captured on the existing sign-up page. Mitigation 5: The Gig s text messaging and services platform product called SmartCast has an unsubscribe function built-in. If a user clicks the unsubscribe link in any they receive, from that moment, they will be suppressed from all future communications 3.4 Further Actions This PIA will be revisited during the lifecycle of the programme to ensure; (i) Risks identified are still relevant (ii) Actions recommended to mitigate the risks have been implemented and (ii) Mitigating actions are successful. The PIA will be revisited at the following key milestone(s) in the project s lifecycle: Milestone 1: PIA document will be left open and amended if there are any changes between demonstrator phase and national roll-out 3.5 Register Risks Risks identified by the PIA may have a wider impact and consideration must be given to recording risks on other risk registers as appropriate. Privacy impacting risks have been recorded in the following Risk Register: The project has a Tracking Database (TDB) for managing risks. The identified risks are recorded in the TDB Crown Copyright 2015 Page 17 of 18

18 3.6 Signatories The Privacy Impact Assessment has been read and approved (in accordance with NHS policy and Cabinet Office policy see Related Documents ) by the following: Document Author Signature and Date Senior Responsible Owner (SRO) Signature and Date Crown Copyright 2015 Page 18 of 18