Surrey Provision of Care Information Sharing Agreement

Posted 22-Mar-2018

Schedule A 12

Schedule A to the Surrey Provision of Care Information Sharing Agreement

Project Specific Sharing Specification

Reference No: SCC ASC IG Team to complete

Sharing Start Date:

Sharing Specification Review Date:

Lead Organisation(s):

Summary of the Sharing Requirement

Add a summary of the initiative - this may be taken from a business case or project plan

The Sharing Organisation(s)

Within the framework established in The Agreement the organisations detailed below agree to make the PCD identified in this Project Specific Sharing Specification available for use to the User Organisation(s) identified in this Project Specific Sharing Specification.

For the purposes of this sharing initiative the Sharing Organisation(s) may create, edit, archive and delete the PCD.

The Sharing Organisation(s):

1. Are Signatories to The Agreement;


2. Have confirmed that the User Organisation(s) are Signatories to The Agreement and Trusted Organisations or have independently assessed any Statements of Compliance and are satisfied that the necessary controls are in place to allow the User Organisation(s) to access the PCD in compliance with The Agreement;

3. Have approved the PIA documentation associated with this Project Specific Sharing Specification; and

4. Have confirmed that this Project Specific Sharing Specification complies with the terms of The Agreement.

Organisation identifier | Organisation name | Designated Officer | Data Protection Designation
[ ] | [ ] | [ ] | [Data Controller / Data Processor / Data Controller in Common / Data Controllers – Joint]
[ ] | [ ] | [ ] | [Data Controller / Data Processor / Data Controller in Common / Data Controllers – Joint]

[Insert additional rows to the table above as required depending on the number of Sharing Organisations]

The User Organisations

Within the framework established in The Agreement the organisations detailed below agree to use the PCD identified in this Project Specific Sharing Specification for care purposes in compliance with the terms of The Agreement.

For the purposes of this sharing initiative the User Organisation(s) may [create, edit, archive and delete] the PCD.

[For the purposes of this sharing initiative the use of PCD is restricted to (e.g.) viewing of the data]

The User Organisation(s):

1. Are Signatories to The Agreement;

2. Are Trusted Organisations or have provided a Statement of Compliance which has been independently assessed by the Sharing Organisation(s) to confirm the necessary controls are in place to allow the User Organisation(s) to access the PCD in compliance with The Agreement;

Organisation identifier | Organisation name | IGTK level/Assurance Statement | Date checked | Designated Officer | Data Protection Designation | Teams using the confidential data | Reason for using data
[ ] | [ ] | [ ] | [ ] | [ ] | [Data Controller / Data Processor / Data Controller in Common / Data Controllers – Joint] | [ ] | [ ]
[ ] | [ ] | [ ] | [ ] | [ ] | [Data Controller / Data Processor / Data Controller in Common / Data Controllers – Joint] | [ ] | [ ]

[Insert additional rows to the table above as required depending on the number of User Organisations]

The Shared Categories of Data

Within the framework established in The Agreement the following categories of data will be shared under this Project Specific Sharing Specification. Persistent data sharing refers to situations where a distinct copy of data is transferred from one data controller to another. Temporary data sharing refers to situations where no distinct copy of data is transferred from one data controller to another with the original data being viewed by another data controller ‘temporarily’.

The data identified below includes PCD as well as data which may not be confidential or personal. All categories of data shared under this Project Specific Sharing Specification are included for completeness and not because the data is necessarily regarded as PCD.

ID | Data category | Abbreviation | Primary Data Controller | Source application | Persistent or Temporary
1 | [e.g. Demographic data including: Full Name, Full Address, Date of Birth, NHS Number] | [e.g. Demographics] | [e.g. Organisation A] | [e.g. Organisation A instance of EMIS] | [e.g. temporary (view only)]
2 | [e.g. Pseudonymised data including: Pseudonymised ID based on NHS Number, Attendance date, Treatment] | [e.g. Pseudonymised dataset] | [e.g. Organisation B] | [e.g. Organisation B data warehouse] | [e.g. persistent (transfer of data to Organisation C Data Warehouse)]

[Insert additional rows to the table above as required depending on the number of Data Categories being shared under the Project Specific Sharing Specification]

Responsibilities

Within the framework established in The Agreement the Sharing Organisation(s) and User Organisation(s) will have the following responsibilities under this Project Specific Sharing Specification.

Organisation identifier | Organisation name | Services to be provided
[e.g. Org A] | [e.g. Organisation A] | [e.g. Access Control: granting system access; terminating access authorisation; maintaining lists of authorised users; technical support (hardware, software, etc.); RA services; training (provision, completion and monitoring); etc. Monitoring/Auditing: routine monitoring/reporting; requesting ad-hoc reporting; responsibility for responding to any actual or suspected inappropriate access; etc.]
[e.g. Org B] | [e.g. Organisation B] | [ ]

[Insert additional rows to the table above as required depending on the number of Sharing Organisations and User Organisations]

Data Protection Compliance

Within the framework established in The Agreement, data shared under this Project Specific Sharing Specification will maintain compliance with The Act as detailed below.

Principle | Requirement | Compliance

Fair and Lawful Processing

All sharing of PCD under The Agreement must be accompanied by Fair Processing or Privacy Notices which comply with the Information Commissioner’s Office Privacy notices code of practice. As a minimum these must be readily available to the Individuals whose PCD will be shared and will ensure those Individuals are informed of:

the identity of all organisations/parties involved in the information sharing;

the purpose or purposes for which the organisations/parties intend to Process the information; and

any extra information necessary in the circumstances to enable PCD to be processed fairly.

A Project Specific Fair Processing Notice has been developed which covers all processing of data which will be conducted as part of the information sharing initiative (including Direct Care and Secondary Purposes):

Yes

No

The Fair Processing Notice has been reviewed against and complies with the Information Commissioner’s Office Privacy notices code of practice.

Yes

No

[Describe how the Fair Processing Notice will be made available to Individuals whose PCD will be shared]


The sharing of PCD will only occur where this is likely to facilitate the provision of health or social care services to the Individual and is in the Individual’s best interests.

Yes

No

Information that concerns, or is connected with, the provision of health services or adult social care by an anonymous access provider will not be shared under The Agreement without the Explicit Consent of Individuals as specified within Schedule 2 (1) and Schedule 3 (1) of The Act.

Anonymous access provider data will be shared as part of this information sharing initiative:

Yes

No

If Yes, Explicit Consent will be sought prior to this data being shared:

Yes

No

N/A

For all other sharing of PCD under The Agreement, wherever possible the Explicit Consent of Individuals as specified within Schedule 2 (1) and Schedule 3 (1) of The Act will be sought prior to PCD being shared under The Agreement.

Explicit Consent will be sought prior to this data being shared:

Yes

No


Where Explicit Consent cannot be sought:

Schedule 2 (3) of The Act will be relied upon to ensure organisations comply with the Duty to Share within the Health and Social Care (Safety and Quality) Act 2015; and

Individuals will be provided with the opportunity to object to the sharing and any objections will be fully considered and respected unless capacity and competence are in question, in which case The Mental Capacity Act 2005 Code of Practice will be followed to assess whether a best interests decision should instead be made; and

Schedule 8 (1) of The Act will be relied upon by ensuring the Processing is necessary for Medical Purposes and is only undertaken by a Health Professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a Health Professional.

[If No, Describe how the requirement will be satisfied including the opt-out process]

Specified and lawful purposes

Sharing of PCD under The Agreement will only occur for the purpose of the Provision of Care.

Yes

No

Adequate, relevant and not excessive

The minimum necessary PCD required to fulfil the purpose of the Provision of Care will be shared under The Agreement.

[Describe how the requirement will be satisfied – provide justification for the level of PCD being shared. Where appropriate, refer to the findings of the PIA which should have assessed the level of data being shared]

Accurate and up to date

All parties will take appropriate steps to ensure all PCD shared under The Agreement is accurate and kept up to date.

The Sharing Organisation(s) have appropriate Data Quality processes in place and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:

Yes

No

A procedure for the User Organisation(s) to feedback Data Quality issues identified to the Sharing Organisation(s) has been developed:

Yes

No

[Provide references to any existing or newly developed procedures for dealing with data quality issues identified]

Not be kept for longer than necessary

PCD shared under The Agreement will only be retained for the minimum period of time necessary to fulfil the purpose of the Provision of Care.

A retention period has been identified for the PCD shared under this Project Specific Sharing Specification:

Yes

No

[Confirm the identified/agreed retention period for the PCD being shared and provide justification (e.g. the Records Management Code of Practice for Health and Social Care 2016). Where appropriate, refer to the findings of the PIA which should have assessed the need to retain the PCD being shared]

Rights of data subjects

All sharing of PCD under The Agreement will occur in accordance with the Rights of Individuals. As a minimum each information sharing initiative must uphold the Rights of Individuals whose PCD is shared to:

access a copy of the information;

object to Processing that is likely to cause or is causing damage or distress;

prevent Processing for direct marketing;

object to decisions being taken by automated means;

in certain circumstances have inaccurate personal data rectified, blocked, erased or destroyed; and

claim compensation for damages caused by a breach of The Act.

The Sharing Organisation(s) have Subject Access processes in place and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:

Yes

No

[Provide references to any existing or newly developed procedures for dealing with Subject Access Requests]

The Sharing Organisation(s) have processes to enable Individuals to object to Processing that is likely to cause or is causing damage or distress at any stage of the project and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:

Yes

No

[Provide references to any existing or newly developed procedures for dealing with objections to Processing and explain how these are made available to all Sharing and User Organisations]

Will direct marketing occur as a result of this information sharing initiative?

Yes

No

If Yes, a procedure is in place to enable Individuals to opt out of direct marketing:

Yes

No

N/A

[If Yes, provide references to any existing or newly developed procedures for dealing with objections to direct marketing and explain how these are made available to all Sharing and User Organisations]

Will any decisions relating to Individuals be taken by automated means?

Yes

No

If Yes, a procedure is in place to enable Individuals to object to the automated decision making:

Yes

No

N/A

[If Yes, provide references to any existing or newly developed procedures for dealing with objections to automated decision making and explain how these are made available to all Sharing and User Organisations]

A procedure for the User Organisation(s) to refer Subject Access Requests and other issues, feedback or complaints received to the Sharing Organisation(s) has been developed and is available to all User Organisations:

Yes

No

[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]

Technical and organisational measures against unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data

Sharing of PCD under The Agreement will only occur where appropriate technical and organisational measures are in place that take account of the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction.

An assessment of the risks will be completed for each sharing initiative in the form of a PIA which as a minimum will consider:

Management and organisational measures;

Staff vetting and training;

Physical security;

Technical security;

Business continuity and disaster recovery;

Incident management.

All Sharing and User Organisations are Trusted Organisations under The Agreement:

Yes

No

[Describe the specific controls/security in place for this project – outline any existing or newly developed procedures to ensure the security of PCD. Where appropriate, refer to the findings of the PIA which should have assessed the Information Security Risks]

Transferred outside the EEA

PCD shared under The Agreement will not be transferred outside of the EEA.

Will PCD shared under this Project Specific Sharing Specification be transferred outside the EEA?

Yes

No

If Yes, has the proposed transfer of personal data outside the EEA been assessed in line with the Information Commissioner’s Office guidance Assessing Adequacy: International data transfers, and has a finding of adequacy been made?

Yes

No

N/A

[Describe the specific controls/security in place for this project – outline any existing or newly developed procedures to ensure the security of PCD. Where appropriate, refer to the findings of the PIA which should have assessed the adequacy of the controls]

Consent / Legal Basis

[Describe how Explicit Consent will be obtained]

[Where Explicit Consent will not be obtained:

Describe why this cannot be sought and the process by which Individuals will be provided with the opportunity to object to the sharing (with reference to the Fair Processing Notices where relevant) and how those objections will be fully considered and respected;

If relevant, describe the process by which capacity and competence will be assessed in line with The Mental Capacity Act 2005 Code of Practice and whether best interest’s decisions may be made;

Confirm whether Schedule 8 (1) of The Act will be relied upon by ensuring the Processing is necessary for Medical Purposes and is only undertaken by a Health Professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a Health Professional (e.g. a Social Care Professional). If not (e.g. data will be shared with non-care professionals, the Voluntary Sector, etc.), describe what alternative legitimising condition of The Act will be relied upon;

Confirm that information that concerns, or is connected with, the provision of health services or adult social care by an anonymous access provider will not be shared under The Agreement]


Access Control, Auditing and Monitoring

Within the framework established in The Agreement and in order to comply with the requirements of The Act, data shared under this Project Specific Sharing Specification will be subject to the following arrangements to ensure appropriate access to data held electronically.

[complete the table below for each system/information asset to which individuals or organisations require access to facilitate the sharing of data]

System Name

Access Control Procedure

The Sharing Organisation has Access Control Procedures in place and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:

Yes

No

[If Yes, provide references to any existing or newly developed procedures which will be relied upon/followed. As a minimum the procedure should cater for access by third party employees (User Organisation employees) and document:

The requirements for access (e.g. training, authorisation, completion of forms, etc.)

Authorisation process (the individuals/roles within each organisation that are required to authorise access and the process by which authorisation will be obtained e.g. completion of form and senior manager sign off)

The account creation/access setup process, including how credentials will be distributed to users

The account deletion/termination process, including how accounts requiring termination are identified (e.g. notification by user, organisation, monitoring of account activity, etc.)]

The procedure for the User Organisation(s) to obtain access has been developed and is available to all User Organisations:

Yes

No

[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]

Monitoring/Auditing Procedure

The Sharing Organisation has Monitoring/Auditing Procedures in place to identify inappropriate access and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:

Yes

No

[If Yes, provide references to any existing or newly developed procedures which will be relied upon/followed. As a minimum the procedures should cater for access by third party employees (User Organisation employees) and document:

The type of reports available;

The procedure for routine reporting (running, distributing and following up reports);

The procedure for requesting ad-hoc reporting;

The procedure for incident management (e.g. reporting to managers/IAOs/Caldicott Guardians, investigation processes and actions available against individuals such as disciplinary action, suspension, etc.)]

The procedures for Monitoring/Reporting inappropriate access are available to all User Organisations:

Yes

No

[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]

A shared Incident Reporting and Management Procedure has been developed to respond to any identified or suspected incidents of inappropriate access and is available to all Sharing and User Organisations:

Yes

No

[Provide references to any existing or newly developed procedures and explain how these are made available to all Sharing Organisations]


Business Continuity

Within the framework established in The Agreement and in order to comply with the requirements of The Act, data shared under this Project Specific Sharing Specification will be subject to the following Business Continuity Arrangements to ensure operational processes and services reliant on the data sharing can be maintained during any unavailability.

System Name

Business Continuity Procedure

The Sharing Organisation has procedures in place for maintaining Business Continuity during any period of downtime which may occur and these have been reviewed against this Project Specific Sharing Specification to ensure they are fit for purpose:

Yes

No

[Describe which users/User Organisations may be affected by any downtime/service disruption and how the Business Continuity Procedures have been shared with/made available to users and User Organisations.

Where no Business Continuity arrangements are in place, this should be documented and the risks assessed within the Full Scale PIA. The outcome of the risks assessment and the approval by Designated Officers should be explicitly detailed in this section.]


Signature

Reference No: SCC ASC IG Team to complete

Sharing Start Date:

Sharing Specification Review Date:

Lead Organisation(s):

Signatory

Name

Job Title of Person signing this agreement (Designated Officer)

Organisation

Signature

Date of signing

Head of IG name and contact details