DPIA (EU)

Patients Know Best (EU) Data Protection Impact Assessment 

Version 2-EU

Kaleidoscope Consultants | United Kingdom | +44 (0) 20 3637 1111 | info@kaleidoscopeconsultants.com

Kaleidoscope Data Privacy Consultants | Republic of Ireland | +353 (0)153 14430 | contact@kaleidoscopeconsultants.ie

Kaleidoscope Data Privacy Consultants | España | +34 (0)938 004910 | hola@kdpc.es

http://www.kaleidoscopeconsultants.com  

Date 16 March 2021  

Author Joe Stock 

The structure of this DPIA is that the analysis is in the accompanying appendices, whilst a summary of the findings is contained in the report. Each section references the applicable appendix and discusses findings and recommendations. Full details are in the appendix. 

1 Overall assessment 

Risk Number | Risk | Score | Recommended Control

11, 13, 16, 18 | Failure to have organisational procedures and processes in place for staff to comply with individual right requests. | Significant Assurance | Processes are in place for all individual right requests to be adhered to and responded to; however, an individual rights management procedure is currently being drafted, to be completed by end of March 2021 (complete, 2022).

52 | Privacy material does not meet the requirements of Articles 12 and 13. | Significant Assurance | Privacy material is currently drafted, to be updated and made live by end of March 2021 (complete, 2022).

  • Risk numbers are taken from the full PKB Risk Register in Appendix 6.1.

2 Note 

This Data Protection Impact Assessment (DPIA) is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR), and where relevant and stated, as amended by EU Member State derogation. 

This DPIA is locked to prevent further editing and to provide assurance that the assessment has been undertaken by Kaleidoscope Consultants Limited and that no changes or amendments have been made once the final version has been issued to our client. 

As with any risk assessment, a DPIA is a snapshot in time based on the best available information. It is to be expected that the DPIA will change, as new information becomes available, new risks emerge from the internal and external environments, and further risk-mitigating controls are designed and implemented. You should check that the version you have is the current version. 

Errors and omissions are excepted. 

3 Introduction 

Patients Know Best (PKB) has developed a patient-centric repository which allows for both patient access and patient contribution to their own health record. It further provides some control to the patient over their health record by allowing them to determine which organisations and teams can view their personal data. PKB have contracts with over 50 health and social care service provider customers in the UK alongside customers in EU jurisdictions.

PKB have been exploring their role in regard to its relationship with the patient, patient-entered data, health and care providers, and data entered by health and care providers. PKB have consulted legal advisors and legal counsel regarding PKB and its role in relation to data protection laws. It has been determined that PKB are both a Sole Controller and Joint Controller depending on the dataset and purpose of processing (see section 4.1.1. below). 

This DPIA will conduct an end-to-end assessment of the processing operations by PKB in line with privacy and confidentiality laws, identifying any potential risks in the processing to both PKB as an organisation and the rights and freedoms of the individuals whose personal data PKB will be processing. 

4 Risk 

4.1 Product Architecture 

4.1.1 Relationship between the parties 

Kaleidoscope has mapped PKB personal data processing operations in Appendix 6.2.1. To understand the role of PKB as a Controller or Joint Controller, it is important to distinguish between two core unique datasets held by PKB. These are: 

  • Patient Records – copies of abbreviated patient health and care records provided by Provider organisations, with access to the data shared between multiple providers and patients; 

  • Patient Accounts – personal data entered by the patient, once they have activated their account, and shared with the Providers. 

If personal data in a Patient Account is accessed by a Provider, it becomes a part of the Patient Record.  

  • PKB acts as a Joint Controller with the Provider of the Patient Record. 

  • PKB acts as the Sole Controller of the Patient Account. 

A patient can only create a Patient Account where a Patient Record exists, and the patient is invited by their Provider.  

This is explained and detailed within the Relationship Map document in Appendix 6.2.1. 

4.1.1.1 Contract review 

The following Processor has been identified and a contract review has been carried out: 

  • Google Cloud (providing hosting services) 

This contract provided a high level of assurance around the technical and organisational controls in place. However, in common with many Software as a Service (SaaS) systems, Google Cloud requires settings to be activated within the system to implement controls, rather than having them written into the standard terms. This includes the location of the data centre.  

PKB has confirmed that they have set the location for these data centres and they will only be within the UK.  

4.1.1.2 Joint Controller Arrangement review 

A Joint Controller Arrangement has been created and will be signed by all necessary parties before processing commences. This Arrangement outlines the roles and responsibilities of PKB and has been reviewed against the latest guidance from the European Data Protection Board on this subject.

4.1.1.3 Data Sharing Agreement review 

There are no Data Sharing Agreements involved in PKB data processing operations. 

4.1.2 Data flow mapping 

The flows of data have been mapped in Appendix 6.2.1. There are several purposes for which the data within PKB may be processed, and typically NHS Providers, as Controllers, may rely on any or all of the following for which they have an exemption for processing special category data under UK GDPR Article 9: 

  • Medical Purposes (9(2)(h)) 

  • Vital Interest Purposes (9(2)(f)) 

  • Public Health (9(2)(i)) 

  • Civil Contingency (9(2)(g)) 

  • Archiving and research (9(2)(j)) 

  • Management of healthcare systems and services (9(2)(h)). 

Where available to a Provider Controller, the Controller must continue to ensure that every use of personal data within PKB has a lawful basis and complies with the principles of privacy law. 

Where PKB act as Sole Controller for the Patient Account, they rely on Article 6(1)(f) and Article 9(2)(h). Where PKB act as Joint Controller for the Patient Record, they rely on Article 6(1)(e) and Article 9(2)(h).  

4.1.2.1 Data schema 

There is no set data schema for PKB. This is because the Providers configure individually what data they wish to transfer to the PKB platform. It is part of the Provider’s responsibility, as the organisation supplying the data, to undertake a data minimisation challenge exercise to determine that they are only transferring to PKB the data necessary for the agreed purposes. 

In relation to the Patient Account, PKB collects the minimum data necessary to (a) allow a user to create an account and (b) verify that the individual is the correct individual. Each patient is able to add whatever data they wish. Patient-entered data, as with all data, is encrypted and cannot be viewed by PKB. 

4.1.2.2 Data quality 

An individual record is created using the NHS number as the single unique identifier. There can only be one record per patient and using the NHS number ensures duplicate records are not created. If an organisation tries to create a record using an NHS number already in the system, a request is made to the originating organisation to add to this record. If these organisations are in different commissioning areas, they will only be able to see the part of the record from their area.  

As part of the separation of responsibilities in the Joint Controller Agreement, Providers are responsible for the quality of data they provide to the PKB platform. Where PKB act as a Sole Controller, patients can upload their own symptoms, figures, and messages to clinicians. PKB does not act in a medical capacity, so it does not undertake data quality checks on these data items, nor does it have access to them. Such items are, however, flagged to clinicians, so that clinicians are aware of what is provided to a patient. 
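To make the record-keying rules of this section concrete, the following is an added illustration written for this review and not PKB's own code: a small in-memory registry that uses the NHS number as the single unique identifier, validates it with the public Modulus 11 check digit before accepting it, refuses to create a second record for a number already present (logging a request to the originating organisation instead), and shows a Provider in a different commissioning area only the part of the record its own area contributed. The organisation names, commissioning areas and NHS numbers are constructed sample values, and the registry design is an assumption made for illustration.

```python
"""Added example, not PKB's code: a record registry keyed on a validated NHS number.

Demonstrates (1) NHS number check-digit validation, (2) duplicate-record refusal with a
request routed to the originating organisation, and (3) commissioning-area scoped views.
All organisations, areas and NHS numbers below are constructed sample values.
"""
from dataclasses import dataclass, field


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus 11 check digit used by NHS numbers.

    Weights 10..2 are applied to the first nine digits; the check digit is
    11 - (sum mod 11). A result of 11 means check digit 0, and a result of 10
    can never be a valid NHS number. Spaces in the usual '123 456 7890' layout
    are ignored.
    """
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


class DuplicateRecord(Exception):
    """A record for this NHS number already exists; no second record is created."""


@dataclass
class Entry:
    provider: str  # organisation that supplied this part of the record
    area: str      # commissioning area of that organisation
    summary: str   # abbreviated record content (constructed sample text)


@dataclass
class PatientRecord:
    nhs_number: str
    originating_provider: str
    entries: list = field(default_factory=list)


class RecordRegistry:
    """Hypothetical registry: one record per NHS number, area-scoped visibility."""

    def __init__(self):
        self._records = {}
        # (nhs_number, requesting provider, originating provider) for each refused duplicate
        self.pending_requests = []

    def create_record(self, nhs_number, provider, area, summary):
        if not nhs_number_is_valid(nhs_number):
            raise ValueError(f"invalid NHS number: {nhs_number!r}")
        key = nhs_number.replace(" ", "")
        if key in self._records:
            # Duplicate prevention: route the newcomer to the originating organisation
            # so the data is added to the existing record rather than a new one.
            existing = self._records[key]
            self.pending_requests.append((key, provider, existing.originating_provider))
            raise DuplicateRecord(
                f"record for {key} exists; request sent to {existing.originating_provider}"
            )
        record = PatientRecord(key, provider, [Entry(provider, area, summary)])
        self._records[key] = record
        return record

    def add_entry(self, nhs_number, provider, area, summary):
        """The path the originating organisation uses to add another Provider's data."""
        record = self._records[nhs_number.replace(" ", "")]
        record.entries.append(Entry(provider, area, summary))
        return len(record.entries)

    def view(self, nhs_number, area):
        """A Provider sees only the part of the record contributed from its own area."""
        record = self._records[nhs_number.replace(" ", "")]
        return [e.summary for e in record.entries if e.area == area]


if __name__ == "__main__":
    reg = RecordRegistry()
    reg.create_record("401 023 2137", "Trust A", "North", "Discharge summary")
    try:
        reg.create_record("401 023 2137", "Trust B", "South", "Outpatient letter")
    except DuplicateRecord as exc:
        print(exc)
    reg.add_entry("4010232137", "Trust B", "South", "Outpatient letter")
    print(reg.view("4010232137", "North"))   # ['Discharge summary']
    print(reg.view("4010232137", "South"))   # ['Outpatient letter']
```

The area-scoped `view` is the least-privilege point worth noting: the registry key is shared across Providers, but the data each Provider can read is filtered by its own commissioning area rather than by who holds the key.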

4.1.2.3 Security assessment 

The PKB platform is hosted on UK-based Google Cloud servers and undergoes annual penetration testing by a CREST-accredited company commissioned by PKB. This includes a follow-up test to review changes implemented since the initial test. This was last conducted in June 2019, with the follow-up conducted in September 2019. 

Backups are also held on UK-based Google Cloud servers. A nightly backup of the system is taken, along with a primary and secondary backup. In the case of the primary backup, data can be restored in a few minutes if required.  

4.1.2.4 Public task 

Where personal data is processed within the Patient Record, PKB and the Provider organisations act as Joint Controllers. The lawful basis (UK GDPR Article 6) for this processing by the Providers is typically UK GDPR Article 6(1)(e). This is because NHS Providers have a statutory function to deliver health care through their commissioning contracts and the NHS constitution. Whilst PKB does not have these same statutory functions, through the Joint Controller Agreement, PKB supports Provider organisations in discharging their statutory functions, and as such the lawful basis can be extended to PKB for the purposes of supporting the delivery of their functions. This has been validated by external legal opinion. 

4.1.2.5 Legitimate Interest Test  

To process personal data in the Patient Account, PKB relies on Article 6(1)(f). A legitimate interest test has been completed. See Annex 6.2.2.4. 

These interests include: 

  • Provision of the service to the individual; 

  • Allowing the patient to upload data to the PKB platform. 

4.1.3 Transparency and Data Subject Communication 

Where PKB act as Joint Controller, the Joint Controller Arrangement assigns responsibility for transparency, and for meeting PKB’s communication duties (UK GDPR Article 14), to the Provider organisation, as PKB initially has no direct relationship with the data subject and all of the initial data originates from the Provider organisation. PKB further support the meeting of this duty by making further information available on its website. 

The PKB transparency material shown to an invited patient when they reach the PKB website/portal to register is currently being updated to satisfy the communication requirements (UK GDPR Article 13), especially as PKB will be the Sole Controller for the Patient Account.  

The required information will be made available to the patient before registering and made available within the platform itself in ways that meet the communication standards (UK GDPR Articles 12-14).

4.1.3.1 Cookie control 

There are three cookies within the PKB WebApp, all of which are considered operationally necessary, with no third-party cookies installed. These are: 

  • Security cookie 

  • Language cookie 

  • Random session ID cookie. 

‘Strictly necessary’ cookies do not need consent, and PKB has created a cookie policy to inform users of their cookie use. 

4.2 Technical and Organisation Controls 

PKB operate a mature information governance assurance model which includes the annual completion of the NHS Data Security and Protection Toolkit, Cyber Essentials Plus and annual penetration testing. All staff are appropriately trained in line with their role. Access to personal data is limited to where strictly necessary and this access is audited. These are documented within the Technical and Organisational measures spreadsheet in Appendix 6.3. 

4.2.1 Cookie control 

PKB operates several websites, including http://My.patientsknowbest.com, which was reviewed for its cookie content in section 4.1.3.1. The other sites also drop cookies, especially the marketing website, which uses analytical cookies. This website employs appropriate cookie control and allows individuals to reject all unnecessary cookies. 

4.2.2 Transparency and Data Subject Communication 

Where PKB act as Sole Controller the responsibility for transparency as an organisation will fall on themselves as per 4.1.3. This will also include managing and responding to individual rights requests in relation to the Patient Account.

As Article 6(1)(f) will be relied upon for the Patient Account, the following rights will apply (as limited by their scope): 

  • Right of Access 

  • Right to Object 

  • Right of Erasure 

  • Right to Rectification 

  • Right to Restriction (of the processing)

PKB has the technical and organisational controls to manage such rights and is currently documenting these procedures. 

Where PKB act as Joint Controller for the Patient Record, the transparency requirement can be detailed as a responsibility of the Provider, who already has an established relationship with the data subject. PKB can further support this by making further information available on its website. Where an individual right request is received from a data subject, the responsible party must be identified within the Joint Controller Agreement.

As Article 6(1)(e) will be relied upon, the following rights can be used:

  • Right of Access 

  • Right to Object 

  • Right of Erasure 

  • Right to Rectification 

  • Right to Restriction (of the processing)

Regarding Subject Access Requests, the majority of data will already be available to the data subject via their access to the system, if the Patient Account is activated. Where the Patient Account is not activated, the Provider organisation is responsible for responding to such a request as the originator of the data, and in line with the requirement for a clinical review of health data before release.  

Where a patient makes an erasure request, PKB has outlined the approach to be taken based on whether it involves the Patient Record or Patient Account, along with any access by a healthcare professional. This is detailed in Appendix 6.2.3. 

4.3 Compliance risk (UK GDPR Article 5(2): accountability) 

As Controller and Joint Controller, all organisations involved in processing have responsibilities around their compliance with the principles of UK GDPR. These are reviewed below to ensure that PKB has evidence to demonstrate compliance with each. 

  • Personal data must be processed lawfully, fairly and in a transparent manner

Where PKB act as Controller there is a clear lawful basis under UK GDPR Article 6 to process personal data and an exemption to process special category personal data (UK GDPR Article 9). Regarding transparency, the privacy material is currently being updated to reflect the Sole and Joint Controller model.  

  • Only use personal data for specified purposes 

PKB only use personal data for the purposes of managing the healthcare record and service to the patient where there is a lawful basis to do so, as will be outlined in the transparency material. PKB does not use personal data for any commercial purposes, nor do they sell any of the personal data.  

  • Only use the minimum necessary personal data 

The PKB platform holds personal data about individuals transferred to the platform by Provider organisations. The Provider organisations have the responsibility for ensuring only necessary data is sent to the platform. Where PKB collect data directly from the data subject, aside from key data items required to create a patient account, PKB requires no personal data from individuals, and individuals are able to determine how much and what type of personal data is provided to PKB. 

  • Ensure data are accurate and up to date 

Providers have the responsibility to ensure that the data they send to the Patient Record is kept accurate and up to date. Data is periodically updated from Provider platforms via an interface with the Provider system (API), which provides a route for data to be kept accurate and up to date. Data accuracy and requests for erasure of data within the Patient Record will be handled in accordance with the Providers’ local information rights policies.  

  • Only keep personal data for as long as necessary

The retention of the personal data within the Patient Record is kept in line with the NHS Records Management Code of Practice and to ensure continuing access to that information, both for care purposes, and for related purposes involving such matters as audit, complaints handling, and litigation. This is therefore for a period of 8 years. Where personal data within the Patient Account is not accessed by a user for a set period to be determined by PKB, this will be deleted after 8 years of last access, unless a request for deletion is made. 

  • Processed securely to ensure integrity and confidentiality 

PKB maintains a high level of security of its data in both a technical and organisational manner. This includes encryption so that although PKB is a Controller for this data, they are unable to access this data internally aside from the management of the record. PKB further allows for patients to control who can see their health records, ensuring confidentiality is managed by the patient.  

5 Conclusion and recommendations 

PKB is a well-established product in use across the UK providing patients control over their health record. It allows patients to not only view their records and decide who to share personal data with but to upload their information and share this with nominated individuals. PKB acts in both a Sole and Joint Controller role. This dual role aspect has been reviewed and validated by external legal counsel.  

A Joint Controller Agreement has been created in line with Article 26 of UK GDPR which clearly identifies the responsibilities of the organisations involved. PKB’s responsibilities will be limited to the management of the data on the platform, whereas the Providers will maintain responsibility for data quality, minimisation, and the lawfulness of using the personal data for purposes other than the management of the platform. 

This review has identified the requirement for the PKB transparency material to be updated to reflect the communications requirements of UK GDPR (UK GDPR Articles 12-14), and especially how the role of PKB as a Joint Controller is managed. PKB has undertaken a number of mitigating actions since the first iteration of the DPIA to ensure that the rights and freedoms of individuals are maintained and patients remain at the forefront of managing their patient record. 

6 Appendices 

6.1 Risk register and recommendations 

Attached (1. PKB Risk register and recommendations v2) 

6.2 Product Architecture 

6.2.1 Relationship map 

Attached (2. PKB Simple Relationship v0.2) 

6.2.1.1 Contract review 

Attached (3.PKB Checklist Contracts v1.1) 

6.2.1.2 Joint Controller Arrangement review 

Attached (11. PKB Joint Controller Arrangement V1.0) 

6.2.1.3 Data Sharing Agreement review 

N/A 

6.2.2 Data flow mapping 

Attached (4. PKB Data Flow v2.0) 

6.2.2.1 Data Quality  

Attached (5. Data Quality v0.1 PKB) 

6.2.2.2 Security assessment 

Attached (6. PKB Audit Product Security v2) 

6.2.2.3 Public Interest Test 

Completed 

6.2.2.4 Legitimate Interest Assessment 

Attached (7. PKB Legitimate Interest Test v1) 

6.2.3 Transparency and Data Subject Communication 

Attached (12. PKB Record Deletion V1) 

6.2.3.1 Cookie control 

No cookies on the platform  

6.3 Technical and Organisation Controls 

Attached (9. PKB Audit Tech and Org Controls v2.0)

7 Version history 