Western Wellbeing Partnership
| Authority | Department of Health and Social Care |
|---|---|
| Date received | 2020-02-24 |
| Outcome | Some information sent but not all held |
| Outcome date | 2020-03-23 |
| Case ID | 1193050 |
Summary
A request was made for patient numbers, cost breakdowns, complaint procedures, privacy assessments, and data sharing agreements regarding the Western Wellbeing Partnership. The authority disclosed a Data Sharing Agreement but indicated that not all requested information was held.
Key Facts
- The request was received on 2020-02-24 and the outcome was issued on 2020-03-23.
- The response included 31 pages across 4 documents.
- A Data Sharing Agreement between the Department of Health and Social Care and another party was provided.
- The agreement references the Data Protection Act 2018 and the Applied GDPR.
- The authority stated that some information was not held.
Data Disclosed
- 2020-02-24 (date the request was received)
- 2020-03-23 (date the outcome was issued)
- 31 (pages in the response)
- 4 (documents in the response)
- April 2018 (start of the cost breakdown period requested)
- 2016/679 (EU General Data Protection Regulation, applied to the Isle of Man as the "Applied GDPR")
- 2018 (Data Protection Act 2018)
- 2002 (Data Protection Act 2002, referenced for Data Subject Access Requests)
- 12 months (review interval for the Data Sharing Agreement)
Original Request
I would like the following information regarding the Western Wellbeing Partnership reported on Energy FM on Tuesday the 18th February 2020.

Question 1: How many people are actually signed up under the care of the partnership, e.g. how many patients etc.? Just the total number.

Question 2: Please provide a breakdown of all costs involved in setting up the partnership, e.g. staff costs, building costs, project costs, and expenses claimed etc. This cost breakdown is required from April 2018 to date by month, to include a final total.

Question 3: Please provide details of who and how to complain or submit compliments about the partnership to.

Question 4: Please provide a copy of the privacy impact assessment; if one was not carried out, state not carried out and the reason why.

Question 5: Please provide a copy of any data sharing agreements of all those involved in the partnership; if none are in place, state none in place.
Data Tables (12)
| Name | Job Title | Organisation | Telephone Number |
|---|---|---|---|
| ***** | Interim Chief Executive Officer | Department of Health and Social Care | 01624 656071 |
| ****** | Chief Executive Officer | ******* | ******** |
| DHSC Data Protection Officer |
|---|
| Crookall House Demesne Road Douglas, IM1 3QA DPO-DHSC@gov.im |
| Description | Details |
|---|---|
| Why is the data shared? | |
| Duration of the processing | |
| Nature and purposes of the processing | |
| Type of Personal Data | |
| Categories of Data Subject | |
| Plan for return and destruction of the data once the processing is complete UNLESS there is a requirement under the law to preserve that type of data | |
| | Name | Job title | Email address (as contact point for future privacy concerns) |
|---|---|---|---|
| Project Manager owning DPIA | Paul Jackson | Manager, Integrated Care Project Team | paul.jackson@gov.im |
| Project Name | Western Wellbeing Partnership |
|---|---|
| Department /entity | Department of Health and Social Care |
| Parties involved with the project (internal /external) | Department of Health and Social Care, Hospice, Live at Home, Crossroads, Residential care homes, GP, Pharmacy, Police. |
| Date | 19th August 2018 |
- improves safety by reducing the need for unnecessary repeated tests;
- improves safety and experience by making comprehensive and reliable allergy, medication, diagnosis and social circumstance information readily available across all health and care settings, for example in A&E or when an ambulance is called;
- prevents unnecessary admissions to hospital by giving health and care professionals more information about the individual when making their professional decisions;
- saves time by reducing the need to manually request information;
- saves money by avoiding duplicate tests or assessments;
- improves people’s engagement in their own care and adherence with medications and care plans by providing individuals with access to shared records;
- supports safeguarding by sharing alerts across multiple care settings for both adults and children;
- supports more accurate understanding of local populations, allowing services to be designed more effectively around individuals’ needs.

The Government Digital Strategy Group is currently working towards the development and implementation of a single integrated digital care record. Until then the Department will continue to operate two main recording systems: EMIS, used by Community Care, and RiO, used by Social Care, Mental Health and the Community Adult Therapy Service. Access is restricted to these user groups. To improve communication and avoid duplication where possible, it is the intention to open access to both systems to Health and Social Care practitioners. The pilot commenced on 25th February 2019 and access by members of the Integrated Care Team to both systems is required at the earliest opportunity. The feedback from practitioners working in the Integrated Care Team in the West is that the lack of access to both EMIS and RiO is causing difficulty for team members to effectively coordinate care and support.

| Description | Details |
|---|---|
| Why was the need for a DPIA identified? Explain the role of personal data in the project | The Project will be working with areas within the Department, the third sector and on occasions the Police to put in place a single point of contact for the data subject when accessing services relating to their care. The minimal amount of personal data will be shared to ensure that the data subject receives the necessary care and services they need to meet their individual needs. This will involve working with third sector partners. |
| | What is the privacy risk to individuals? (low/medium/high) | How likely is the harm to individuals? (remote/possible/likely) | Risks identified | Solution/Action to be taken (including safeguards and security measures to ensure protection of personal data) | Result: is the risk eliminated, reduced, or accepted? |
|---|---|---|---|---|---|
| (i) Lawfulness, fairness and transparency | Medium | possible | Breach of confidentiality; Dept not exercising legislation powers appropriately; breach of human rights | Data Breach Policy in place; staff are aware to report breaches to the DPO within 72 hrs; in order to access a record, practitioners are required to record reasons for accessing | Reduced |
| (ii) Purpose limitation | Low | possible | Privacy Notice is outdated | We review our processing and where necessary update our documentation and Privacy Notice | Reduced |
| (iii) Data minimisation | Low | possible | Professionals collect information generally rather than on an individual basis | Staff have undergone training; staff know what is required to provide an individual service to the data subject | Reduced |
| (iv) Accuracy | Medium | possible | Data subject challenges accuracy of opinion or record keeping | Process in place: if the information is factually incorrect this will be amended; if it is a difference of opinion then the data subject's views will be added to the record | Reduced |
| (v) Storage limitation | Low | possible | Information may be kept after the end of the retention period | Service areas have their individual Retention of Record Policies and each area is aware of their responsibilities under the Policy. This is raised and monitored via the Information Governance Group | Reduced |
| (vi) Rights of individuals | Low | possible | Rights of individuals are breached | Subject Access Request process in place; staff are aware of individual rights, and any queries they will raise with their Manager or the DPO | Reduced |
| (vii) Security, integrity and confidentiality | Medium | possible | Information shared by mistake; information transferred without security; breach of confidentiality | Technical controls in place for systems; audits in place; data encrypted by password; staff are aware to report breaches to the DPO immediately when possible but definitely within 72 hrs | Reduced |
| (viii) International transfer | Low | remote | | Unlikely as the project will not be transferring data internationally | Reduced |
| (ix) Data processors | Medium | possible | Partner agency does not have the adequate policies and procedures in place | Information Governance Team carry out audits of partner agency to ensure adequacy | Reduced |
| (x) Local laws and regulations | Low | possible | | Chart shows the legislation powers the Dept and partner agency have | Reduced |
| | Print Name | Signature | Date |
|---|---|---|---|
| Project Manager | | | |
Partnership Members: practitioners who regularly attend the partnership meetings.

- Corrin Home
- Crossroads Services
- Community Adult Therapy Services
- Community Wellbeing Service
- Day Care Services
- Dietetics Team
- Hospital Services
- Peel Medical Centre
- Public Health
- Pharmacy Technicians
- Podiatrists
- Reablement
- Speech & Language Therapies
- Specialist Nurses
- Community Mental Health Service for Adults
- Community Support Services
- District Nursing Service
- Hospice
- Live at Home
- Long Term Conditions Coordinator
- Older Persons Mental Health Services
- Social Work Teams
Full Response Text
Data Sharing Agreement Page 1
THIS AGREEMENT is made this day of 2020 BETWEEN the DEPARTMENT OF HEALTH AND SOCIAL CARE (the Department) (a Department of the Isle of Man Government), of Crookall House Demesne Road Douglas Isle of Man IM1 3QA ("the Department") of the one part and * of ** of the other part.
RECITALS (A) The Parties wish to enter into this Data Sharing Agreement ("the Agreement") to fulfil a statutory requirement namely *.
(B) This Agreement is intended to ensure that data sharing between the Parties occurs in accordance with the provisions of the Data Protection Legislation.
1) Definitions

The following terms shall have the following meanings:

- "the Agreement" has the meaning given to it in Recital (A) above and incorporates the Conditions;
- "Applied GDPR" means the General Data Protection Regulation EU 2016/679 as applied to the Isle of Man by virtue of the Data Protection (Application of GDPR) Order 2018;
- "the Conditions" means the conditions attached to this Agreement;
- "Controller" has the meaning given to it by Article 4(7) of the Applied GDPR;
- "the Data Protection Legislation" means the Data Protection Act 2018 and shall include the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018 and any legislation made thereunder, and any references to the Data Protection Legislation herein shall be construed as made under the Data Protection Legislation for the time being in force in the Isle of Man;
- "Data Subject" has the meaning given to it in Article 4(1) of the Applied GDPR;
- "Data Subject Access Request" means a request for access to information by a data subject made under section 5 of the Data Protection Act 2002 or an equivalent request made under the Data Protection Legislation pursuant to the Applied GDPR (in particular section 2 of the Applied GDPR and any regulations made under the Data Protection (Application of GDPR) Order 2018 following the repeal of such provision);
- "Parties" means the Department and *** and "Party" means either one of them as appropriate;
- "Personal Data" has the meaning given to it in Article 4(1) of the Applied GDPR;
- "the Principles" means the data protection principles set out in Article 5 of the Applied GDPR;
- "Staff" means the employees, temporary staff or other persons employed by one or other or both of the Parties (as appropriate) who have access to or who potentially have access to data;
- "the Term" has the meaning given to it in paragraph 3 below.
2) The Agreement

The Parties undertake to:

a) Implement and comply with the provisions of this Agreement within their respective organisations.
b) Ensure that their respective Staff are aware of and adhere to the policies, procedures and arrangements set out in this Agreement via appropriate training.
c) Comply with the Conditions and use this Agreement to facilitate the sharing of Personal Data between the Parties.
3) Review of the Agreement
a) This Agreement shall continue for such period as the Parties continue to share Personal Data or for such period as one Party holds Personal Data provided to it by the other Party (whichever is the later) ("the Term").
b) The Department shall, on behalf of the Parties, instigate a review of this document every twelve (12) months during the Term.
4) Signature By signing this Agreement, the signatories accept responsibility for its execution and agree to adhere to its provisions. Signatories must also ensure that they comply with all relevant legislation.
Signed on behalf of the DEPARTMENT OF HEALTH AND SOCIAL CARE
…………………………………………………………………………..……….
Name: …………………………………………………………………………...
Position: …………………………………………………………………......
Date: …………………………………………………………………………...
Signed on behalf of **
…………………………………………………………………………………...
Name: *
Position: **
Date: ……………………………………………………………………….....
THE CONDITIONS
1) The following named persons are responsible for ensuring that the Principles are adhered to on behalf of each of the Parties:

1.1 Each Party must nominate someone to be responsible for providing or obtaining expert advice with regard to Data Protection issues:

| * Data Protection Officer | DHSC Data Protection Officer |
|---|---|
| | Crookall House, Demesne Road, Douglas, IM1 3QA, DPO-DHSC@gov.im |

1.2 Either Party may change the person or details contained in this Condition by giving notice in writing to the other Party.
2) Purpose of Sharing Information
2.1 The purpose for data sharing between the Parties is to enable the Department to fulfil a statutory requirement namely *.
3) Data items to be shared

3.1 Subject to the provisions of paragraph 4, where it has been determined necessary, reasonable and proportionate to do so, the Parties may share the following information:

Schedule of Processing, Personal Data and Data Subjects

| Description | Details |
|---|---|
| Why is the data shared? | |
| Duration of the processing | |
| Nature and purposes of the processing | |
| Type of Personal Data | |
| Categories of Data Subject | |
| Plan for return and destruction of the data once the processing is complete UNLESS there is a requirement under the law to preserve that type of data | |

| Name | Job Title | Organisation | Telephone Number |
|---|---|---|---|
| ***** | Interim Chief Executive Officer | Department of Health and Social Care | 01624 656071 |
| ****** | Chief Executive Officer | ******* | ******** |
3.2 Personal Data will be shared as defined in the Data Protection Registry Entry.
3.3 On all occasions the minimum necessary Personal Data will be shared.
4) Basis for sharing
4.1
5) Access and individual rights:
5.1 Where one Party is the sole Data Controller, that Party will process any Data Subject access request in accordance with the provisions of the Act.
5.2 Where the Parties are joint Data Controllers, the Party who receives the Data Subject Access application will process it. If the Department receives the application they will inform *, who will provide all relevant redacted Personal Data to the Department for release to the data subject within the statutory one month timeframe. If * receives the request, they will notify the Department and both will separately provide all relevant Personal Data, with redactions, to the data subject within the statutory timeframe.
6) Data Quality Standards

6.1 The Parties will ensure that only the relevant and proportionate amount of Personal Data necessary will be shared by the Parties.
6.2 Each Party will ensure that all information processed by it is accurate and up to date.
6.3 Each Party will establish procedures to regularly check with both staff and data subjects that the Personal Data they process is accurate and up to date.
7) Security

7.1 The Parties will establish appropriate policies and procedures establishing measures to ensure adequate protection of all Personal Data from accidental or intentional disclosure to unauthorised persons, deletion or modification, theft or damage, having due regard for the principles and standards of BS 7799 Part 2:2002 (or any subsequent ISO/IEC standards).
7.2 Any policies and procedures will be made available to the other Party upon reasonable request.
7.3 Staff must receive appropriate training. Each Party may inspect staff training logs upon request.
7.4 Measures to be taken must include:

- All Personal Data, whether it is held on computer or on paper, will be protected through appropriate access controls.
- Staff must not process the Personal Data on home computers or any other personal equipment, such as mobile phones, cameras, etc., unless expressly authorised to do so by the Data Controller.
- Procedures for the secure use of manual files, including the use of such files outside the office environment, will be established.
- Data must only be stored on devices or equipment which belong to the DHSC, and have been approved by their IT provider and encrypted. All portable and mobile devices including laptops and other portable media (except USB flash drive memory sticks, which must not be used) used to store and transmit Personal Data (the loss of which could cause damage or distress to individuals) must be encrypted using encryption software which meets the current standard (128-bit) or equivalent.
- Any Personal Data sent via e-mail should be secured in a password protected document or suitably encrypted document. The password should not be sent with the original e-mail, but must be communicated separately, either by e-mail or telephone call.
- Any Personal Data sent via fax should only be sent if the person who wants the information is waiting at the machine to receive the document immediately. It is recommended that a cover sheet be transmitted first, with the information itself sent only after a confirming response has been received.
- Any Personal Data sent via post must be placed in an envelope that will show if it has been tampered with (preferably inside another envelope), and marked 'Private and confidential addressee only'. It is recommended that if the Post Office system is used, Recorded Delivery or Registered Delivery is chosen, as this allows the mail to be tracked. A courier service could alternatively be used, depending on the sender's requirements or the sensitivity of the information, and marked 'Private and confidential addressee only'.

7.5 Each Party must nominate a person who will have responsibility for ensuring all information is backed up regularly. Ideally, the master copy of programmes and back-ups of data will be kept in a fireproof safe, preferably in a separate building from the system.
8) Audit
Both Parties must have appropriate governance and risk assessment measures in place, to assure the safe storage, access and utilisation of Personal Data. Policies and procedures will be available for audit purposes with evidence of clear review dates.
9) Review, Retention and Disposal
9.1 The Parties undertake to: ensure that Personal Data will only be used for the specific purpose for which it was shared; keep Personal Data securely stored and dispose of it securely when it is no longer required in accordance with their organisation's retention and disposal policy which as a minimum standard must comply with retention and disposal periods, regardless of contract duration.
9.2 All Staff shall be made aware of the Data Controller's policy for the storage, use, transmission and disposal of Personal Data and shall be appropriately trained on how to follow that policy.
9.3 Disposal policies will include:

- All software and data will be erased from redundant hardware and media storage (e.g. tapes, disks) before the hardware is removed.
- Confidential paper waste is shredded or is collected and held in a secure area prior to shredding or incinerating.
10) Breaches and Complaints
10.1 All complaints or breaches of this Agreement will be notified immediately to the relevant Party's designated Data Protection Officer in accordance with their respective policy and procedures.
10.2 Each Party will be accountable for any misuse of Personal Data supplied to it and the consequences of such misuse.
10.1. Breaches of this Agreement must be dealt with by the signatory under their own established policies and procedures.
10.2. Procedures must be developed by each Party to cover security breaches, including how breaches of security will be logged and investigated and how adherence to policy and procedures will be monitored. These procedures should be reviewed on a regular basis.
10.3. Staff shall be required in their employment contracts/contracts of engagement to maintain the confidentiality of both the Parties and the Data Subjects. Failure to do so should be identified as gross misconduct, and policies and procedures should make clear the consequences of a breach.
Data Protection Impact Assessment - Department of Health and Social Care

Why do I need to complete a Data Protection Impact Assessment (DPIA)?

- A DPIA helps identify data privacy risks when planning new (and revising existing) projects and to identify actions to mitigate these risks.
- A DPIA should be carried out as it is a useful tool to help organisations comply with data protection law.
- A DPIA is required:
  - where data processing is likely to result in a high risk of harm to individuals (e.g. new technology is used);
  - where large volumes of data are processed;
  - where the data falls under the remit of sensitive personal data; or
  - where DHSC monitors publicly accessible areas (e.g. CCTV).
- Where high risks cannot be mitigated, it may be necessary for the Data Protection Officer to consult with the Information Commissioner's Office (ICO) prior to processing. DHSC can be fined for not doing so.
- Failing to carry out a DPIA correctly or failing to consult the competent supervisory authority where required can each result in a fine.

When should I complete this DPIA?

- As early as possible during project planning, prior to any contractual negotiations, and while there is still time to influence project design.
- The DPIA should be started as early as practical in the design of the data processing operation.
- The DPIA should be carried out prior to processing personal data as part of the project.

Who should complete this DPIA?

- The controller (i.e. DHSC) is responsible and remains ultimately accountable for ensuring that the DPIA is carried out.
- The Project Manager should own and complete this DPIA.
- The DHSC Data Protection Officer should be consulted where risks cannot be mitigated.
- Relevant stakeholders (internal and external) should be consulted throughout the DPIA process to assist in identifying privacy risks.

How should a DPIA be completed?

- This document must be read in conjunction with the guidance. It will assist you with the completion of this template.
- This table sets out the steps DHSC should take to comply with data protection law when carrying out a DPIA prior to processing personal data.
- It is important to note that the intensity of a DPIA should be proportionate to the size of the project and the related privacy risk. Account should be taken of the nature, scope, context and purpose of the data processing.
Step 1 Project Team
Name Job title Email address (as c
[Response truncated — full text is 57,821 characters]