Data protection impact assessment (DPIA) template
This template uses the recommended data protection impact assessment (DPIA) structure from the UK ICO and can be used by deploying organisations to support the development of a local DPIA.
Why is this DPIA needed?
Concentric, owned and developed by Concentric Health, is a digital consent to treatment application. It is used in place of traditional paper-based consent forms for any treatment or investigation where written consent is documented.
A DPIA is required as the implementation of Concentric involves the processing - by Concentric Health as the data processor on behalf of the healthcare organisation as the data controller - of patient personal data, special category data, and clinician personal data.
Data processing description
Nature of the processing
The healthcare organisation is the source of the patient and clinician personal data, either through manual entry or via integration. Special category data relating to the consent episode is entered by the clinician.
Third-party processors, used for data hosting and communications, are detailed within Concentric Health’s data processing page. This page details what each third-party processor is used for, the agreements between Concentric Health and the third party, UK GDPR compliance, and whether the processing involves cross-border transfer of data.
Scope of the processing
The types of data processed, and the justification for processing, are outlined in Concentric Health’s data processing page.
The volume of data processed is dependent on the size of the organisation. Depending on the local context and ease of access to different data sources, this may be estimated based on existing paper consent form use, or case numbers passing through the key areas documenting consent (surgical theatres, endoscopy, outpatients, etc.).
The approach to data retention is outlined in Concentric Health’s data retention policy. Concentric does not hold all the information needed to determine how long a record should be kept; therefore, Concentric Health deletes data only on instructions to do so from the controller.
Context of the processing
The clinician creating a consent episode with the patient has a direct care relationship with the patient, with consent information shared during or following a conversation between clinician and patient.
Processing may include data relating to children and young people if they may be cared for within the healthcare organisation.
There are no prior concerns relating to this type of processing, and it is not considered novel data processing.
Purpose of the processing
The processing is required in order to facilitate the benefits of digital consent:
- digitally transform the consent process, allowing a paperless process
- reduce errors, omissions, and variation in the consent process
- improve patient understanding of the treatment and risks
Consultation process
This section should outline the consultation process followed locally, including how the process contributed to the identification and assessment of risks. The following are usually represented during the consultation process: information governance, clinical leadership, Digital/IT, Cyber/IT security, patients.
Necessity and proportionality
Concentric Health is the data processor on behalf of the healthcare organisation. The purpose of processing is for the delivery of direct care. The legal basis for processing is usually:
If a public sector healthcare organisation:
- Art.6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Art.9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
If a private sector healthcare organisation:
- Art.6(1)(b) - processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Art.9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
A data processing agreement is required to be in place between Concentric Health and the healthcare organisation to state the agreed scope of processing. The data processing proposed meets the purpose of the processing and there is no acceptable alternative to proceeding with data processing to this extent. The application has been designed to meet the GDPR individual rights requirements by design, including providing a privacy notice to patients.
Data processing risks
Staff misuse: Appropriately authenticated staff may access the records of patients not under their direct care, share care records inappropriately, or access Concentric using a device and browser that does not meet the browser support policy. This risk is mitigated by appropriate information governance training by the healthcare organisation to all staff users.
Inappropriate access: Staff who should not be given access to patient data may be given access in error. This risk is mitigated by limiting access to the admin application, additional training for staff with access to the admin application, and enforced multi-factor authentication (MFA) for the admin application.
Information shared with incorrect patient: It is possible for emails and SMS messages to be sent to the incorrect patient, either via incorrectly recorded contact details or manual entry error. This risk is mitigated by consent information being protected behind an additional layer of authentication (date of birth entry) and no special category data being shared within the email or SMS.
Cloud provider data breach: A malicious external threat could compromise Concentric Health’s infrastructure, exposing processed data. This risk is mitigated by Concentric Health’s use of industry-leading encryption technologies providing high levels of data security at rest and in transit, maintenance of cyber security certifications, and annual independent penetration testing of the Concentric application.