Under GDPR, it is the responsibility of our Trust, not just to be compliant with the law, but to be able to actively demonstrate this compliance. One of the key ways of demonstrating compliance with Data Protection by Design is through the use of DPIAs.

Examples of DPIAs

A DPIA is a screening tool which is designed to help organisations systematically analyse, identify and minimise the data protection risks of a project or plan.

It allows issues to be recognised as early as possible and addressed appropriately, which in turn shows that data protection has been considered throughout the development of any new or changes to existing activities.

An innovative youth forum to share views and work with the Trust to improve delivery of care for children and young people. The DPIA covers the group set up and the use of digital media for group enablement sessions.

Recommendation and conclusion

Entry to the forum is using a consent model. The service has updated all member forms to comply with current legislation. Minimal risks involved with the digital media. However, staff are fully trained in its use and are provided with operating procedures, which will be reviewed as a minimum annually.

The use of a web-based video consultation platform to support direct patient care.

This is in the context of the coronavirus outbreak (Covid-19) and the Trust’s role as a category one responder under the Civil Contingencies Act 2004.

Recommendation and conclusion

The use of the platform is supported by NHS Improvement. The use of the platform and all technical assurances have been checked and/or risk assessed by the Trust prior to deployment.

The use of digital media to facilitate virtual consultations by staff working in a "clinical capacity for a clinical purpose" to support direct patient care. This includes such activities as group education sessions.

Recommendation and Conclusion

There will always be a choice in the use of these activities and, those not comfortable with the use of technology will be able to continue their care in person. The technical assurances are afforded to us by NHS Digital.

A survey link sent to a sample of patients which hopes to identify how patients feel if given the if given the opportunity to be seen or treated at a different hospital, if it meant they could be treated sooner than at Blackpool Teaching Hospitals. The survey will be sent by the Trust and Healthwatch will have no access to our confidential patient data for the purposes of this survey.

Recommendation and Conclusion

Healthwatch worked with BTH to ensure that the content of the letter meets our requirements.

The data will also be screened as per the national data opt out requirements which will ensure that patients who have registered an opt out preference have their wishes upheld. The results of the survey might affect how services are or could be planned to enable the restoration of services.

The Trust uses a Health Education England (HEE) tool to facilitate and support the transfer of information into the Electronic Staff Record (ESR) system. This will assist the Trust to maximise placement capacity and ensure the quality of the learning environment.

Recommendation and Conclusion

This approach is supported by the ESR national team. Minimal risks, installed locally and no supplier access to data. System added to the Trust Asset Management Register.

Electronic system to replace paper checklists used to log resuscitation trolley checks, order stock and monitor expiry dates. This will enable the Trust to actively monitor trolley stock compliance and effectively manage any product recalls.

Recommendation and Conclusion

System only holds minimal data, this being a staff member's name. The company has DSPR and ISO9001 credentials. Data is held on third party servers, whose company compliance includes DSPT and ISO27001. Supplier credentials to be monitored by IG on an annual basis and system added to the Trust Asset Management Register.

Implementation of a technical solution, backed by policy, procedures and communications (staff and public facing), to enable the Trust to meet the requirements of the National Data Opt Out as stipulated in the Caldicott 3 Review of Data Security Consent and Opt Outs.

Recommendation and Conclusion

Small risk of data being processed that may include patients who have opted out. Ongoing work by the IG and Data Analyst team will ensure Trust-wide compliance.

The in-house creation of an Overpayment Log Dashboard to ensure the Trust has full visibility of any overpayments made along with a process of recovery.

Recommendation and Conclusion

All data is held and managed internally, therefore minimal risks.

The implementation and use of a Trust-wide electronic Risk Register, providing additional reporting capabilities and monitoring for the CQC and NHSLA standards.

It also assists compliance with the yearly Data Security and Protection Toolkit.

Recommendation and Conclusion

The Licence Agreement covers all required aspects of a Data Processing Protocol. Supplier credentials to be monitored by IG on an annual basis and system added to the Trust Asset Management Register.

Direct interoperability allowing primary and community care sites to see a read-only view of the data via an embedded HTML view. This supports the Trust aims to better link physical and mental healthcare and effectively provides our clinical services better access the information they need.

Recommendation and Conclusion

Project is fully supported by all stakeholders. Both systems maintain full audits of inbound/outbound requests. Supplier credentials to be monitored by IG on an annual basis.

Software which is compatible with the Trust’s training mannequins. This will enhance staff training, enabling courses to be more interactive and provide realistic scenarios.

Recommendation and Conclusion

No data is stored within the software. Download of software completed following the request for change process.