The Data Protection Act 2018 (DPA 2018) / UK General Data Protection Regulation (UK GDPR) places a general obligation on data controllers to adopt a data protection by design and default approach to protect the personal data they process. Controllers are required to implement appropriate technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This means that the necessary safeguards have been integrated into their processing activities at the planning and development stage.
Data Protection Impact Assessments (DPIAs)
DPIAs are tools that help organisations deliver data protection by design and default by ensuring they meet the expectations of individuals regarding the security and privacy of their personal information. The DPIA process helps identify and minimise the data protection risks of a project. By law, a DPIA must be done for processing that is likely to result in a high risk to individuals, but it is good practice for assessments to be carried out for any other major projects which require the processing of personal data.
A DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
Our policy is that any change project involving personal data processing is assessed via the DPIA process. DPIAs are reviewed by our Data Protection Officer to ensure compliance with data protection requirements and approved by our Senior Information Risk Owner to ensure that suitable actions are taken to mitigate any risks identified.
Below is a summary of the DPIAs completed during the last financial year:
Project Name | Project Overview | Approval Date |
---|---|---|
Medical device and software | Ventilator Management Software | 07/07/2022 |
Web application | Home health population management solution | 21/06/2022 |
New software | Patient assessment software | 07/10/2022 |
New software | Clinical management system | 19/12/2022 |
New software | Patient communications system | 21/06/2022 |
External Staffing | External resource to support submission of a national return | 22/08/2022 |
Online database | Access to clinical online database | 28/11/2022 |
Web application | New referral platform | 13/12/2022 |
Medical device software | Body composition analyser | 02/08/2022 |
Alder Hey web application | National data opt out self check portal | 22/08/2022 |
Patient Portal | Single point of access via digital portal | 14/04/2023 |
Integrated service | Implementation of the North Mersey Integrated Care Community | 24/10/2022 |
New service | New clinics to manage complications related to excess weight (CEW) | 10/01/2023 |
New service | Introduction of virtual ward | 22/12/2022 |
New service | Pilot support service | 01/03/2023 |
Web application | Introduction of external EPR system | 02/03/2023 |
Clinical application | Remote patient monitoring | 02/02/2023 |
Medical Device | Trial before purchase of medical device | 02/02/2023 |
Cloud Storage | Migration of intranet content | 13/03/2023 |
Internal development | Wait list management | 15/02/2023 |
For more information about our process or completed DPIAs, please contact the Information Governance Team by email at [email protected]. Requests will be processed in line with the Freedom of Information Act 2000.