Privacy Impact Assessment and Project Overview

Transcription

1 Privacy Impact Assessment and Project Overview Scottish Primary Care Information Resource (SPIRE) Project SPIRE Privacy Impact Assessment v3.1 Page 1 of Feb-17

2 DOCUMENT CONTROL SHEET KEY INFORMATION Name Privacy Impact Assessment Questionnaire (SPIRE Project) Date Published/ Issued 01 Feb 2017 Date Effective From 10 Feb 2017 Version/ Issue Number 3.1 Document Type Document Status Author Owner Privacy Impact Assessment Approved SPIRE Project Team SPIRE Steering Group Intended Audience SPIRE stakeholders including representatives for patients, the medical profession and general practices incl. quality leads. Medical research professionals. Privacy experts. Specialist journalists. Approvers Contact see Approvals table below File Name SPIRE Privacy Impact Assessment v3.1 Word version.docx with compatibility REVISION HISTORY Version Date Summary of Changes Name Changes Marked /07/13 Initial draft Eddie Adie N/A /07/13 Revisions to section 3.8, 7 & 8 Service Delivery Workstream No /08/13 Revisions to section 1, 3.2, 3.5, 3.8, 4 & /09/13 Revisions throughout document after meeting with Libby Morris /06/15 Updated to new PIA template and revisions throughout document Service Delivery Workstream Service Delivery Workstream Eddie Adie No No No /07/15 Revisions to section 2.2 & 3.8. Eddie Adie No /01/16 Revisions throughout document Eddie Adie Catherine Thomson Hester Ward /01/16 Revisions throughout document Eddie Adie Scott Heald Libby Morris Hester Ward Janet Murray No No SPIRE Privacy Impact Assessment v3.1 Page 2 of Feb-17

3 0.9 12/02/16 Added appendix 5b Eddie Adie No /03/16 Minor change to appendix 4 Eddie Adie No /04/16 Revisions to sections1.3, 1.4, 2.2, 2.3, , 6 and 7 following discussion with Janet Murray. Also added appendix 5 Eddie Adie No /04/16 Final Version for approval Eddie Adie No /06/16 Changes following comments from Colin Brown/Frances Elliot/Libby Morris /07/16 Further changes to section 1.3 from Libby Morris. Eddie Adie Libby Morris No Yes /09/16 Revisions throughout document following Caldicott 3 and care.data cancellation. Colin Brown Eddie Adie Hester Ward Janet Murray 2.1 Revisions throughout Colin Brown SCIMP Janet Murray 2.2 Appendices re-configured Colin Brown Yes 2.3 Revisions throughout Colin Brown Maureen Falconer 2.4 Revisions Post SSG Hester Ward Janet Murray Libby Morris /11/16 Changes by HW, JM and LM, and prepare for meeting with ICO Jill Thomas No Yes Yes No changes in red /11/16 Revised Info Sec after meeting Jill Thomas David Proud and Colin Brown Eddie Adie (based on JT notes) Yes /11/16 IG sections and definitions updated after ICO meeting /12/16 Access management, Info Security updates, AAA, "Secondary Uses" /01/17 Intro re-configured Appx 2 diagrams reconfigured Appx 6 update re SSG/PPBP Appx 11 Data Sharing Agreement added Appx 12 Secondary Uses example list. Bookmarks to Appendices added Colin Brown Eddie Adie Colin Brown Jonathan Cameron Colin Brown Eddie Adie Janet Murray Hester Ward /02/17 Version for approval Eddie Adie No /02/17 Minor amendments to S2.5, 8 & App 1 Eddie Adie No (Approved by FE/JM/SH) Colin Brown Yes Yes Yes APPROVALS Version Date Name Designation /04/2016 Janet Murray ISD Caldicott Guardian /04/2016 Scott Heald Assoc. Director & Head of Profession for Statistics /02/2017 Janet Murray ISD Caldicott Guardian /02/2017 Frances Elliot Chair, SPIRE Steering Group /02/2017 Scott Heald Assoc. Director & Head of Profession for Statistics SPIRE Privacy Impact Assessment v3.1 Page 3 of Feb-17

4 Contents Background & Summary 6 0. Legal data handling role of NHS National Services Scotland (NSS) 8 1. Collecting personal information List / describe personal information & frequency of data transfers / updates Whose information is being collected? Is the data personally identifiable? How will you receive the information? What is the source of the personal information? Is the data collection part of an existing process & how are data subjects informed? What is the legitimate purpose for which personal information is obtained? Will the project bring a new way of processing personal information? Is a new linkage to other datasets intended, or is there potential to link? What do you perceive the privacy risks to be? Will processing bring any change to privacy risk? Are these risks entered into the appropriate risk register? How have data subjects been informed about processing? Use and Disclosure Describe how the information will be used Who will have access & are they appropriately trained in privacy/data protection? Will the information be modified prior to access to enhance privacy? How will access levels be decided? What safeguards will be in place to control & monitor access to data? What technical/procedural measures will safeguard security of personal information? Will safeguards change depending on the level of information made available? Describe the processes for monitoring information Governance issues Data Quality Will there be monitoring to assess the personal information s fitness for purpose? Will there be monitoring to assess the personal information s relevance? Will there be monitoring to assess the personal information remains up-to-date? 26 SPIRE Privacy Impact Assessment v3.1 Page 4 of Feb-17

5 5. Retention and Destruction For how long will the data be retained? Is the personal information covered by the NSS Document Storage & Retention Policy? How will the data be securely disposed of when no longer required? Recommendations Is a more detailed assessment needed? Completed function / policy 30 Appendix 1: Content of GP Reporting Database 31 Appendix 2a: SPIRE Extract & Processing Overview 32 Appendix 2b: SPIRE Extract Process Diagram & Example 33 Appendix 2c: Standard edris Linkage process 36 Appendix 3: Legal Provisions to support Data Processing without Explicit Consent 37 Appendix 4: Patient Opt-out Form Final 39 Appendix 5a: SPIRE Access Assurance 40 Appendix 5b: SPIRE Advanced Access Assurance 42 Appendix 6: SPIRE Steering Group and Public Benefit & Privacy Panel 43 Appendix 7: Patient Consent Model 44 Appendix 8: SPIRE Physical Security Overview 53 Appendix 9: SPIRE and NSS System Security Standards 54 Appendix 10: SPIRE Pseudonymisation & Encoding Paper 55 Appendix 11: Extract of specimen GP SPIRE Data Sharing Agreement 58 Appendix 12: Examples of secondary uses of Data 61 SPIRE Privacy Impact Assessment v3.1 Page 5 of Feb-17

6 Background and Summary of the project for which this Privacy Impact Assessment is being carried out: In 2011, the Scottish Government convened a short life working group (SLWG) to consider the potential benefits of accessing data from electronic patient records held at General Practices nationwide. A major conclusion was that although clinical data were being used effectively to support the Direct Care and treatment of individual patients, there could be more system-wide Secondary Use 1 of these data to improve the health and wellbeing of the Scottish population. Such Secondary Uses would require data from practices to be collated in a more systematic way across Scotland, transformed into intelligence and fed back to practices and other stakeholders. In particular it was recognised that consistent system-wide data could: inform and improve quality assurance and service management of NHS and care services, such as policy planning, service development and implementation, audit, and performance management inform national policy support research. It was also seen as essential that that no person's privacy was reduced by wider access to their Personal Identifiable Data and the intelligence produced from it. The group proposed that: a new national service be developed by NHS National Services Scotland (NSS) to facilitate the extraction of data and to improve its utilisation to inform or answer questions of quality assurance and service management, and for research the service should be underpinned by robust information governance policies and procedures to ensure patient confidentiality is effectively protected, including use of Privacy Enhancing Techniques such as those developed under the SHIP Programme, and that any use of data be subject to the agreement of participating practices, and participation would be open to all consenting GP practices, with a single extraction mechanism transferring data securely from GP IT systems without impacting on practice or NHS Board workload or clinical care Further, unifying the current extract mechanisms into a single national extract mechanism would streamline and reduce the workload that practices currently have in collating and reporting the data they hold electronically. 1 "Direct Care" is defined for this paper, at section 1.6, as: Care delivered both when ill, and when engaging with screening or preventive services when well." Secondary Uses of NHS data are illustrated by example at appendix 12 SPIRE Privacy Impact Assessment v3.1 Page 6 of Feb-17

7 These recommendations were endorsed in December 2012 and the Scottish Government Primary Care Division asked NSS to take this work forward through a (then) new service called the Scottish Primary Care Information Resource (SPIRE). In summary, the SPIRE project aims to deliver this service through a wide-ranging program to manage the development of several existing information systems across NHS Scotland at these 4 architectural levels 2 : Socio-cultural: have a national conversation on the public benefits of sharing NHS data for quality assurance, service management or research, while protecting privacy, by a communication campaign to inform the public and key stakeholders Roles and responsibilities: develop the discourse 3 around Information Governance, to form questions about NHS quality assurance, service management and research, and inform or answer them, including o the scrutiny and approval processes before any specific data extraction o analyse data extracted and share reports and findings with other parts of NHSScotland, policy makers or researchers. Informatics: develop the informational content of the data extracted to answer these questions, by setting up a new team of data managers and analysts to support the service, and to o design, schedule and deploy routines to extract data from GP practices for each such question o develop reports for GP practices to use locally to improve their care o develop reports customised for each NHS quality assurance, service management or research question o manage the processing of and access to the data returned to NSS Engineering: upgrade the infrastructure, by developing and implementing the Information Technology required including o a new single data extraction and reporting system, that also provides support to practices with data reporting, and that will manage the extraction of data from practices o improving communication links with GP practices to transfer the extracted data securely and efficiently to NSS o new data processing facilities to receive and store data, manage it over its lifecycle and manage user access The diagram at appendix 2a outlines how the data flow and processing meets these aims at the Informatics and Engineering levels. This Privacy Impact Assessment follows the questionnaire format used by NHS National Services Scotland for healthcare IT projects, which is adapted, in consultation with the ICO's office in Scotland, from that published by the ICO at PIA code of practice 2 Enterprise Modeling 3 Conversation Theory SPIRE Privacy Impact Assessment v3.1 Page 7 of Feb-17

8 CONSIDERATIONS ANSWERS ACTIONS 0. What legal data handling role does NHS National Services Scotland (NSS) have in relation to the personal information involved in the project? Data Controller? (NSS alone decides the purposes for, and manner in which, the personal information is used and disclosed) Yes. Each GP Practice alone is the Data Controller until the data is in transit to NSS, which becomes sole Data Controller thereafter. NSS takes on Data Controller status while data is in transit (via elinks) and when data reaches the NSS Secure Storage Area, and implements the Secondary Uses and lifecycle management of the data. This is under the general governance of the SSG, and specific projects may also be governed by the Public Benefit and Privacy Panel (PBPP). NSS will use the data only in accordance with the purposes defined in each SPIRE request, authorised by the individual GP Practices. The Secure Storage Area will have all the technical and other measures required by a Data Controller. Data Controller, jointly or in common with other Data Controller(s)? No. NSS works as sole Data Controller under the governance of the SSG (as above). (NSS works either jointly or alongside another Data Controller in deciding the purposes for, and manner in which, the personal information is used and disclosed) SPIRE Privacy Impact Assessment v3.1 Page 8 of Feb-17

9 1. Will the project involve the collection / obtaining of personal information? 1.1 List / describe the personal information to be collected / obtained, and the frequency of data transfers and/or updates. 1.2 Whose information is being collected / obtained e.g. patient, donor, family health Personal information is collected in regular extracts using, as their source, a "GP reporting database" generated overnight in each GP Practice. This is a temporary working copy of selected parts of the full data in the GP Record, and is a table of patient records. The maximum possible content of each dataset is attached as appendix 1 and shows in bold those items considered to be "personal identifiers" within the Personal Identifiable Data (PID) 4. Extracts also include Read codes for clinical features, conditions, procedures and tests, prescribing data, and selected other data for disease surveillance, and for some NHS management such as payment verification. These data are known also as "payload" data, and in some circumstances may be partly identifiable: see sections 1.3 and Each data extract will only contain the minimum data items required for the purpose of that extract (as discussed at section 3) and for its duration, after which it is destroyed. The frequency of data extracts and transfers will be flexible subject to the capacity and usage of the elinks transport system. Information is collected about Persons registered with a GP practice in Scotland. Clinicians engaged in clinical and management activity in these GP practices. Other NHS staff engaged in supporting this clinical activity. Update the Privacy Impact Assessment if the content of the GP reporting database changes. 4 Not every item of data comprising Personal Identifiable Data will always be confidential: for example, some data may already be in the public domain as the person may have lost privacy by disclosing such data on the internet e.g. on Facebook. PID that has not been disclosed is often referred to as Personal Confidential Data, in particular by the Data Protection Act which applies only to PCD. As it cannot reliably be predicted which items in PID may no longer be confidential, this system design document assumes that all PID is still all confidential, and so uses the term PID. "Personal" is also the DPA 1998 term for identifiable data applied to living people, so as SPIRE applies to data about people living & dead, the term identifiable' is appropriate here, as in "PID". SPIRE Privacy Impact Assessment v3.1 Page 9 of Feb-17

10 services contractor or NHS staff data? 1.3 Is the data personally identifiable? How are nonidentifiable data and identifiable data processed appropriately? This section summarises the data processing within SPIRE, details are later in the document. The extracted data has variable content of personally identifiable data clear personal identifiers such as CHI, names, date of birth, postcode, and clinical data, as at section 1.1 above SPIRE uses three models to process raw data with information governance appropriate to the level of risk of re-identification due to the personally identifiable content of the data, and to its purpose. Each model requires that the GP practice has given consent to the extract before it leaves the practice, but has different processes for obtaining personal consent. Each model is currently in use in NSS or elsewhere in NHS Scotland, but differing in scale, extraction and processing methods. A. Aggregate: data are aggregated to include everybody in a group, and will be presented for analysis initially in the form of total numbers per GP practice. This is much the most common type of information output, the best-known purpose being for the Quality and Outcomes Framework (QOF), and soon for NHS Scotland's new Transitional Quality Arrangements. Other purposes are NHS quality assurance, service management and research at levels starting with the GP practice, then for local clusters of GP practices, NHS Boards, and finally Scotland-wide Consent is required from GP practices for these extracts, but there is no consent process for each person to opt out of aggregate extracts as this information is anonymised 5. 5 When numbers are very small, further de-identification is ensured by use of Statistical Disclosure Protocol - see Section 3.6 SPIRE Privacy Impact Assessment v3.1 Page 10 of Feb-17

11 B. Limited Personally Identifiable Data: a limited selection of data are presented for analysis for each person's record. These datasets support the purpose of population-level inclusion of persons including those in hard-to-reach groups. The data may be "personally identifiable" to an extent that varies with each record, which contains variable amounts of clear personal identifiers such as CHI, names, date of birth, postcode; and also clinical data. The richer the clinical payload data, the more it is also potentially identifiable. For each extract, PID will be minimised, by extracting only the minimum no. of data 6 items required for each report. For example: no free text or narrative data is extracted, but only clinical terminology codes for clinical features, conditions and procedures each extract is retained in the GP Practice until they, as Data Controllers, approve its release to SPIRE. Further, it is used for the minimum time and is then destroyed: it is not stored or "warehoused". Personal identifiers are used within NSS for the purposes of linking each person's data to their data in other datasets, or creating derived items such as age and Scottish Index of Multiple Deprivation score 7. They are then deleted, and only the clinical payload and derived items passed to those granted controlled access to the data, e.g. researchers approved by the Farr Institute 8 : see section 3 When personal identifiers are required, they will be routinely separated from the clinical payload data before leaving the GP practice. The personal identifiers file is then encrypted before both files are transmitted separately to NSS over the secure Scottish Wide Area Network (SWAN) using 6 The Least Principle from "Fair Shares for All" British Computer Society 2012 "The risk of de-identified data being re-identified depends on the way it is shared and with whom, as well as its intrinsic content... It is greatest with rich data... where anyone may take it and use it for any purpose(s). In such cases the risk may be so high that de-identified data should be treated as if it were identifiable data. In the light of this, we advocate that, where possible, data are collected for specific purposes. Applying the Least Principle - the least data, copied the least number of times, held for the least time and used by the least number of people necessary for the purpose - substantially reduces the privacy risk" 7 In future the derivation of items such as SIMD score could be performed by SPIRE Local within the GP practice, to further reduce export of data. This would be a Change Request. 8 Farr Institute: What is Health Informatics Research? SPIRE Privacy Impact Assessment v3.1 Page 11 of Feb-17

12 elinks, which also encrypts all files during transfer. (see section 3.3) This pseudonymisation of the data at its source greatly reduces the identifiability of the dataset. Re-identification is easy only for NSS staff in legitimate possession of the decryption keys, in the above example to create derived items (see section 3.3), but with extreme difficulty by others: see section No staff in NSS will ever have access to both the identifiers and the clinical payload data, this being a key principle of the SHIP blueprint: see appendix 2c and appendix 10. Further, no end-user staff outwith the NHS will ever have access to PID from this type of data. These data are considered suitable for processing without explicit consent if using de-identification methods such as the above, and also if consistent with legal requirements such as those of the Data Protection Act, and the common law: see section 1.7 and appendix 3. Processes for consent or its withdrawal (dissent) give additional safeguards for each person and for GP practices an individual's dissent applies to all extracts of this type. the GP practice consents to each extracted dataset based on the practice's view of the benefits and risks of each one. A further safeguard is provided by a Data Sharing Agreement, which is a legal framework for the use by NSS of the limited PID that is extracted from GP records: see appendix 11. C. Fully Personally Identifiable Data: Where identifiable data are requested to be released for purposes that do not meet the above provisions, such as clear personal identifiers for direct, repeated or long-term access by researchers (e.g. a research request on individual patients such as those in a specific disease register, or those found to be at risk) explicit consent will also be required from each patient. Each request would need approval of SSG and PBPP: see appendix 6. This is the current process for research on individual persons using GP Records, and consent is normally managed directly by researchers, or on their behalf by GPs, using paper systems. SPIRE Privacy Impact Assessment v3.1 Page 12 of Feb-17

13 It is proposed that the unified SPIRE data extract technology can also be used for these custom extracts, and that the SPIRE team will work with researchers and the Farr Institute to facilitate the management of these research projects: see section How will you receive the information (e.g. CD, network transfer, etc)? 1.5 What is the source of the personal information? 1.6 Is the data collection / obtaining part of an existing process and if so, how are data subjects informed about the current and proposed processing? If data subjects are not informed, explain why. When Personal Identifiable Data (PID) are requested, an automated data extract process will deliver the data as two files: one, encrypted, containing all clear personal identifiers as listed in appendix 1, and the other containing the remaining limited clinical information requested. This data transfer uses elinks to further encrypt both files in transit over the secure SWAN NHS network to a temporary storage area within NSS: see section 3.3 and appendix 10. If the information requested does not identify individual persons (e.g. aggregated data such as a count of the number of patients in a practice aged over 65 with a common condition) then only one file will be transferred, using the automated data extract process described above. Clinical systems within General Practices across Scotland. Data are currently routinely provided to and recorded by GP practices as part of their provision of General Medical Services to NHSScotland, of which people are informed when registering with a GP practice, and when accessing healthcare. This use for Direct Care applies both when ill, and when engaging with screening or preventive services when well. Some clinical data are currently extracted and used for limited Secondary Uses e.g. aggregate data to support payments to practices, currently by the Quality & Outcomes Framework (QOF) see section 3.1 Currently there are different mechanisms for informing and for opting out of some of these extracts, each administered by GP practices. Information about them and about SPIRE is available in leaflets on NHS premises such as GP practices, and on NHS Inform; see also section 2.4. SPIRE will not go live until a Public Information Campaign, using print and radio media, with patient leaflets and posters available at the point of contact with the service, has taken place. The Public Information Campaign is planned to cover 93% of the population, will provide general information about SPIRE, and will also clearly describe each person's method to opt out of all individual limited data SPIRE Privacy Impact Assessment v3.1 Page 13 of Feb-17

14 extractions, by completing a standard opt-out form, available in practices or online to download: see appendix 4. The patient s dissent from these limited data extracts will be recorded using the Read code 9NuD. so that all these extracts exclude data from those who opt-out. This dissent status can be applied at any time, or rescinded by use of Read code 9NuF, the code for dissent withdrawn. Since SPIRE data is deleted once its approval period expires any data in SPIRE will be destroyed: see section 5.3. The opt-out will not apply to aggregated data, because that data is not identifiable. Further, the GP practice has the option to dissent from the transmission of each extract to SPIRE, for instance if that extract's Secondary Use is not supported by the practice. SPIRE will publish the purposes approved for each proposed extract: see section 2.5. There is currently no proposal to inform individual persons directly about each specific Secondary Use to which their PID may be put, nor to enable them to directly specify consent to these different Secondary Uses. 9 There is now UK-wide consultation on Caldicott's 3rd Report, in which Chapter 3 discusses granularity of consent. 10 International research is also ongoing into the types of such uses that will be most meaningful for the public, 11 for example to represent more granular consent using broad, dynamic or meta-consent models. There is potential for an individual person to specify their own consent choices via a portal such as My Account at with storage in the new electronic Master Patient Index recently procured to replace the Community Health Index. Some technical issues are discussed here and in a paper published by SCIMP: see appendix 7. 9 Call for electronic consent for secondary uses 10 Review of Data Security, Consent and Opt-Outs (Caldicott 3) 11 Wellcome: public attitudes to commercial access to health data 12 Meta consent a flexible solution to the problem of secondary use of health data 13 A dynamic model of patient consent 14 SCIMP Consent Archetype Nov 2013 presentation SPIRE Privacy Impact Assessment v3.1 Page 14 of Feb-17

15 1.7 What is the legitimate basis or stated business purpose for which the personal information is obtained? Administration of Health and Care Services (as described in the Data Protection Register Z ). This term includes Secondary Uses such as NHS quality assurance and service management uses. This accords with the founding duty of the NHS in relation to the health and wellbeing of the population in the National Health Service (Scotland) Act 1978, The statutory functions of NSS are defined in the National Health Service (Functions of the Common Services Agency)(Scotland) Order 2008, Two conditions for lawful processing of personal health data apply under the Data Protection Act 1998: 1. DPA 1998 Schedule 3 (8): processing is necessary for medical purposes" which is defined as including the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.' 2. The Data Protection Statutory Instrument 2000 number 417 research condition is processing that is is in the substantial public interest is necessary for research purposes does not support measures or decision with respect to any particular individual, and does not cause, nor is likely to cause, substantial damage or substantial distress. See appendix 3 for fuller discussion of legal supports for SPIRE's approach to Information Governance. There is no risk of Government access under the Health & Social Care Act 2012 because this does not apply in Scotland. 15 A proposed consent model SPIRE Privacy Impact Assessment v3.1 Page 15 of Feb-17

16 2. Will the project bring a new way of processing personal information? 2.1 Is a new linkage to other datasets intended, or is there potential to link to other datasets? if so, describe, including whether an application has been made to the Public Benefit and Privacy Panel Yes, there will be requests to link SPIRE extracts to other data sources. These will not be routine: all requests for new data linkage will be considered by the SPIRE Steering Group, and then by the Public Benefit and Privacy Panel (PBPP): see appendix 6. If the linkage is required as part of a request from an approved researcher, then the process identified for the electronic Data Research and Innovation Service (edris) will be followed (described further in appendix 2c and appendix 10) and linkage will be carried out using standard edris processes. These are automated wherever possible, to minimise the number of analysts processing Personal Identifiable Data, normally to no more than 2 16 : see appendix 2c. These processes have been established for use in NSS with Farr-accredited Research Organisations in Scotland following the development of the SHIP Information Governance Toolkit and related secure processes under the earlier SHIP Program since This current work by NSS in partnership with the Farr Institute governs a number of researchers both local, national and international using NHS data for many research activities. SPIRE's GP data extracts can be specified to complement that other NHS data, and will have security governed as above. Researchers employed by the pharmaceutical industry do not have direct access to any PID made available by NSS through edris at the Farr Institute: only aggregated data (anonymised, see section 1.3) and results of analyses are shared with them. Pharmaceutical companies may also develop and commission research in collaboration with the NHS or academic institutions. In such a collaboration, only their NHS/academic partners would have 16 In a few exceptional cases, e.g. to cover staff absence, a third person may need to be involved; we do not expect more than three analysts to have sight of the same set of PID. SPIRE Privacy Impact Assessment v3.1 Page 16 of Feb-17

17 access to PID, as approved by SSG and PBPP, and through the edris team at Farr Safe Haven. The pharmaceutical industry-employed researchers would only have access to the final nondisclosive, aggregated outputs (e.g. anonymised data in tabular form) and only via edris staff at Farr working directly with them to ensure all privacy protection systems are fully implemented. 2.2 What do you perceive the privacy risks to be? Risk Actions Risk Owner There may be a data breach due to accidental, intentional or fraudulent access to information. All steps in the SPIRE technical solution are described in a System Security Policy (SSP). Please see sections 1.3B, 3.5 and appendix 9 for details including ISO27000 status. Some specific security examples the frequency of data extracts, transfers, and transmission schedules is unpredictable when personal identifiers are extracted they will be encrypted before being securely transferred from the practice access is authorised by individual logons and passwords physical security is also addressed 17 to current requirements. information via a web browser is available only through SWAN and secure private network. user access is secured by 2-factor authentication, and users are required to access only using encrypted PCs & laptops, and are subject to password training and guidance underpinned by standard NHS procedures: there are five server environments: Production, UAT, Report Development, System Test and Development, hosted in the Atos Data Centre. This meets all NHS data security standards, is supported by a Service Level Agreement and meets the requirements set out in NHS Scotland Information Security Policy at ehealth standards library. GP data is only ever held within the Secure Storage Area in the Production environment. before releasing statistical data, the ISD Disclosure Control Protocol will be followed to ensure that individual persons are not identified e.g. due to small numbers: see section 3.6. Assoc. Director 17 Appendix 8: Summary of NSS Physical Security SPIRE Privacy Impact Assessment v3.1 Page 17 of Feb-17

18 2.2.2 Personal Identifiable Data (PID) may be accessed, used and viewed without the knowledge or consent of patients Inference threat: combining rich clinical data from breach or other inappropriate access, with public data to reidentify. Access control is fully discussed at section 3.2, and includes these features: Only the minimum number of staff will have access to PID, most commonly 1 and normally no more than 2; see also appendix 2c. This is a key design feature for approval by the PBPP and the SPIRE Steering Group: see section 3.5. Each staff member will only be granted access to personal identifiers or clinical payload data, but not both. This separation of roles is a feature of the SHIP Blueprint. There are full audit trails of all accesses to PID. This retrospective assurance on all accesses made is administered by NSS on request from individual persons via their GP practice managers, NHS24 or NSS. Advanced Access Assurance (see appendix 5b) will also be available to persons who can give a name of specific NHS staff alleged to be a potential adversary. Section 3.2 expands the Human Resource issues in managing access, and appendix 5 expands the mitigation of risk for intentional data breach. This risk cannot be generally quantified as it requires details of the scale of Personal Identifiable Data (PID) in each dataset, and assessment of the related information that may be available to an adversary. Assessment can then be made of the privacy risks to individual persons from reidentification, to inform the assessment by the SPIRE Steering Group and PBPP before approval. Each data extract will only contain the minimum data items required for the purpose of that extract (e.g. to support an NHS research study) and for its duration, after which it is destroyed. As an example of related information, an adversary may already know dates to apply to coded items in a target person's payload data, to link with their dates at a postcode from public data. A review by Yakowitz 18 states that while such inference attacks have been shown in public datasets, there were no known instances of a successful such attack on a medical research dataset. Service Mgr. Service Mgr. 18 Jane Yakowitz: Tragedy of the Commons pp35-39 SPIRE Privacy Impact Assessment v3.1 Page 18 of Feb-17

19 For further protection, in SPIRE: data is not in human-readable document format any person's data may be absent due to opt out from the limited extracts program, and any GP practice' data may be absent due to opt out of any extract. Thus an adversary cannot know if or how any person's data has been coded, nor if it exists in any one dataset, nor the dates between which any dataset may exist. These form major obstacles to illicit re-identification of individuals by inference. 2.3 Will processing bring any change to privacy risk? If so, describe. As SPIRE will provide more data to a wider range of people, there might be an increase to privacy risk from current NHS Scotland practice. However, there is no large persistent dataset, but multiple smaller, temporary datasets. These can be easily regenerated as needed, this being feasible due to the small datasets and speed of current extract technology. Stable data persists only in the GP record, where it is cumulative and curated for Direct Care by the GP practice as its Data Controller. SPIRE thus avoids data storage or "warehousing" with the risks of large rich datasets: see section SPIRE's pseudonymisation of the data at source provides both major technical barriers, and the deterrence of being illicit, to reduce the privacy breach risks compared to current extraction practices. Some GP practices in Scotland already contribute PID to other large UK-national datasets e.g. CPRD, THIN, QResearch and their discussions of pseudonymisation and data linkage methods may be referenced:. 19 Some research projects use other software e.g. the North node of NHSScotland Primary Care Research Network uses OpenPseud within Albasoft software: see appendix 10. SPIRE introduces no additional types of risk to these. 19 QResearch Openpseudonymiser; also see appendix 10 ResearchOne SAIL THIN CPRD Also Research One SAIL Databank The Health Improvement Network Clinical Practice Research Datalink Sapior Safemerge SPIRE Privacy Impact Assessment v3.1 Page 19 of Feb-17

20 2.4 Are these risks entered into the appropriate risk register? 2.5 How have data subjects been informed about processing? If not, how will it? Yes, the above risks are covered by risk numbers 3694, 3740, 3745 and The Risk Register holds regularly updated values for Likelihood and Impact of all risks; each risk is allocated an owner. See section 1.6 above for details of SPIRE Public Information Campaign. 20 As a Notice of Fair Processing to the public, the SPIRE website will publish decisions of the SPIRE Steering Group (SSG). This will clearly identify those applications that have been approved along with relevant details about the purpose of the extract and how long data will be retained for. This information will help people make informed decisions about whether or not to opt-out of SPIRE. 3. Use and Disclosure 3.1 Describe how the information will be used. Each data extract is designed to inform or answer each research, quality assurance, or service management question 21. A wide range of such Secondary Uses is listed at appendix 12. Information will be fed back to GP Practices, clusters and NHS Boards to support and inform local decision making, including quality improvement, benchmarking and performance management. SPIRE will enable data from GP records to be extracted across Scotland in a consistent manner and used more widely than currently. Collation, analysis and production of intelligence from these data will contribute to improvements in the quality 20 Also, until September 2014, GP records at about 60 practices across Scotland supplied limited data for the Practice Team Information (PTI) scheme. Patients of these PTI practices received general information about this on notices and leaflets from those GP practices who took part. 21 The processes of forming questions and informing the answers are generally included within those known as Secondary Uses of the data: see appendix 12 "Secondary Uses" have been suggested to be known as "Indirect Care Uses" as a better complement to the term Direct Care when classifying the multiple uses of data in the NHS. These definition issues are under professional debate. SPIRE Privacy Impact Assessment v3.1 Page 20 of Feb-17

21 and outcomes of health and social care in Scotland; the management and improvement of NHS services and their resource allocation; national policy on the NHS in Scotland; public health surveillance and healthcare research. There is a recognised value in the potential of linking to other datasets, however, no routine linkage is planned. Requests to link SPIRE data with any other datasets will require approval from both the SPIRE Steering Group and the Public Benefit & Privacy Panel (PBPP): see appendix 5 & appendix 6. Further use of SPIRE data i.e. by researchers other than NSS, is recommended to be onsite through edris at Farr Institute i.e. via the National Safe Haven which is wholly within NSS systems. The Safe Haven is a secure penetration-tested Citrix Virtual Desktop Infrastructure for remote access that removes all functions except selected analysis functions that it alone provides. Therefore no data can be copied or saved outside the Safe Haven; further, all researcher activities are recorded on video. Other research requests e.g. for use of SPIRE data off-site, which might include for use outside the UK, would depend on the project s assessment by the SSG and then PBPP, in favour of research design that does not require off-site copy. Since routine access to SPIRE by researchers would be recommended through edris at Farr Institute, offsite access requests would be rare events, and so considered as they arise by the SSG and PBPP to ensure benefits are realised with minimum privacy and security risks. If there is any intention to use PID, then no offsite copy will be approved, only access is provided under these strict conditions: Researchers may access remotely from outside Safe Haven premises only on workstations provided by their host institution, and for limited periods of time. When researchers are from non-uk academic institutions they must work in partnership with researchers in UK Universities, which are responsible for providing the evidence that they and their employing Institution are bona fide. All users and their employing institutions sign a user agreement defining their responsibilities and sanctions which may be applied to the individual and institution. UK Institutions are also liable for any breach of the agreement by non-uk partners. 3.2 Who will have access and are they appropriately Within NSS: all staff are vetted prior to employment. Dependent on the post, checks will include some or all of the following: verification of identity; right to work; professional registration and qualification; employment history and reference; criminal record checks; and occupational health checks. SPIRE Privacy Impact Assessment v3.1 Page 21 of Feb-17

22 trained in relation to privacy / data protection? Provide this information for persons: within our organisation e.g. have our relevant staff signed the corpor-ate Confid-entiality Policy, when within the wider NHS outwith the wider NHS 3.3 Will the information be modified prior to access to enhance privacy All PHI staff complete specific training in confidentiality, and the rules in the NSS Confidentiality Policy that govern the care and release of confidential data. New staff must sign that they understand and accept them; all staff renew this declaration annually. Our staff contracts lay out the need to respect and preserve confidentiality. In addition, all PHI staff must complete the intermediate level IG online training module, and update every three years. For example, PHI staff will be able to apply Statistical Disclosure Control: see section 3.6. Access can only be given with special permission for a set time period, on NSS premises only. Type A aggregate data (not containing PID) may be seen by several members of Public Health Intelligence. For type B data extracts containing limited PID, in the great majority of cases the PID will be seen by one or two analysts 22 selected from a small number of appropriately authorised staff within the SPIRE service team within Public Health & Intelligence (PHI) Strategic Business Unit (e.g. data managers and data analysts). Within or outwith the wider NHS: approved researchers may request access to SPIRE data, and this will follow the process developed as part of the edris service and must also comply with requirements of the SPIRE Steering Group: see appendix 6. Researchers must complete training to ensure they are fully aware of the policies and procedures governing individual privacy, data protection and freedom of information. For more detail on the content of this training, please see the links below: Health and Social Care Information Centre Information Governance Training Tool (for NHS staff only) MRC Regulatory Support Centre: Research Data and Confidentiality e-learning Administrative Data Research Network - Safe Users of Research Environment Training Before transfer of PID from GP Practices (via elinks) to the Secure Storage Area in NSS, personal identifiers and clinical data will be split into two files and transferred separately. At the same time encryption will be applied to the file containing personal identifiers, providing pseudonymisation of the dataset. This process follows the established SHIP Blueprint, and is more fully discussed in appendix In a few exceptional cases, e.g. to cover staff absence, a third person may need to be involved. We do not expect more than three analysts to have sight of the same set of PID SPIRE Privacy Impact Assessment v3.1 Page 22 of Feb-17

23 e.g. anonymised or pseudonymised? Additionally, elinks encrypts all files that it transfers using SWAN. For some extracts, subject to those extracts being approved by the SSG and Public Benefit & Privacy Panel (PBPP), reversal of the encryption by NSS s SPIRE team will be allowed to permit: Temporary recovery of the patient s CHI number to allow data linkage with other national datasets, as described in appendix 2c, such as those relating to the patient s Hospital Episodes of Care Temporary recovery of patient identifiers to allow data linkage with other datasets (where the CHI number is not available) The generation of Personal Identifiable Data (PID) where its use can be justified and it is approved by the SSG There may also be a requirement to gain the consent of the patients involved if, for instance, personal identifiers are required for research purposes that occasionally arise during analysis. For example, a new research question may be generated by the early results of limited data research, such as identifying a risk profile for a new adverse drug reaction. In such a case, identification of the individuals affected would require reversal of the encryption of demographics, which would involve the GP practice. The general framework for these uses of the data is specified in a Data Sharing Agreement, see appendix How will access levels be decided? 3.5 What safeguards will be in place to control and monitor access This will depend on the roles and responsibilities of individual staff. For each data extract, it will be agreed who will be required to manage and analyse data; only those individuals will be granted access. The numbers of analysts with access to PID will be minimised, normally to 1 or 2 individual staff, this being a key feature of approval by the SSG and PBPP: see section 3.2. Access levels for authorised NSS staff will be agreed by senior staff following standard procedures. Access at NSS to SPIRE is controlled by individual user identifiers and passwords uses several profiles for each user with separate credentials, to reduce risk if any one credential set is compromised i.e. there is no Single Sign-On system which can be a single point of weakness SPIRE Privacy Impact Assessment v3.1 Page 23 of Feb-17

24 to data? e.g. an audit trail with date and user authentication. 3.6 What technical /procedural measures will safe guard the security of the personal information? 3.7 Will safeguards change depending on the level uses security profiles that define level of access on a least-privilege basis 23 places time-limits on all accesses to PID uses only fully-encrypted devices with machine access also secured by 2 factor authentication. Usage is monitored by system monitoring reports currently using full file-level access logs 24. Staff who have accessed PID are monitored by maintaining an audit trail to record, retain and report on each staff member's accesses to view PID. This information will be available to the public if requested, administered by NSS on request from patients via their GP practice managers, NHS24 or NSS. PHI will also maintain a list of those staff with potential access to PID to support Advanced Access Assurance; this applies to all SPIRE data and is available should a request be made: see appendix 5. In addition to those described in section 3.5, ISD has developed over many years a Statistical Disclosure Control policy to ensure that where statistics provide information on small numbers of individuals that those individual persons are not directly, or indirectly, identified, by hiding, combining, or modifying data before release. ISD's Statistical Disclosure Protocol 25 complies with the Anonymisation Code of Practice 26 of the Information Commissioner s Office (ICO) All steps in the SPIRE technical solution are described in a System Security Policy: see appendix 9. Access will be controlled as described in section 3.5 above, and as data may be sensitive even if it is aggregated, for instance when numbers are very small, also as at section 3.6 above. Users will be granted different levels of access depending upon their individual roles in each project. 23 see Principle of Least Privilege 24 NSS is also evaluating specific audit software tools from a number of suppliers 25 ISD Statistical Disclosure Control Protocol sets out how the organisation reduces the risk of disclosure by suppressing, aggregating or modifying data before release. 26 ICO Guide to data protection: anonymisation SPIRE Privacy Impact Assessment v3.1 Page 24 of Feb-17