Data protection
| Authority | Manx Care |
|---|---|
| Date received | 2022-04-28 |
| Outcome | Upheld - partial |
| Outcome date | 2022-07-17 |
| Case ID | 2417413 |
Summary
A request was made for all Data Protection Impact Assessments (DPIAs), data breach logs, and data protection team salary details from Manx Care. The authority partially upheld the request, disclosing a specific DPIA for the Public Access Defibrillator Scheme while withholding other requested documents.
Key Facts
- Manx Care disclosed a DPIA for the Public Access Defibrillator Scheme.
- The current defibrillator registration process is paper-based and prone to errors.
- An online registration and mapping system is proposed to improve data accuracy.
- The scheme involves collaboration between IMAS, Craig's Heartstrong Foundation, and other local organizations.
- The request for the full Data Breach Log and team salary details was not fully satisfied in the provided text.
Data Disclosed
- 2022-04-28
- 2022-07-17
- 60
- 3
- 2417413
Exemptions Cited
- 3rd Party Information Redacted
Original Request
1. Copies of all your DPIAs from when Manx care was formed to now 2. Copy of your Data Breach Log or other document you keep from when Manx care was formed to now 3. A structure of your data protection team including annual pay details and bonus, enhancements etc. for all of your team
Data Tables (31)
| Question | Y/N | Additional Comments (please give reasons for either a ‘yes’ or’ no ‘answer here) |
|---|---|---|
| Is there a requirement under GDPR to carry out a PIA? NB if there is a legal requirement to carry out a PIA there is no requirement to complete the remaining questions. | ||
| Will the project involve the collection of new information about individuals? | Yes | Name, email address, telephone number and organisations address. |
| Will the project compel individuals to provide information about themselves? | Yes | Minimal information is required and this is a name, phone number and email address. |
| Will information about individuals be disclosed to third party organisations or people? | Yes | Only those directly involved in the administration of the defibrillator scheme. |
| Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? | No | |
| Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. | No | The website will use location services but this will not be stored. It will only be used for the person finding their own current location on a map. It will not use any biometrics. |
| Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them? | No | |
| Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union information, biometric data, health or information concerning an individual’s sex life or sexual orientation or other information that people would consider to be private. | No | |
| Will the project require you to contact individuals in ways that they may find intrusive? | No | |
| Will the data be held in relation to children or vulnerable adults? | No |
| Name | Job Title | Email address | ||||
|---|---|---|---|---|---|---|
| Project Manager owning DPIA | Senior Paramedic Officer |
| Project Name | Public Access Defibrillator Scheme |
|---|---|
| Department / Service Area | Manx Care/Urgent and Emergency Care/Ambulance Service |
| Parties involved with the Project (internal and external) | |
| Date |
| Privacy Risk | Risk to individuals & Department | Action Identified | Risk Control Plan (Treat/Control/ Tolerate/Accept/ Terminate/Transfer | Evaluation: is the final impact on individuals and the Department after implementing each solution a justified, compliant and proportionate response to the aims of the project? | Approved by |
|---|---|---|---|---|---|
| Personal data shared or given to a 3rd party without authorisation. | Data shared. | MannGIS to ensure that the only data made publically available is the data that has been authorised. ESJCR will not be permitted to give personal details out to anyone. | IT will ensure that data is controlled appropriately. Consent will be given for the data to be provided and used for the scheme. | The information being collected is minimal and the risk is low. | |
| Data provided maliciously. | Data will be checked. | Malicious or suspicious data will be removed. | The information being collected is minimal and the risk is low. | ||
| Guardians Personal data provided by a 3rd party. Consent may not have been gained and | Person completing the registration confirms that | If they have not given consent this notification will allow them to contact us to | The guardian will receive an email with the registration details on it. There will be a statement included that will |
| Who is responsible for integrating the DPIA outcomes back into the project plan and updating any project management paperwork? Who is responsible for implementing the solutions that have been approved? Who is the contact for any privacy concerns that may arise in the future? | ||
|---|---|---|
| Action to be taken | Date for completion of actions | Responsibility for action |
| (a) Consent: the individual has given clear consent for you to process their personal data for a |
|---|
| specific purpose. |
| (b) Contract: the processing is necessary for a contract you have with the individual, or because |
| they have asked you to take specific steps before entering into a contract. |
| (c) Legal obligation: the processing is necessary for you to comply with the law (not including |
| contractual obligations). |
| (d) Vital interests: the processing is necessary to protect someone’s life. |
| (e) Public task: the processing is necessary for you to perform a task in the public interest or for |
| your official functions, and the task or function has a clear basis in law. |
| (f) Legitimate interests: the processing is necessary for your legitimate interests or the |
| legitimate interests of a third party unless there is a good reason to protect the individual’s |
| personal data which overrides those legitimate interests. (This cannot apply if you are a public |
| authority processing data to perform your official tasks). |
| Question | Y/N | Additional Comments (please give reasons for either a ‘yes’ or’ no ‘answer here) | |
|---|---|---|---|
| Is there a requirement under GDPR to carry out a DPIA? NB if there is a legal requirement to carry out a DPIA there is no requirement to complete the remaining questions. | Yes | Sensitive (health record information) and patient identifiable data/information will be | |
| transferred securely via a referral form from Manx Care to the Cheshire and Merseyside | |||
| Hepatitis C Operational Delivery Network (ODN) in the UK for discussion and management of | |||
| Hepatitis C virus (HCV) treatment decisions. | |||
| Manx Care will refer patients with a diagnosis of Hepatitis C for discussion at the weekly virtua | |||
| HCV multi disciplinary team (MDT) meeting. | |||
| Manx Care will refer a maximum of 5 patients for the virtual MDT discussion each week, with a | |||
| maximum of 70 patients annually, | |||
| The Hepatitis C MDT will discuss and communicate treatment decisions with the Manx Care | |||
| clinical team (Hepatitis C Specialist Nurse and Consultant Gastroenterologist) in attendance on | |||
| the MDT. | |||
| The Hepatology and/or Infectious Diseases nursing team will provide treatment advice and | |||
| guidance to the clinical team, where requested. | |||
| Will the project involve the collection of new information about individuals? | No | This project will not involve the collection of any new information about individuals to what would normally be collated as part of routine patient elective service within Noble’s Hospital. | This project will not involve the collection of any new information about individuals to what |
| Will the project compel individuals to provide information about themselves? | No | The patient’s details will be discussed by the clinical teams in attendance at the virtual MDT | |
| meeting to support the clinical decision making process, but patient’s will not be present at | |||
| those meetings and would therefore not be compelled to provide further information abou | |||
| themselves. | |||
| Will information about individuals be disclosed to third party organisations or people? | Yes | Cheshire and Merseyside Hepatitis C ODN clinicians will have access to the patient informatio | |
| be shared outside of their organisation. | |||
| Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? | No | The information will be used in the same way as it is currently. Cheshire and Merseyside | |
| Hepatitis C ODN clinicians will just be adding their expertise to the clinical decision making | |||
| process for patients on that pathway, the purpose for using the information remains as it would | |||
| be were Manx Care making those decisions in isolation. | |||
| Does the project involve you using new technology that might be perceived as | No | No foreseen technology to be used at this stage which may be perceived as being privacy | |
| intrusive. The patients will not be involved in the MDT meetings. |
| being privacy intrusive? For example, the use of biometrics or facial recognition. | |||
|---|---|---|---|
| Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them? | Yes | The information will be used in the direct and ongoing care of the patients involved. This may require Manx Care and Cheshire and Merseyside Hepatitis C ODN’s clinical professionals using the information to make decisions regarding patients’ healthcare which will impact upon them. | |
| Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union information, biometric data, health or information concerning an individual’s sex life or sexual orientation or other information that people would consider to be private. | Yes | The referral forms will contain personal identifiable and sensitive health record information about the patients being discussed in the MDT meeting. | |
| Will the project require you to contact individuals in ways that they may find intrusive? | No | The patients will not be involved in the MDT meetings. There will be no perceivable impact on how their care is being delivered. | |
| Will the data be held in relation to children or vulnerable adults? | Yes | Data could be held for vulnerable adults if they are in the cohort of patients to which these | |
| services apply. The MDT is for patients aged 16 and over, so there is no scope in this project to | |||
| cater for paediatric patients. |
| The information will be used in the direct and ongoing care of the patients involved. This may |
|---|
| require Manx Care and Cheshire and Merseyside Hepatitis C ODN’s clinical professionals using |
| the information to make decisions regarding patients’ healthcare which will impact upon them. |
| The referral forms will contain personal identifiable and sensitive health record information |
|---|
| about the patients being discussed in the MDT meeting. |
| The patients will not be involved in the MDT meetings. There will be no perceivable impact on |
|---|
| how their care is being delivered. |
| Name | Job Title | Email address | |
|---|---|---|---|
| Project Managers owning DPIA | Service Development Manager, Manx Care | ||
| General Manager Medicine, Urgent Care and Ambulance Service CARE group, Manx Care |
| Project Name | Provision of virtual MDT for Treatment of Hepatitis C (HCV) Patients via Cheshire and Merseyside HCV Operational Delivery Network (ODN) to Manx Care |
|---|---|
| Service Area | Noble’s Hospital |
| Parties involved with the Project (internal and external) | Manx Care, a Statutory Board of Isle of Man Government, Liverpool University Hospitals NHS Foundations Trust (LUHFT) – as Liver Transplant Pre-assessment Unit - Cheshire and Merseyside HCV Operational Delivery Network (ODN) |
| Date | 01st February 2022 |
| information held by Manx Care in relation to these services is as accurate as possible. Treat – Mechanisms to ensure that subject access requests and the information subjects’ rights and freedoms are upheld will be included in the contract documentation. | |||||
|---|---|---|---|---|---|
| Facilitation of data subject rights | High Moderate | Treat | Treat – PN to reflect processing Treat – Article 30 ROPA to detail processing activity etc. Treat – Manx Care will ensure that Equality legislation has been considered and applied as appropriate in the contractual arrangement, clarifying the systems that will be used for this purpose. Treat – Patient Information leaflet | High Low | |
| Secure transfer of patient data | Low | Treat | Treat –Manx Care organisational policies and procedures. Use of nhs.net secure email. | High Low | |
| Unauthorised access or loss | Moderate Low | Tolerate | Control existing role based user access controls as per Manx Care and LUHFT will be used when granting access to the information. Only the relative staff from both organisations will be granted access to the virtual MDT by the LUHFT MDT Co-ordinator. The electronic Patient records systems used have an audit functionality which records user access to confidential data items. Audit data will be routinely used for review of actual or potential IG breaches/incidents. Where more than one user accesses an information system, each user of that system will have a unique and verifiable identity. All transactions on shared information systems will be attributed to the individual who initiated them. All | Moderate Low |
| accounts will be password-protected and regularly changed at the appropriate frequency and strength and without recurrence, according to the security protocols per the organisations’ IT security / governance processes. Treat Both organisations will adhere to their respective organisational policies and procedures regarding Data Security and Confidentiality. Control referral form format and agreed terms of reference for virtual MDT meeting within contract. | |||||
|---|---|---|---|---|---|
| Information assets unavailable – PENS | Moderate Low | Tolerate | Accept – same impact to Manx Care. | Moderate Low | |
| Data could be subject to cyberattack | Low | Tolerate | Accept – Security provided by Manx Care (GTS) and LUHFT Treat – Regular staff communication on cyber security means of attack Treat – IOM Government Information security policies and procedures Treat – Due diligence | High Moderate |
| Who is responsible for integrating the DPIA outcomes back into the project plan and updating any project management paperwork? Who is responsible for implementing the solutions that have been approved? Who is the contact for any privacy concerns that may arise in the future? | ||
|---|---|---|
| Action to be taken | Date for completion of actions | Responsibility for action |
| Patient/Referrer Details | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Patient Name: | DOB: | NHS Number: | |||||||||
| Post Code: | Gender: | Weight: | Ethnicity: | ||||||||
| Referrer: | Date: | Treatment Centre: | |||||||||
| Investigations | |||||||||||
| Hep C PCR: | |||||||||||
| Genotype: | |||||||||||
| Fibroscan: | |||||||||||
| APRI: | |||||||||||
| Bilirubin: date: | AST: date: | ALT: date: | |||||||||
| GGT: date: | AFP: date: | Albumin: date: | |||||||||
| Haemoglobin: | Platelets: | INR : | |||||||||
| Creatinine: | eGFR: | ||||||||||
| Reason for admission (if Inpatient) | Date: | Date of discharge (if Inpatient) | |||||||||
| Decompensation Current / Previous | Signs of Decompensation Low Albumin & Raised Bilirubin - Yes / No Bleeding varices - Yes / No Jaundice - Yes / No Ascites - Yes / No Encephalopathy - Yes / No Is patient on Rifaximin? - Yes / No | ||||||||||
| USS: (Please enter details) (last Uss date: / / ) | |||||||||||
| Previous Hep C treatment: Interferon: Yes / No Direct Acting Antiviral (DAA): Yes / No (If yes please state treatment & date commenced) ---------------------------------------------------------------------------------------------------------------------------------- - | |||||||||||
| Current Medication: 1. 6. 2. 7. 3. 8. 4. 9. 5. 10. Is the patient on: Atrovastatin / Simvastatin Yes / No Carbamazepine / Phenytoin Yes / No Lansporazole / Omeprazole Yes / No Apixiban / Edoxaban / Rivaroxaban Yes / No Amiodarone Yes / No Rifampicin Yes / No |
| Is patient on any HIV Medication? Yes / No (If yes please state below) ---------------------------------------------------------------------------------------------------------------------------------- | |||
|---|---|---|---|
| Alcohol: | |||
| Potential DDI’s (please also supply DDI Form): | |||
| Decision (treatment): | Date of Decision: | Comments: | |
| Approved by: |
| Question | Y/N | Additional Comments (please give reasons for either a ‘yes’ or’ no ‘answer here) | |
|---|---|---|---|
| Is there a requirement under GDPR to carry out a DPIA? NB if there is a legal requirement to carry out a DPIA there is no requirement to complete the remaining questions. | Yes | Sensitive (health record information) and patient identifiable data/information will be accessible to a visiting clinical team from Synaptik both on Island and remotely, as part of an insourcing model to reduce waiting times for Elective Care. Synaptik will also be providing an aggregated commissioning dataset based on the outcomes of the activity provided for payment and reconciliation purposes (this will contain no patient identifiable data). | |
| Will the project involve the collection of new information about individuals? | No | This project will not involve the collection of any new information about individuals to what would normally be collated as part of routine patient elective service within Noble’s Hospital. | |
| Will the project compel individuals to provide information about themselves? | Yes | Patients will be managed through a standard pathway to undergo elective surgery at Noble’s | |
| Hospital, Manx Care utilising a clinical team from Synaptik to deliver this service locally. | |||
| Patients will not be compelled to provide any additional data about themselves beyond tha | |||
| that would normally be required for providing these services at Noble’s Hospital, but they may | |||
| need to provide additional information to the Synaptik clinical team during the provision of | |||
| their treatment as required. | |||
| Will information about individuals be disclosed to third party organisations or people? | Yes | Synaptik staff will have access to Manx Care systems the same as a substantive/locum | |
| practitioner. All information will be maintained internally and not shared outside of Manx Care | |||
| systems. | |||
| Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? | No | The information will be used in the same way as it is currently. Synaptik will be using the information in the delivery of the elective services as it would be used were Manx Care delivering those services. | The information will be used in the same way as it is currently. Synaptik will be using the |
| information in the delivery of the elective services as it would be used were Manx Care | |||
| delivering those services. | |||
| Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, | No | No foreseen technology to be used at this stage which may be perceived as being privacy | |
| intrusive. Patients will be managed as standard as part of the pre-assessment pathway, but the | |||
| process involved will minimise the potential for any perceived intrusion of privacy. |
| Sensitive (health record information) and patient identifiable data/information will be accessible |
|---|
| to a visiting clinical team from Synaptik both on Island and remotely, as part of an insourcing |
| model to reduce waiting times for Elective Care. Synaptik will also be providing an aggregated |
| commissioning dataset based on the outcomes of the activity provided for payment and |
| reconciliation purposes (this will contain no patient identifiable data). |
| This project will not involve the collection of any new information about individuals to what |
|---|
| would normally be collated as part of routine patient elective service within Noble’s Hospital. |
| the use of biometrics or facial recognition. | |||
|---|---|---|---|
| Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them? | Yes | The information will be used in the direct and ongoing care of the patients involved. This may require Manx Care and Synaptik’s clinical professionals using the information to make decisions regarding patients’ healthcare which will impact upon them. | |
| Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union information, biometric data, health or information concerning an individual’s sex life or sexual orientation or other information that people would consider to be private. | Yes | Clinical letters will contain personal identifiable and sensitive health record information about the patients. These will be dictated onsite using Manx Care’s standard secretarial provision. | |
| Will the project require you to contact individuals in ways that they may find intrusive? | Yes | Patients will receive written/telecoms correspondence regarding pre-assessment appointments. The process involved will minimise the potential for any perceived intrusion of privacy. | |
| Will the data be held in relation to children or vulnerable adults? | Yes | Data could be held for vulnerable adults if they are in the cohort of patients to which these | |
| elective services apply. There is no scope in this project to cater for paediatric patients, the | |||
| cohort being entirely adult. |
| The information will be used in the direct and ongoing care of the patients involved. This may |
|---|
| require Manx Care and Synaptik’s clinical professionals using the information to make decisions |
| regarding patients’ healthcare which will impact upon them. |
| Clinical letters will contain personal identifiable and sensitive health record information about |
|---|
| the patients. These will be dictated onsite using Manx Care’s standard secretarial provision. |
| Patients will receive written/telecoms correspondence regarding pre-assessment appointments. |
|---|
| The process involved will minimise the potential for any perceived intrusion of privacy. |
| Name | Job Title | Email address | |
|---|---|---|---|
| Project Managers owning DPIA | (Contracting Lead) | Head of Strategic Partnerships, Manx Care | |
| (Operational Responsibility) | Director of Operations, Manx Care |
| Project Name | Provision of Elective Pathways of Care delivered by Synaptik to Manx Care |
|---|---|
| Service Area | Nobles Hospital |
| Parties involved with the Project (internal and external) | Manx Care, a Statutory Board of Isle of Man Government, Synaptik |
| Date | 21st January 2022 |
| to these services is as accurate as possible. Treat – Mechanisms to ensure that subject access requests and the information subjects’ rights and freedoms are upheld will be included in the contract documentation. | |||||
|---|---|---|---|---|---|
| Facilitation of data subject rights | High Moderate | Treat | Treat – PN to reflect processing Treat – Article 30 ROPA to detail processing activity etc. Treat – Manx Care will ensure that Equality legislation has been considered and applied as appropriate in the contractual arrangement with Synaptik, clarifying the systems that will be used for this purpose. Treat – Patient Information leaflet | High Low | |
| Secure transfer of patient data | Low | Treat | Treat –Manx Care organisational policies and procedures | High Low |
| Unauthorised access or loss | Moderate Low | Tolerate | Control existing role based user access controls as per Manx Care staff will be used when granting Synaptik access to our systems. Treat Synaptik will adhere to Manx Care’s organisational policies and procedures regarding Data Security and Confidentiality. Control written patient referral letters | Moderate Low | |
|---|---|---|---|---|---|
| Information assets unavailable – Medway/Mediviewer/RiO | Moderate Low | Tolerate | Accept – same impact to Manx Care. | Moderate Low | |
| Data could be subject to cyberattack | Low | Tolerate | Accept – Security provided by Manx Care (GTS) Treat – Regular staff communication on cyber security means of attack Treat – IOM Government Information security policies and procedures Treat – Due diligence | High Moderate | |
| Use of Synaptik, some patients/families may raise concerns reference an invasion of privacy | Low | Treat | Treat – Patients will be managed as per the usual pathway. Arrangement is no |
| Date of Breach | Nature of Breach | No of Data Subjects Affected | Remedial Action |
|---|---|---|---|
| 01.04.21 | OPMHS - Cushag House telephone OPMHS service advising that copies of 2 appointment letters had been posted to them rather than the Manager, Crovan Court | Cushag House requested to return letters to OPHMS | |
| 06.04.21 | JCMW Hosp no and name of mother supplied to GTS to obtain NHS number for baby | ||
| 12.04.21 | Info left at sign in desk Crookall House | ||
| 13.04.21 | Sensitive PID to 111 swabbing appointments team | 1 | Revised process in place; Process distributed to care group leads |
| 20.04.21 | Sick note sent to wrong client returned by CMHP who happened to be visiting the person who had received it. | 1 | Sick note returned to CMHSA office |
| 21.04.21 | Patient admitted to Ward 2 from ED had been sent up with ECG and NEWS paper documentation belonging to another patient | 1 | Document removed from patient medical record and sent to Med Recs for filing. All ED staff reminded of process and need for vigilance |
| 23.04.21 | Airport - email sent to DOI Admin x 10 staff at the airport in error as well as Diabetes and Endocrinology staff | e-mail recalled. Contained no patient identifiable information | |
| 23.04.21 | Patient appointments and sensitive data questionnaires left in staff/public toilet in CCHC by Physio Dept | 33 | |
| 25.04.21 | User unable to access EMIS live system | 1 | |
| 04.05.21 | A patient arrived for a fracture clinic appointment, she brought along her appointment letter with her and that of another patient. | 1 | Patient has been informed. Investigation being conducted and any areas for improvement identified and appropriate action taken including ensuring staff member is up to date with data protection training |
| 06.05.21 | Community Health - Telephone conversation with patient discussed presenting symptoms - patient denied and when checked on EMIS letter had been uploaded to wrong patient (uncle). | 2 | EMIS record updated and Same Name alert added Apology to patient |
| 11.05.21 | Blood tests were requested on the wrong patient and given to the patient. The patient became aware only when going for the blood test. | 1 | See data breach form |
| 13.05.21 | Patient documents found in On Call room | 1 | The surgical admission proforma notes were incomplete and in draft format - as they did not relate to a hospital episode they should have been destroyed as they did not form part of the patient’s record. The Dr has agreed that in future he will not prefill surgical admission proforma and hand to another doctor to facilitate a subsequent hospital admission on another day. |
| 04.06.21 | Fostering Newsletter emailed to all foster carers. The newsletter does not contain personal data but email should have bcc | 54 | To remind individual responsible and other staff on the need to be careful when sending group emails and that these should be bcc’d if it isn’t appropriate for recipients to see other’s email addresses. |
| 11.06.21 | Request for results on the incorrect patient | 1 | Improved process put in place as detailed within the investigation report |
| 14.06.21 | Email sent to wrong school teacher | 1 | Contact made with Head Teacher who confirmed that the email had been deleted without opening. |
| 16.06.21 | Ward 1 AMU Staff member receiving e-mails from paediatric unit, by mistake should be another staff person with same surname | Email to all staff asking them to check that they have the right email address Apology issued | |
| 17.06.21 | Patient information printed in wrong area | ||
| 29.06.21 | Martin Ward - documents filed in wrong patient's notes patient unknown to Martin Ward | Incorrect notes removed from Martin Ward in patient and sent back to responsible ward |
Full Response Text
FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
Privacy Impact Assessment – Screening Questions
Question Y/N Additional Comments (please give reasons for either a ‘yes’ or’ no ‘answer here) Is there a requirement under GDPR to carry out a PIA? NB if there is a legal requirement to carry out a PIA there is no requirement to complete the remaining questions.
Will the project involve the collection of new information about individuals? Yes Name, email address, telephone number and organisations address. Will the project compel individuals to provide information about themselves? Yes Minimal information is required and this is a name, phone number and email address. Will information about individuals be disclosed to third party organisations or people? Yes Only those directly involved in the administration of the defibrillator scheme. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? No
Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. No The website will use location services but this will not be stored. It will only be used for the person finding their own current location on a map. It will not use any biometrics. Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them? No
Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations?
For example, health records, criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union information, biometric data, health or information concerning an individual’s sex life or sexual orientation or other information that people would consider to be private. No
Will the project require you to contact individuals in ways that they may find intrusive? No
Will the data be held in relation to children or vulnerable adults? No
FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
Step 1 Project
Name Job Title Email address Project Manager owning DPIA
Senior Paramedic Officer
Step 2 Project Summary
Project Name Public Access Defibrillator Scheme Department / Service Area Manx Care/Urgent and Emergency Care/Ambulance Service Parties involved with the Project (internal and external) Date
Step 3 Requirement for DPIA – issues to be addressed
To include: Automated External Defibrillators (AEDs) are now a common sight in various locations around the Island. However, the vast majority are situated in shops and offices and are therefore unavailable outside normal business hours. The concept of Public Access Defibrillators (PAD) started in the south of the Island but the demand for providing such a facility in local communities has grown in recent years. The Isle of Man Ambulance Service (IMAS), Craig’s Heartstrong Foundation, The Rushen Emergency Ambulance, St John Ambulance (IOM) and the Manx Heart Foundation have come together to form a Public Access Defibrillator steering group which aims to ensure a standard approach to providing PAD’s exists across the Island. Members of the public may be directed to these PAD sites by the Emergency Services Joint Control Room (ESJCR), therefore, it is vital that they meet the requirements of IMAS and the scheme and that the equipment is regularly checked and serviceable.
3rd Party Information Redacted FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
The scheme aims to provide support to those who wish to install Automated External Defibrillators (AEDs) in the Isle of Man. Specific focus will be given to provide PAD sites in areas which fall outside the optimum response time of either the Ambulance Service or a volunteer First Responder, or where large numbers of people regularly gather.
An essential control for the continued safe use of the Defibrillators is the central register / registration process that is currently maintained by IMAS.
The current registration process is paper based, labour intensive, prone to keying errors and relies upon two staff members undertaking the activity on a voluntary basis alongside their main operational duties. The method upon which registrations are currently recorded is periodically updated and an excel spreadsheet is used to identify defibrillators near to an address. This is time consuming, can be inaccurate and errors can be made. The information may not be up to date.
An online registration and mapping system would allow the data to be collected and processed once. The data could then be displayed on a map which would allow the Emergency Services Joint Control Room (ESJCR) to easily visualise the location and surrounding defibrillators that may be available. This would also allow us to map defibrillators that are not available to the public but may be available to the people in the organisation that registers it.
Step 4 Information Flows/nature of processing
- Registrant goes to www.gov.im/ambulance or www.defibs.im and selects the register defibrillator link.
- The www.defibs.im link will take the person directly to the online public map portal.
- Registrant follows online prompts and enters the required information and completes the online registration form.
- An email is sent to the person registering the defibrillator and the two guardians that are registered at the same time. This ensures that the guardians receive a copy of the registration and allows for the data to be checked for accuracy by 3 people linked to the defibrillator.
-
The person submitting the registration has to accept the terms and must also click a check box to state that the guardians have given consent to have their detail added to the system. FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
-
Depending on what option is selected by the registrant there will be 3 different views available to the public mapping system (public, restricted and private). The control room will be able to view all details for every registered defibrillator as this will allow the control room to search for the nearest defibrillator to an address and make it available for anyone suffering a cardiac arrest depending on the circumstances.
Every registration will collect data as shown in appendix 1.
If the defibrillator is public or restricted then basic defibrillator information will be available on the public mapping system. This information will include the following information. • Name of organisation registering the defibrillator • Location of defibrillator • Location description • Additional comments • Location photograph if the user wishes to provide/upload one.
Private defibrillators will only be viewable by the ESJCR. All information regarding a defibrillator will be accessible by the ESJCR for administration purposes.
Any data provided will only be kept for the purposes of the administration of the defibrillator scheme and will be deleted when a defibrillator is removed from the system or where contact with the organisation or guardian cannot be made. Any organisation may at any time amend or remove their registration by contacting the administrator of the scheme. An email is sent to each person and will contain a statement that informs hem that they can opt out at any time and if they are not allowing for their data to be included it will be removed on request.
When consumables are about to expire there will be additional functionality whereby the registering organisation and guardians will be contacted by email reminding them to replace their consumables.
FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
Step 6 Information shared
Identify what information will be shared, how and when Information shared online via public map will be; • Name of organisation or individual registering the defibrillator • Location of defibrillator • Location description • Additional comments • Location photograph if the user wishes to provide/upload one.
Information available to the Ambulance Service scheme administrators and the Emergency Service Joint Control Room will be; • Name of organisation or individual registering the defibrillator • Organisation contact name, email and phone number • Individual registering the defibrillator • Location of defibrillator • Location description • Additional comments • Location photograph if the user wishes to provide/upload one • The names, phone numbers and email addresses of 2 nominated guardians • The key code to access any external cabinets.
FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
Step 7 Consultation Requirements
There is a strong public demand for this type of system and its inception will be positive and generate good publicity for Manx Care, IMAS the DHSC and MannGIS. • Consultation was carried out by way of conversations with PAD group members. • Michaela Morris previously signed the project off from an ELT perspective and gave authorisation to proceed with the SRF. • Testing has been carried out by IMAS, PAD group members and MannGIS will identify any errors in process and allow the notification side of the system to be tested. • There will be a requirement to meet with the Information Governance Manager to discuss this DPIA, demonstrate the system and through process to ensure that this project meets GDPR requirments. • If required the Information Commissioner will be consulted.
Tests have been conducted by MannGIS and improvements have been made based on the testing results. Tests have been carried out by IMAS and members of the PAD group. Testing has identified that some data was going to be collected for no valid reason, therefore, changes have been made to exclude this data from the collection process. Only required data will be collected.
FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
Step 8 Identify Privacy Risks, Solutions and Approval
Privacy Risk Risk to individuals & Department Action Identified Risk Control Plan (Treat/Control/ Tolerate/Accept/ Terminate/Transfer Evaluation: is the final impact on individuals and the Department after implementing each solution a justified, compliant and proportionate response to the aims of the project? Approved by Personal data shared or given to a 3rd party without authorisation.
Data shared. MannGIS to ensure that the only data made publically available is the data that has been authorised. ESJCR will not be permitted to give personal details out to anyone.
IT will ensure that data is controlled appropriately. Consent will be given for the data to be provided and used for the scheme. The information being collected is minimal and the risk is low.
Data provided maliciously.
Data will be checked.
Malicious or suspicious data will be removed. The information being collected is minimal and the risk is low.
Guardians Personal data provided by a 3rd party. Consent may not have been gained and
Person completing the registration confirms that If they have not given consent this notification will allow them to contact us to The guardian will receive an email with the registration details on it. There will be a statement included that will
FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
the guardian may not wish for this to be included.
consent has been gained for the data to be used. Upon completion those who’s data has been given will receive an email which will include the data being used.
request that the data is removed or amended if required. state. “If you do not consent to your personal data being included then please contact the administrator of the scheme and the organisation making the registration so that your data can be removed. You have the right to remove this data at any time by contacting the administrator of the scheme”.
Step 9 Integrate the DPIA outcomes back into the project plan
Who is responsible for integrating the DPIA outcomes back into the project plan and updating any project management paperwork? Who is responsible for implementing the solutions that have been approved? Who is the contact for any privacy concerns that may arise in the future? Action to be taken Date for completion of actions Responsibility for action
Date of consideration by Data Protection Officer ……………………………………………………………………………… FOI 2417413 - Data Protection – Q1 DPIA - Public Access Defibrilator Scheme
Linking the PIA to the GDPR principles Answering these questions during the PIA process will help you to identify where there is a risk that the project will fail to comply with the GDPR or other relevant legislation, for example the Human Rights Act. Principle 1 Personal data shall be processed fairly and lawfully There must be lawful basis for processing the personal data as follows; (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (d) Vital interests: the processing is necessary to protect someone’s life. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
• Have you identified the purpose of the project and which lawful basis applies?
• Is the processing of the data necessary in terms of GDPR?
• How will you tell individuals about the use of their personal data?
Email sent to them when the defibrillator is registered.
• Do you need to amend your privacy notices?
• If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?
• If special categories of personal data have been identified have
[Response truncated — full text is 92,094 characters]