Post on 25-Oct-2020

Page 1: Sources · Web view(2) Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection

Data Protection Impact Assessment Report

Sensely UK Ask NHS Application

Title Data Protection Impact Assessment

Project Sensely UK Ask NHS App

Author Emma Cooper, Data Protection Officer

Date August 2020

Version V2

Status Pending DPO Approval

Contents

1. Introduction and Context ........ 2
2. Necessity of Privacy Impact Assessment ........ 3
3. Information Assets ........ 4
4. Processing Activities ........ 4
5. Overseas Information Flows ........ 5
6. Controllers and Processors ........ 6
   Non-Commissioned Locations ........ 6
   Commissioned Locations ........ 7
   Giving effect to Data Subject Rights ........ 7
7. Lawfulness ........ 8
8. Legitimacy ........ 13
9. Data Minimisation ........ 14
10. Records Retention ........ 18
11. Data Subject Rights ........ 18
   Right to be Informed ........ 19
   Right to Object, Withdrawal of Consent and Erasure ........ 19
   Right to Rectification ........ 20
   Right to Access ........ 20
   Right to Portability ........ 21
12. Accuracy / Data Quality ........ 21
13. Children and Young People ........ 21
14. Profiling and Automated Decision Making ........ 21
15. Direct Marketing ........ 22
16. Privacy by Design ........ 23
17. Cyber Security ........ 23
18. Obligations of Secrecy ........ 25
19. Governance ........ 25

1. Sources

Data Protection Act 2018 (DPA)

General Data Protection Regulations (EU) 2016/679 (GDPR)

Information Commissioner – Guide to the General Data Protection Regulations (ICO Guide)

Information Commissioner: Age Appropriate Design, A Code for Online Services 1

2. Introduction and Context

Sensely UK Ltd is a UK-based software and application development company providing healthcare technology solutions for a range of healthcare sector clients and registered as a Data Controller under ZA194147. The organisation is based in London.

Sensely UK Ltd is a subsidiary of Sensely Corporation which has its base in the United States.

3. Necessity of Privacy Impact Assessment

Whilst Sensely UK Ltd offers a variety of services, often providing bespoke offerings to customers, the intention of this DPIA is to provide an assessment for the core technical infrastructure and sharing processes that are common to the Sensely UK Ltd service, namely the Ask NHS provision. The Sensely UK Ltd Data Protection Officer will then be in a position to identify whether a new or revised DPIA is required for each customer where a deviation from the core product exists.

1 At the time of assessment, the ICO code was a final version, yet to be laid in Parliament and, whilst not in force, the code will be used as a basis for privacy by design for this Ask NHS functionality.

‘Regulation 2016/679 (GDPR) applies from 25 May 2018. Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), as well as Directive 2016/680.

A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them).’


This approach is in line with GDPR article 35(1);

GDPR article 35(4) and recitals 71, 75 and 91 provide some examples of processing that pose a high risk to the rights and freedoms of data subjects and therefore warrant a DPIA.

Summarily these are;

1. Evaluation such as profiling and prediction, in particular health, behaviour, location or movements

2. Automated decision-making with legal or similarly significant effect: processing that aims at taking decisions on data subjects which produce legal effects or similarly significantly affect them, such as exclusion or discrimination.

3. Systematic monitoring: processing used to observe, monitor or control data subjects.

4. Sensitive data: this includes special categories of data as defined in Article 9 (such as health).

5. Data processed on a large scale: the GDPR does not define what constitutes large-scale but the Working Party 29 guidance puts forward the following for consideration;
   a. the number of data subjects;
   b. the volume of data;
   c. the duration, or permanence, of the data processing activity;
   d. the geographical extent of the processing activity.

6. Datasets that have been matched or combined, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that the data subject might not expect.

7. Data concerning vulnerable data subjects: the processing of this type of data can require a DPIA because of the increased power imbalance between the data subject and the data controller, meaning the individual may be unable to consent to, or oppose, the processing of his or her data.

‘a single assessment may address a set of similar processing operations that present similar high risks’


8. Innovative use or applying technological or organisational solutions, like combining the use of fingerprint and face recognition for improved physical access control, etc. The GDPR makes it clear (Article 35(1) and recitals 89 and 91) that the use of a new technology can trigger the need to carry out a DPIA.

9. Data transfer across borders outside the European Union.

For the purposes of this assessment, it would appear that examples 1, 2, 3, 4, 5, 6, 7 and 8 are relevant and so a DPIA is determined to be necessary.

4. Information Assets

The Sensely UK Ltd service is built around 5 key information assets;

1. RedCentric Application Server
2. RedCentric Database Server
3. Clinician UK
4. AWS EDM

5. Processing Activities

App Registration
User Spine Matching
Link to GP System
Provision of Symptom Checker Service
Direction to 111 Service
GP Appointment Booking

Sensely UK has developed a Processing Activities Log, in line with GDPR Article 30, that identifies all processing activities that involve personal data across the business. The log identifies the lawful basis, information rights, sharing partners and security measures.

6. Overseas Information Flows

The Sensely servers are located in the UK and all processing of personal data occurs here.

There is no personal data, submitted via the app, held within the UK servers or software that are accessed from the US or other non UK locations.

Where a data subject raises a support ticket such as withdrawing consent, raising a technical issue or making an information rights request, this information will be logged within the Jira system and accessed from the US by the Operations Manager. These types of transfers are necessary to satisfy the contract in place with the App user since they are provided with the option to make these requests and to withdraw their consent so the appropriate derogation for the international transfer is assessed to be Article 49 (1) (b). Additionally, these types of transfers are perceived to be exceptional and occasional and as such the risk to the rights and freedoms of individuals is low.

Risk assessment

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk: There is a risk that the international transfers are occurring by virtue of access to Sensely UK data, servers or software by US staff members. These would not be subject to an appropriate safeguard as defined under Articles 44 to 50. This would result in a risk to the rights and freedoms of individuals and a breach of the lawfulness and transparency principles.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: DPO has confirmed that no Sensely UK personal data collected via the app and held in servers or software are accessed by US staff members and that no data is transferred internationally. International transfers made via the JIRA (customer support) software are assessed to align with a suitable derogation under Article 49.
Effect on risk: Eliminated
Residual risk: Low
Measure active and approved by DPO: TBC

Comment (Emma Cooper, 09/04/20): Roger to initial and date

7. Controllers and Processors

It is important that a determination is made about the role that sharing partners hold in respect to data protection legislation. The ICO explains that “It is important that the various organisations involved in a data processing activity establish their roles and responsibilities … This will help to ensure that there are no gaps in organisations’ responsibilities”2

Non-Commissioned Locations

Where the services are provided outside of any commissioning arrangement with healthcare partners, Sensely UK is clearly the Data Controller. For these services, they have exercised control over the purpose and manner of processing, the lawful basis and have been solely responsible for giving effect to the rights of individuals.

Since there are no other parties involved in this part of the Ask NHS product provision, and Sensely UK has an independent relationship with the data subject, prior to any sharing with the healthcare partners, Sensely UK clearly has autonomy.

Sensely UK has determined the information it will require to deliver the service prior to engagement with any third party, such as the EMIS ID and Spine Matching. Its service is designed and operated independently.

Commissioned Locations

In some areas, the Ask NHS service has been commissioned by healthcare partners to cover the specific patient population there. Whilst the Ask NHS service has already been designed with a degree of autonomy and an independent relationship with the patient exists, the presence of commissioning bodies who can direct the purpose and manner for processing of the personal data generated lends itself to Sensely UK acting as a Processor. In these circumstances, Sensely UK will be directed by the customer with regards to the shape of the service and the collection and use of the personal data therein.

2 https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf


Giving effect to Data Subject Rights

Since the healthcare partners are not in a position to provide oversight for obtaining lawful consent, they are not able to give effect to the rights in relation to withdrawal of consent and objection. They cannot exercise control over requests for access to data held within the Ask NHS since they cannot make decisions about any exemptions that may apply due to a lack of insight into Sensely UK operations and the direct relationship between the App user and Sensely UK.

For commissioned areas, where Sensely UK is acting as Processor, it is understood that the responsibility for obtaining lawful consent and for giving effect to patient rights has been delegated and Sensely UK will collaborate with any audit necessary to demonstrate their compliance.


Risk assessment

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk: There is a risk that the pressure exerted by NHS Digital to establish Sensely as a Processor rather than a Controller in accordance with their previous assertions has resulted in an inaccurate definition of the Controller Processor relationship. This risks the GP Controllers not having adequate oversight of processing activities.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: Controller and Processor relationships defined in line with the direction provided by NHS Digital. Sensely has attempted to allocate data protection responsibility however this should be reviewed by the GP practice as Controller.
Effect on risk: Reduced
Residual risk: Low
Measure active and approved: RD (21/10/2020)

Risk: There is a risk that the Processor is not engaged by virtue of an Art 28 compliant processing contract. This could result in the Processor managing data subjects’ personal data improperly.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: Since NHS Digital has redefined the Controller Processor relationship for the project, there is a need to draft and provide Processing Contracts for GP customers in commissioned areas.
Effect on risk: Pending
Residual risk: Pending

8. Lawfulness

GDPR Art.6(1) provides that in order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another lawful basis. This section will therefore explore the lawful basis for processing and identify how that lawful basis is satisfied.

Reviewer comment (Richard Birmingham, 08/10/20): Where the GP is the data controller the lawful basis will be that of the controller which is public task/medical treatment. Your initial account management may use consent but if you are a processor you will be using the lawful basis of the controller. You cannot uphold consent rights once the GP is the controller. I see you have mentioned this below but the majority of your processing will not use consent as the lawful basis. If you have considered this then you do not need to act on this comment.

Reply (Emma Cooper, 21/10/20): Thanks Richard. A large number of our users are in non-commissioned areas so the GP is not the Controller here and the lawful basis is consent. But, as you say, we have included some information about the public task / medical purposes basis below so believe we are covered.

The lawful basis for the processing of Personal and Special Categories of data collected from the App user (data subject) through the App interface (whether mobile or web), has been identified as;

Art.6(1)(a) - the data subject has consented to the processing

And

Art.9(2)(a) The data subject has given explicit consent.

GDPR provides that consent must be freely given affirmative action, unambiguous, specific, informed, accessible and distinguishable from other matters, evidenced and provide the ability to withdraw consent.

Freely Given Affirmative Action

In order for consent to be freely given, data subjects must have a genuine choice. For Sensely UK Ltd, data subjects that do not use the service will not experience any reduction or alteration to the service delivered by healthcare providers as a result. There is no element of their healthcare that is ‘conditional’ on the use of the service and no indication of a ‘power imbalance’ as described at GDPR Rec.32, 43; Art.7(4). Sensely UK Ltd provides the data subject with the genuine choice to make use of the Ask NHS App as a tool for signposting and information but, if not used, information can still be made available to them, or to those involved in their care, through the current, albeit less integrated, methods.

Unambiguous

GDPR provides that consent can be obtained by any appropriate method but that consent must be given by a statement or a clear affirmative action and that opt-out, silence, inactivity, failure to opt out, or ‘passive acquiescence’ would not constitute valid consent3.

Users of the Sensely UK Ltd App, having read both the Privacy Policy and the Terms of Service must confirm that they have read the privacy policy and wish to proceed by clicking the 'I Agree' button. They may not continue with their registration until these actions are completed.

3 Rec.32 and Art.7(2)


Specific

The WP29 (EDPB) has clarified (in Opinion 15/2011) that, in order to be specific, consent must be intelligible and that the controller must be clear and precise in its explanation of the scope and consequences of data processing.

In addition, consent must not apply to a set of open-ended processing activities, rather it should be limited to specific context.4 Sensely UK Ltd provides a comprehensive and specific privacy policy that describes the information flows and uses for the information provided by or about the user. The policy describes the primary uses for the information as well as technical / quality processes and marketing activities.

Informed

Consent must be ‘informed’ and so Sensely has ensured that all processing activities identified in the Article 30 Processing Activities Log are included in the privacy policy and therefore the data subject is aware of all the activities they are consenting to. This includes sharing partners such as Data Processors.

Accessible and Distinguishable from Other Matters

This means that the nature of the processing should be described in an intelligible and accessible form, using clear and plain language5. The explanation should include the identity of the controller and the purposes for which the personal data will be processed.

At present, the privacy policy is available in the form of the written policy on the website as well as a video which provides information about who the Controller is and who the key sharing partners are.

The Terms of Service are separate from the Privacy Policy thus rendering them distinguishable. This provides the user with an opportunity to consider their agreement to both the use of the App and the information sharing associated with the App usage separately.

4 https://www.whitecase.com/publications/article/chapter-8-consent-unlocking-eu-general-data-protection-regulation

5 Rec.32, 42; Art.4(11), 7(1)

In line with the recommendations of the WP29 (EDPB) Opinion, the policy avoids the use of the word “may” to remove ambiguity. The policy is broken down into headed sections to allow the user to find the information they seek. The use of icons is incorporated to provide a visual guide and technical language is avoided. The document is written with intention to reduce “information fatigue”.

Videos provide another option for users where text might prevent them accessing the information and the Icon versions support individuals with learning difficulties as well as children and young people.

Evidenced

Since the user is not able to proceed with accessing the App without having provided consent, the existence of an account is deemed to be evidence of consent.

Provide the ability to withdraw

Article 7 (3) provides that

“The data subject shall have the right to withdraw his or her consent at any time. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent”

The Sensely UK Privacy Policy makes it clear that the individual may withdraw their consent at any point and provides a mechanism to achieve this, whereby the data subject emails Sensely to request withdrawal. Sensely has a protocol in place to respond to such requests. There are plans to automate this further, such that withdrawal would be as easy as provision of consent.

Where Sensely is acting as a Processor on behalf of the GP Practice, the lawful basis is defined by the GP Practice as Controller and likely to be;

Article 6 (1) (e) Public Task

Article 9 (2) (h) Medical Purposes


Risk assessment

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk: There is a risk that consent is not specific and therefore does not satisfy the four legal components of lawful consent. This may result in the project being without lawful basis.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The Privacy Policy must be updated to reflect NHS Log In, NHS App and Video Consultations.
Effect on risk: Pending
Residual risk: Pending

Risk: There is a risk that consent is not informed and therefore does not satisfy the four legal components of lawful consent. This may result in the project being without lawful basis.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The Privacy Policy must be updated to reflect NHS Log In, NHS App and Video Consultations. The privacy policy should ideally be supplemented with the video.
Effect on risk: Pending
Residual risk: Pending

Risk: There is a risk that consent is not unambiguous and therefore does not satisfy the four legal components of lawful consent. This may result in the project being without lawful basis.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The Privacy Policy must be updated to reflect NHS Log In, NHS App and Video Consultations.
Effect on risk: Pending
Residual risk: Pending

Risk: There is a risk that commissioners or controllers may request uses or disclosures of the data that have not been anticipated and are therefore not part of the consent provided by data subjects.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The processing contract must make it clear to Controllers that, when a data subject withdraws consent, their details will be removed from the Sensely servers through de-identification. Alter the consent process so that it is made clear that data subjects are consenting to their information being shared with the healthcare provider where they are within a commissioned location.
Effect on risk: Pending
Residual risk: Pending

9. Legitimacy

Rec.50; Art.5(1)(b) provides that;

‘Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes’.

Whilst there may be a lawful basis for processing information about the data subject, there is still a need to ensure that each activity is legitimately required for the purposes of delivering the service to which the data subject has consented and that it is included in the privacy materials.

The Processing Activities Log is scrutinised regularly at appropriate governance groups to ensure that there is no “mission creep” where growth and development of the business might result in unexpected uses of the data that the data subject has not consented to. Additionally, for any reports or data extracts required by customers, a Data Report Review Form is required to be completed. This form is reviewed by the Data Protection Officer who will provide advice in relation to whether the disclosure aligns with the lawful basis for processing.

The core processing activities are explored below;

Processing Activity: NHS Log In
Rationale / legitimisation: Supports single sign-on across various NHS services including NHS App
Present in privacy notice? In initial paragraph of redraft V2

Processing Activity: NHS App
Rationale / legitimisation: Allows the user to create an NHS App account to access various NHS Services
Present in privacy notice? Currently only contains details of NHS Login. Presume NHS App notices will be within the NHS App.

Processing Activity: User Spine Matching
Rationale / legitimisation: Spine matching is required to allow integration with NHS systems. It supports data quality and validation of identity.
Present in privacy notice? Under “How Does Sensely Use My Information?”

Processing Activity: Link to GP System
Rationale / legitimisation: Linking to the GP system allows the data subject to use some of the offered functionality such as booking appointments
Present in privacy notice? Under “How Does the App Use My Information?”

Processing Activity: Provision of Symptom Checker Service
Rationale / legitimisation: This is the core of the product; it allows the data subject to check their symptoms and
Present in privacy notice? Under “How Does the App Use My Information?”

Processing Activity: Direction to 111 Service
Rationale / legitimisation: Directing to the 111 service is an optional element available to the data subject and a core part of the provided service
Present in privacy notice? Under “How Does the App Use My Information?”

Processing Activity: GP Appointment Booking
Rationale / legitimisation: Booking a GP appointment is an optional element available to the data subject and a core part of the provided services
Present in privacy notice? Under “How Does the App Use My Information?”

Processing Activity: Video Consultation
Rationale / legitimisation: The video consultation service is an optional element available to the data subject and an additional part of the provided services
Present in privacy notice? Under “What Information is Collected During Video Calls?”

Processing Activity: Admin Requests
Rationale / legitimisation: Pending
Present in privacy notice? Pending

Processing Activity: Long Term Conditions
Rationale / legitimisation: Pending
Present in privacy notice? Pending

Risk assessment

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Risk: There is a risk that the various uses of the App are not legitimised and made apparent to the data subject. This poses a risk to the rights and freedoms of data subjects.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The Privacy Policy must be updated to reflect NHS Log In, NHS App and Video Consultations.
Effect on risk: Pending
Residual risk: Pending

Risk: There is a risk that growth and development of the project results in mission creep and unexpected uses of the personal data. There is a risk that the processing activities log is not regularly maintained such that it can be made available to the ICO on request.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: DPO has confirmed that the PAL is regularly reviewed at the appropriate governance group such that it may be made available to the ICO on request.
Effect on risk: Eliminated
Residual risk: Low

10. Data Minimisation

The Symptom Checker provides the users with a dynamic questionnaire, the questions of which have been authored and governed by the Sensely UK clinical steering group in association with the Advanced Clinical Knowledge Unit. The questions are periodically reviewed for accuracy through end-to-end audits and patient and clinician testing; this serves to ensure that all questions are necessary for the intended purpose and that superfluous information is not being collected.

Regarding other data fields collected, a rationale has been provided below to demonstrate that the minimum necessary data has been collected to deliver the intended and consented purposes;

Title: Full Name
Collection Source: Data Subject Account Creation
Use / rationale: Necessary for the user to have a unique account; necessary for identity validation; necessary to link with health record

Title: Gender
Collection Source: Data Subject Account Creation
Use / rationale: Necessary for dynamic questions (i.e. could you be pregnant?)

Title: DOB
Collection Source: Data Subject Account Creation
Use / rationale: Necessary for identity validation; necessary for dynamic questions (i.e. could you be pregnant?)

Title: Postcode
Collection Source: Data Subject Account Creation
Use / rationale: Necessary for identity validation; necessary to establish locality for advice (i.e. nearby pharmacy)

Title: Email address
Collection Source: Data Subject Account Creation
Use / rationale: Necessary to validate identity; necessary to provide individual with outcome of questionnaire

Title: Password
Collection Source: Data Subject Account Creation
Use / rationale: Necessary to secure account

Title: Full Address
Collection Source: Returned from Spine Matching
Use / rationale: Necessary for the user to have local services signposted to them; necessary for identity validation

Title: EMIS No
Collection Source: Linkage with GP System
Use / rationale: Necessary to support integrated functionality

Title: Health Information Symptoms
Collection Source: Data Subject Entry
Use / rationale: Core element of the service

Title: NHS Number
Collection Source: Spine Matching
Use / rationale: Mandatory identifier in health and care

Title: Audio File
Collection Source: Data Subject Entry
Use / rationale: Necessary to support verbal option within the App (where selected by user)

Title: Weight
Collection Source: Data Subject Connected Device Use or Data Entry (Long Term Conditions)
Use / rationale: Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Title: Blood Pressure
Collection Source: Data Subject Connected Device Use or Data Entry (Long Term Conditions)
Use / rationale: Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Title: Smoking Status / E-cigarette use
Collection Source: Data Subject Entry (Long Term Conditions)
Use / rationale: Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Title: Alcohol Consumption
Collection Source: Data Subject Entry (Long Term Conditions)
Use / rationale: Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Title: Physical Activity
Collection Source: Data Subject Entry (Long Term Conditions)
Use / rationale: Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Title: Carer status
Collection Source: Data Subject Entry (Long Term Conditions)
Use / rationale: Necessary to support additional elements of the service;

Page 20: Sources · Web view(2) Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection

to provide symptom checking, signposting or triage services

Free text goal setting Data Subject Entry (Long Term Conditions)Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Free text request Data Subject Entry (Admin Requests)Necessary to support additional elements of the service; to provide symptom checking, signposting or triage services

Confirmation of relation to child and confirm that they hold parental responsibility

Entry by parent or guardian where account opened for under 16s

Necessary to identify where account relates to a third party below 16 such that information will not be attached to the parent record in error – but rather to the child’s record

Communications usage information: time

During use of video functionalityDetermined by video software provider in their capacity as Controller in their own right (for this data collection)

Communications usage: duration of usage

During use of video functionalityDetermined by video software provider in their capacity as Controller in their own right (for this data collection)

Communications usage: source and destination identifiers

During use of video functionalityDetermined by video software provider in their capacity as Controller in their own right (for this data collection)

Communications usage: completion status

During use of video functionalityDetermined by video software provider in their capacity as Controller in their own right (for this data collection)

Communications usage: IP During use of video functionality Determined by video software provider in their capacity

Page 21: Sources · Web view(2) Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection

address as Controller in their own right (for this data collection)Communications usage: amount of usage.

During use of video functionalityDetermined by video software provider in their capacity as Controller in their own right (for this data collection)

11. Records Retention

Article 5 provides that personal data be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…”

Sensely has documented its consideration of how long records should be retained in certain circumstances. In summary, the App record will remain active regardless of whether the user appears "active"; this is because the App is for use when the individual is experiencing symptoms and requires signposting or information. This is not a daily activity and, in the same way as one may not visit their GP for months or years, it follows that the user may not access the App for long periods of time but still wish for it to be available to them when needed.

Instead, the user is made aware of their right to close their account at any time, thus withdrawing consent. Following a systematic review of each processing activity, it was determined that there is no compelling (or legal) reason for Sensely to retain the user's personal data beyond their direct engagement with the App.

The table below therefore describes the agreed process for anonymising the user's data in the event that consent is withdrawn.

Record: User App Account
Owner: Director
Description: Personal data collected and retained as a single unit pertaining to the App usage of a specific individual.
Retention period trigger: User requests account closure / erasure of personal data.
Action: De-activate, anonymise and inform data subject.
Anonymisation / de-identification process:

The following data categories are removed:
1. Surname
2. First name
3. Email address 1
4. Email address 2
5. Home address
6. Phone number
7. EMIS ID
8. User's device ID
9. NHS No

The following data categories are amended:
10. Date of Birth, converted to age
11. Home Post Code, converted to outer postcode

The following data categories remain:
12. Gender

It is determined that an individual cannot be identified through gender, outer postcode and age, and therefore the information is no longer personal data.

Method of review and destruction: See Information Rights and Access Protocol.

In response to such a request, the data items set out above are removed, thus rendering the information anonymous (such that the data subject is not or no longer identifiable pursuant to Recital 26).
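The erasure process set out in the table, as an added worked example that is not Sensely's own code: it applies the listed removals and generalisations to a user record, and then checks the conclusion that the retained gender, outer postcode and age are no longer identifying by measuring the k-anonymity of what remains. The field names, the reference date and the sample records are assumptions made for illustration.

```python
"""Anonymisation-on-erasure for a user App account, as set out in the
Records Retention table, plus a k-anonymity check on what remains.

Added example; not Sensely code. Field names, the sample records and the
reference date are assumptions made for illustration."""
from collections import Counter
from datetime import date
import re

# Direct identifiers the DPIA lists as removed outright (items 1-9).
REMOVED_FIELDS = (
    "surname", "first_name", "email_1", "email_2", "home_address",
    "phone_number", "emis_id", "device_id", "nhs_number",
)

# Outward code = the part of a UK postcode before the space, e.g. 'SW1A'.
_UK_POSTCODE = re.compile(r"^\s*([A-Z]{1,2}[0-9][A-Z0-9]?)\s*([0-9][A-Z]{2})?\s*$")

TODAY = date(2020, 8, 1)  # assumed reference date for the age calculation


def outward_code(postcode: str) -> str:
    """Item 11: reduce a full postcode to its outward (district) code."""
    m = _UK_POSTCODE.match(postcode.upper())
    if not m:
        raise ValueError(f"unrecognised UK postcode: {postcode!r}")
    return m.group(1)


def age_on(dob: date, today: date) -> int:
    """Item 10: convert a date of birth to an age in whole years."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def anonymise(record: dict, today: date = TODAY) -> dict:
    """Apply the erasure process: drop direct identifiers, generalise DOB to
    age and postcode to outward code, leave gender (item 12) untouched."""
    out = {k: v for k, v in record.items() if k not in REMOVED_FIELDS}
    out["age"] = age_on(out.pop("date_of_birth"), today)
    out["outward_code"] = outward_code(out.pop("home_postcode"))
    return out


def k_anonymity(records, quasi=("gender", "outward_code", "age")) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one retained record is unique on (gender, outward
    code, age), so the 'no longer personal data' conclusion does not hold
    for that record without further generalisation (e.g. age bands)."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values()) if groups else 0


def _user(surname, first, gender, dob, postcode, sessions):
    # Constructed placeholder values; none of these belong to a real person.
    return {
        "surname": surname, "first_name": first, "email_1": f"{first.lower()}@example.com",
        "email_2": None, "home_address": "1 Example Street", "phone_number": "07700 900000",
        "emis_id": "E-0001", "device_id": "dev-0001", "nhs_number": "000 000 0000",
        "gender": gender, "date_of_birth": dob, "home_postcode": postcode,
        "symptom_sessions": sessions,
    }


# Constructed sample pool (not real users). Two records share the same
# quasi-identifiers after anonymisation; the third is unique on them.
SAMPLE_RECORDS = [
    _user("Smith", "Jane", "F", date(1975, 3, 14), "sw1a 1aa", ["sore throat"]),
    _user("Jones", "Mary", "F", date(1975, 1, 2), "SW1A 2AA", ["headache"]),
    _user("Brown", "Tom", "M", date(1933, 6, 30), "EX33 1AB", ["chest pain"]),
]


def residual_identifiability(records=SAMPLE_RECORDS, today=TODAY) -> int:
    """Run the erasure process over a pool and report its k-anonymity."""
    return k_anonymity([anonymise(r, today) for r in records])


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(anonymise(r))
    print("k-anonymity of retained data:", residual_identifiability())
```

The check matters because the table's conclusion holds only where every retained combination of gender, outer postcode and age is shared by enough other records: in the constructed pool the two women in SW1A are indistinguishable, but the 87-year-old man in EX33 is unique, and a review under the Information Rights and Access Protocol would need to generalise further (age bands, or dropping the outward code for sparse districts) before treating his record as anonymous.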

12. Data Subject Rights

Where consent is the lawful basis for processing personal data, data subjects have the following rights:

- Right to be Informed
- Right to Object
- Right to Portability
- Right to Rectification
- Right to Withdrawal of Consent
- Right to Erasure
- Right to Access

Right to be Informed

Article 12 provides that the individual has a right to transparent communication that is concise, easily accessible and clear. As discussed under section 6, there are various measures in place to ensure that the individual is providing informed consent and that the transparency requirements of GDPR are satisfied.

Additionally, Article 12 provides that there should be measures in place to give effect to data subjects' rights. This is discussed in more detail below.

Recital 60 refers to the use of visualisation tools such as icons, and these have been incorporated into the Sensely UK Privacy Policy. The policy was moved from the bottom of the page to the top to ensure greater accessibility.

Recital 60 also provides that the notice should discuss profiling and automated decision-making; this has been incorporated into the Sensely policy within its own section.

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. Each row records the inherent likelihood of harm, inherent severity of harm and inherent overall risk, the options to reduce or eliminate the risk, the effect on the risk and the residual risk.

Risk: There is a risk that the consent of children between 16 and 18 is invalid since it is missing the 'informed' element, such that the consent would then be unlawful.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The Privacy Policy shall be updated to include the videos created for children and young people.
Effect on risk: Pending
Residual risk: Pending

Risk: There is a risk that Sensely is not giving effect to patients' right to be informed by not being transparent about the use of a sub-processor for video conferencing purposes.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The Privacy Policy shall be updated to reflect NHS Log In, NHS App and Video Consultations.
Effect on risk: Pending
Residual risk: Pending

Right to Object, Withdrawal of Consent and Erasure

Article 21 provides that

"The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her … including profiling …. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims"

It was considered that Sensely may have a requirement to retain information beyond the period of consent in order to establish a defence to legal claims. However, as the App is not determined to be a medical device and its action is merely signposting, it was concluded that claims of medical negligence, for example, would not be possible. Ultimately it was decided that, where an individual requests erasure of their personal data through withdrawal of consent, Sensely UK will give effect to that right.

These three rights are grouped together as the process is largely the same. Individuals are provided with the details of the Data Protection Officer within the Privacy Policy in order to make information rights requests.

The Product Team maintains a log of information rights requests to ensure that the organisation is able to monitor compliance with legal timeframes and that Sensely is appropriately giving effect to data subjects' rights.

The process is described under Section 11 'Records Retention'.

Right to Rectification

At present, the data subject is not able to make amendments directly through their profile, but this has been raised as a development ticket. This is due to the potential complexity of breaking the match with NHS Spine data and the individual losing functionality in the App because they have not updated their details with their NHS providers.

Data subjects can, however, email a request for their information to be corrected through the Data Protection Officer, and there are SOPs in place to ensure a prompt and consistent response in line with Article 16.

Right to Access

Individuals have the right to access their personal data; this right helps individuals to understand how and why Sensely is using their data, and to check that it is doing so lawfully.

Individuals are able to contact Sensely to request access to their information, although there is little information that they do not already have access to by virtue of the App itself.

Users can access their profile information as well as having the symptom checker outcome emailed to themselves.

Data subjects are made aware of this right in the Sensely UK privacy policy.

Right to Portability

As with the right to access, Sensely is able to provide machine-readable copies of the personal data held within the App and send them to an alternative provider of the data subject's choice.

Data subjects are made aware of this right in the Sensely UK privacy policy.

13. Accuracy / Data Quality

The majority of information collected via the application comes from data subjects themselves. Data subjects can email a request for their information to be corrected through the Data Protection Officer, and there are SOPs in place to ensure a prompt and consistent response in line with Article 16.

JIRA tickets are regularly raised and reviewed where the algorithms are seen to be producing outputs that are considered inaccurate or inappropriate, so a process of continual improvement is in place.

The Symptom Checker provides users with a dynamic questionnaire, the questions of which have been authored and governed by the Sensely UK clinical steering group in association with the Advanced Clinical Knowledge Unit. The questions are periodically reviewed for accuracy through end-to-end audits and patient and clinician testing.

The Sensely UK Clinical Steering Group will also review the outcome of user interaction with the application to scrutinise whether the correct signposting was delivered by the tool. Any anomalies will be fed back to the development team for improvement.

14. Children and Young People

- Research indicates that people's biggest data protection concerns rank children's privacy second only to cyber security.
- Organisations should conform to the code and demonstrate that their services use children's data fairly and in compliance with data protection law.
- Settings must be "high privacy" by default (unless there is a compelling reason not to); only the minimum amount of personal data should be collected and retained.
- The code is a set of 15 flexible standards that aim to ensure the best interests of the child are the primary consideration when designing and developing online services.

ISS Assessment

An information society service (ISS) is defined as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".

- The Ask NHS service is provided 'at a distance' because the service is provided without the parties being simultaneously present.
- The Ask NHS service is provided 'by electronic means' since it is delivered via a software application.
- The Ask NHS service is 'at the individual request of a recipient of services' because the service is provided through the transmission of data on individual request.

The code makes it clear that "even if the 'remuneration' or funding of the service doesn't come directly from the end user"6, the service would still fall within the definition of an ISS. The code also indicates that "If you are a public authority which provides an online public service then, as long as the type of service you offer is not typically provided on a commercial basis your service is not a relevant ISS". However, since Sensely operates as a Data Controller, with a data subject relationship that is, at least initially, distinct from the healthcare providers comprising its commissioning and remunerating customers, it appears more likely that Ask NHS would be considered an ISS.

That said, s 123 provides that the code does not apply to websites or apps specifically offering online counselling or other preventive services (such as health screenings or check-ups) to children. Whilst Ask NHS could broadly be considered to be an ISS in the way that it is delivered, the nature of the service delivered (symptom checking and appointment booking services for patients, including children) places its services within the s 123 exception of "counselling and preventative services", and so it is not directly subject to the code.

6 https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf

In providing an ISS, the expectation is that children younger than 13 are required to provide consent via a person with parental responsibility. This is not the case for websites or apps specifically offering online counselling or other preventive services (such as health screenings or check-ups) to children. The ICO provides that parental consent should not be required for a child (13+) to use the service; an adult with parental responsibility may nevertheless use the App on behalf of their child. This means that, in usual circumstances, children of all ages should be able to use the App and should not be required to obtain parental consent. However, consultation with clinicians during the development phase concluded that, due to safeguarding concerns (clinical assessment held separately), allowing children younger than 16 posed too high a risk and should not be pursued at this time. The App is therefore made available to:

- A parent or legal guardian, who may create an account in Ask NHS for their child from ages 0-16
- A child aged 16 and above, who creates an account for themselves

Use of the App by an Adult with Parental Responsibility

Since children are generally considered to have competence to make information sharing decisions at 13, and could be considered competent at an even younger age, it is necessary to ensure that:

- Ask NHS takes reasonable steps to ensure that the adult creating an account for the child does indeed have parental responsibility
- Ask NHS takes reasonable steps to ensure that the person holding parental responsibility is aware of the child's rights and is creating the account with their knowledge and consent

Measures should be put in place that reduce the risks of infringing on the rights of children to an acceptable level. The risk should be balanced with the interest in allowing parents to use services to check their child's symptoms as they would their own, particularly where the child is very young or is lacking in capacity for other reasons.

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. Each row records the inherent likelihood of harm, inherent severity of harm and inherent overall risk, the options to reduce or eliminate the risk, the effect on the risk and the residual risk.

Risk: There is a risk that the Sensely Ask NHS App can be used by someone without parental responsibility.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Low
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The App now includes a statement which requires the user to indicate who they are in relation to the child and confirm that they hold parental responsibility. Sensely UK places the onus on the practice to validate that the person submitting is recorded as someone with parental responsibility before committing to the health record or otherwise acting on information provided.
Effect on risk: Reduced
Residual risk: Low

Risk: There is a risk that the Sensely Ask NHS App can be used by someone with parental responsibility but for a child without the consent or knowledge of the child, and therefore without giving effect to the rights of the child.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Moderate
Inherent overall risk: Moderate
Options to reduce or eliminate risk: The App includes a statement that makes the adult user aware of children's rights and asks them to confirm (positive affirmation) that the child is either aware and consenting or does not have capacity to consent. Sensely UK places the onus on the practice to validate that the child (particularly a child aged 13+) is involved in information sharing decisions moving forward.
Effect on risk: Reduced
Residual risk: Low

Use of the App by a Child or Young Person Independently (16 to 18)

The BMA guidance '0 – 18 Years: Guidance for All Doctors' asserts that children and young people should have a direct route to healthcare and that doctors should "make it clear that you [they] are available to see children and young people on their own if that is what they want". The guidance discusses the importance of the rights of young people and the need to ensure they can access services without a chaperone where that is their preference. This is supported by the s 123 DPA exception for "preventative and counselling services", which permits these online interactions by children and young people without parental oversight.

Since Ask NHS is not being made available to children younger than 16 without parental consent, it is considered that younger children will need to access health services through more traditional routes. For children between 16 and 18, the design must be such that it complies with the ICO code around children and consent and minimises the risk to the rights and freedoms of the child.

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. Each row records the inherent likelihood of harm, inherent severity of harm and inherent overall risk, the options to reduce or eliminate the risk, the effect on the risk and the residual risk.

Risk: There is a risk that a child (16 to 18) is not informed and therefore the consent they provide is invalidated.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Low
Inherent overall risk: Moderate
Options to reduce or eliminate risk: Sensely UK has provided a privacy notice that is directed at children and young people, such that they are able to understand the consent they are giving.
Effect on risk: Reduced
Residual risk: Low

Risk: Data protection law provides that an individual's right to erasure is particularly relevant if they gave their consent to processing when they were a child. There is a risk that the exception to the right to erasure in place for health information is not made clear to the child when disclosing their information.
Inherent likelihood of harm: Moderate
Inherent severity of harm: Low
Inherent overall risk: Moderate
Options to reduce or eliminate risk: Ensure that the right to erasure is drawn out in particular within the 'child friendly' privacy notice.
Effect on risk: Reduced
Residual risk: Low

15. Profiling and Automated Decision Making

Data protection law has provisions on automated individual decision-making (making decisions solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).

GDPR Article 22 protects individuals where a controller is carrying out solely automated decision-making that has legal or similarly significant effects on them.

A legal effect is something that adversely affects someone's legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

The ICO advises that, if the processing does not match this definition, then profiling and automated decision-making can continue to be carried out.

For the Ask NHS App, there appears to be no automated decision-making involved, since the decision about whether to follow any signposting or to engage with healthcare providers via the App is made by the individual.

There is clearly profiling taking place, since the algorithm used will identify choices that are appropriate for the individual based on their responses; however, the resulting decisions are made by the individual, and the profiling itself does not result in an impact on the legal rights of the individual nor any significant negative effect for those having decisions made about them. Where a clinician has identified a risk and feels an intervention or care option is appropriate, the individual being profiled is likely to benefit from any decisions made. Additionally, the data subject retains choice and control over whether to take up the options provided to them, such as referral to a third-party healthcare provider.

Since the processing does not fully match the definition, it is concluded that the processing can proceed without the additional restrictions under Article 22, whilst ensuring that information rights and transparency requirements are observed.

16. Direct Marketing

Recital 70 provides that,

"Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information"

Sensely UK has a separate section within the privacy policy related to direct marketing and makes clear the two types of activity that may take place. These are:

1. Using App User contact details to email them about new features and updates in relation to the App itself, to request feedback or to send surveys to find out if the App is working well for them and how they used it. Users are provided with an opportunity to object to this usage by virtue of an unsubscribe link in each communication. A suppression list is maintained to ensure that individuals are not contacted again once they have opted out of such messages.

2. Sharing App User personal data with third-party analytics or marketing organisations (for example via cookies, Google Analytics and Facebook).

The DPO has confirmed that there are currently no direct marketing activities taking place.

17. Privacy by Design

This document represents a comprehensive consideration of privacy and how it is built into the App, in particular with reference to the changes brought by GDPR / DPA 2018.

Moving forward, Sensely UK has a Change Management Policy which ensures that changes made by any area of the business are considered against a threshold of impact (this includes privacy). It provides a consistent approach to triggering a Data Protection Impact Assessment. A DPIA protocol is also in place, allowing employees to determine whether a change warrants a DPIA and should therefore be referred to the Sensely UK Data Protection Officer (DPO).

18. Technical and Organisational Measures to Protect Data

Systems Training

All workforce members are instructed on how to use systems appropriately. This instruction is appropriate for their job function and the systems they need to use as part of their workday. Training is available for end users, both healthcare providers and App users, to ensure proper use of systems and applications and to ensure correct data entry. Data are validated against their source, with the use of secure transmission protocols and encryption.

Each data integration workflow includes error handling.

Physical Loss

Any filesystem that could potentially store sensitive information is encrypted at the filesystem level using the AES-256 standard. Sensely has implemented encryption at rest in the backend database. All data in motion are encrypted via TLS 1.1 or greater. (TLS 1.0 and 1.1 have since been formally deprecated by RFC 8996; a current review should require TLS 1.2 as the minimum.)

Protection from Cyber Attack

Sensely uses Suricata as an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Suricata is open source IDS/IPS software developed by the Open Information Security Foundation (OISF).

Backup and Recovery Procedures in Place to Protect Data

There are two MySQL databases, one in the US and one in the UK. Each of these databases is configured as a Master + Slave pair, with near real-time replication (less than 1 second behind).

In addition, nightly backups are encrypted and stored on their host system for up to a week, then transferred to AWS Glacier for long-term storage.

Secondary systems such as redundant power supplies and air conditioning are in place to physically protect the data.


Secondary systems such as redundant communications, power, HVAC, alarms, etc. are provided by our Data Processor - Redcentric.

Physical Security (alarm systems, security personnel) in Place to Protect Data

Data are physically protected with multi-layered security including alarm systems, security guards, badged access controls and fire detection and suppression systems. These protections are provided by Redcentric as Data Processor.

Access Control and Authentication

Appropriate user authentication is a critical element of good data protection practice, and s 56 of the Data Protection Act 2018 provides that:

(1) Each controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part.

(2) Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies.

(3) The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary.

Additionally, GDPR Article 5 (1) (f) provides that;

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Essentially, this means that Sensely is required to put in place measures to protect personal data against unauthorised or unlawful access that are proportionate to the level of risk that has been identified.

Assessment Criteria In assessing the level of risk associated with user authentication, Sensely has considered the following;

Page 38: Sources · Web view(2) Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection

1. The likelihood, given the time, cost and effort required, that an individual could gain access to information that might impact on the rights and freedoms of individuals

2. The nature of the information that may be accessed inappropriately

3. The impact that such a disclosure might have on the rights and freedoms of the data subject

GDPR Recital 85 provides that a breach may result in:

physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

Assessment

The current authentication process is:

1. User downloads the Ask NHS App from the App Store or similar
2. User enters name, DOB, gender, postcode and address
3. User creates a password

The password change process is:

1. User requests a change of password via the App log in page
2. A validation email is sent to the original email address
3. The validation email link is clicked to confirm that the password requires changing
4. The link takes the user to a page where the password can be amended
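The password change process above turns on the security of the emailed link: whoever holds the link can set a new password, so the token inside it must be unguessable, short-lived, and usable once. The following is an added illustration of such a token store, written for this report and not Sensely's code. It assumes an in-memory store (the hypothetical ResetTokenStore class), a 15-minute expiry, and that a real deployment would persist the records in a database and deliver the link by email; only a SHA-256 digest of the token is kept at rest, so a copy of the store does not yield usable links.

```python
"""Single-use, time-limited tokens for an email-link password reset flow.

Added example, not the Ask NHS App's own code. ResetTokenStore and the
15-minute TTL are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


@dataclass
class PendingReset:
    token_hash: bytes   # only the SHA-256 digest of the token is stored at rest
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Issue and redeem reset tokens; at most one live token per user."""

    def __init__(self, clock=time.time):
        self._clock = clock                        # injectable for testing expiry
        self._by_hash: dict[bytes, PendingReset] = {}
        self._by_user: dict[str, bytes] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def _forget(self, pending: PendingReset) -> None:
        self._by_hash.pop(pending.token_hash, None)
        self._by_user.pop(pending.user_id, None)

    def issue(self, user_id: str) -> str:
        """Steps 1-2: the user asks for a change; return the secret for the link."""
        # Supersede any earlier link for this user so only the newest one works.
        old_hash = self._by_user.get(user_id)
        if old_hash is not None:
            self._forget(self._by_hash[old_hash])
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        digest = self._digest(token)
        self._by_hash[digest] = PendingReset(digest, user_id,
                                             self._clock() + TOKEN_TTL_SECONDS)
        self._by_user[user_id] = digest
        return token

    def redeem(self, token: str) -> str | None:
        """Steps 3-4: the link is clicked. Return the user_id if the token is
        valid, otherwise None. A token is consumed on first use and rejected
        after expiry, whether or not it was ever used."""
        digest = self._digest(token)
        pending = self._by_hash.get(digest)
        # Constant-time confirmation of the stored digest, so the check does not
        # depend on how much of the value matched.
        if pending is None or not hmac.compare_digest(pending.token_hash, digest):
            return None
        if pending.used or self._clock() > pending.expires_at:
            self._forget(pending)                  # expired or replayed: burn it
            return None
        pending.used = True
        self._forget(pending)                      # single use
        return pending.user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_secret = store.issue("user-42")
    print("first redeem :", store.redeem(link_secret))   # user-42
    print("second redeem:", store.redeem(link_secret))   # None
```

The lookup is by digest rather than by user, so the link need carry nothing but the token; issuing a fresh token also retires the previous one, which closes the window in which an attacker who triggered a reset could race the legitimate user.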

Considered Scenarios

1. An account is set up by someone masquerading as the data subject
2. The data subject's phone is lost / stolen, or a family member / partner accesses their existing account

An account is set up by someone masquerading as the data subject

In this example, an individual might use existing knowledge of the data subject (name, DOB, gender, postcode, address) to set up an account in their name and then use the App.


Likelihood - Moderate. It would not take an individual a great deal of effort to set up an account in this way. Such a scenario would require only the prior knowledge described above and access to an Android phone, at no cost. However, this kind of scenario is not commonly reported and there had been no reported incidents of this nature at the time of drafting.

Nature - Low. When setting up a new account, the masquerading individual would gain no new information about the data subject other than confirmation of their registered GP surgery upon completion of spine matching.

Impact - Moderate (relevant Recital 85 harms: loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by obligations of secrecy).

It is envisaged that, where the details required to create an account are in the hands of someone intending to masquerade, the individual has already suffered a loss of control over their data. However, this information is not difficult to come by for most people.

Whilst a determined individual might be able to obtain information about which GP practice the data subject is registered at, it is very likely that, by knowing the person's full address, this information is already obvious given the catchment system (even with outer boundaries) that applies to GP practice registration.

Following the creation of the account, the individual is then able to complete symptom checker questionnaires which might then be sent to the GP to form part of the health record. This could be used as a tool to cause intentional harm to the individual such as through giving false symptoms about stigmatised conditions for example drug addiction or mental health conditions.

The right to privacy is clearly impacted by this scenario, whereby the masquerading individual is able to interfere with the private life of the individual, potentially causing damage to reputation and distress.

Mitigations

On balance, the same outcome could currently be achieved without the App using similar available services. An individual could contact the NHS 111 service or access telephone consultations pretending to be the data subject and provide false information in this way.

The potential for masquerading seems to be inherent to any online service and adding additional measures such as email validation as part of initial registration would not alter the risk.

More technical measures such as biometrics seem, at this stage, to be disproportionate given the minimal amount of data that the individual would have access to in creating a new account.

Barring any potential measures to prevent masquerading when setting up new accounts, this is regarded as an accepted, inherent risk.

The data subject's phone is lost / stolen, and an unknown person seeks to access their existing account

Likelihood - Low. Where a phone is lost or stolen, an individual would need to bypass the password log in function, and phone owners will usually have a password / fingerprint lock on the phone itself as well. To bypass these measures would require technical effort and time. Once the phone has been accessed, it is difficult to identify any motivation for the individual to take such measures to access the Ask NHS App, which offers no financial incentive (the typical motive for theft).

There have been no reported incidents of this nature at the time of drafting the protocol.

Nature - Low. On accessing the existing account, the individual would gain no new information about the data subject other than the profile information and confirmation of their registered GP surgery upon completion of spine matching. The symptom checkers are only sent to the registered email address for the App user and are not stored within the App itself.

Impact - Low (relevant Recital 85 harms: loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by obligations of secrecy).

It is envisaged that, where the details within the App are in the hands of someone who has stolen or found the User's phone, the individual has already suffered a loss of control over their data. However, this is not solely a result of any lack of security within the App; it also depends on the security of the phone itself, which Sensely has no ability to mitigate.

If a determined and skilled individual did bypass the password to obtain information from the App, the Personal Data contained (profile information) is not sensitive data and does not seem to be, by nature, information that could cause damage and distress. If a person has the App User's phone, it is very likely that the information contained within the App profile will also be available elsewhere on the person's device.

The symptom checker does not reside within the App and can only be sent to the registered email address.

Mitigations

Since there is so little information to be gained from inappropriate access, low motivation for access by a stranger and no sensitive information available, the risk related to this type of access is low.

As the functionality of the App develops and the App presents more information to the user, such as Manage My Appointments, where a person can see the GP appointments they have booked, it has become necessary to consider additional authentication and access control measures. Manage My Appointments is currently disabled but, for areas where NHS Login is enabled and used by the user (commissioned locations), this functionality could be switched on, since NHS Login provides a more robust level of access control. The NHS Login Privacy Notice can be found HERE.

19. Obligations of Secrecy

Sensely UK uses a third-party provider to host and provide access to the personal data it processes and uses a third-party provider for spine matching services.

Both providers are engaged under a Data Processing Contract that complies with GDPR Article 28 and creates an obligation of secrecy such that processing is restricted to the narrow instructions provided by Sensely UK. These contracts have been reviewed this year and compliance monitoring has been initiated.

Sensely UK employees and contractors are equally obliged to maintain confidentiality through their employment and service contracts.

All employees are provided with annual Information Governance training by an experienced Data Protection Officer.

20. Governance

Sensely has appointed a Data Protection Officer who has expert knowledge of data protection law and practices, in accordance with Article 37. Contact details have been provided to both the ICO and the public through the privacy notices.

Sensely UK has established a governance group which is attended by key team members including the DPO.

21. Conclusion

It is therefore concluded that, given the nature and volume of personal and special category data being processed for this project, there are technical and organisational measures in place such that the inherent risk is reduced to an acceptable level. If the identified mitigations are put in place, it is considered that there are no residual issues that result in a high risk to the rights and freedoms of individuals.

22. Sign Off

Item: Measures approved by
Name / Position / Date: Roger Davies, DPO, Sep 20
Notes: It is concluded that the stakeholders have in place appropriate technical and organisational measures to protect personal data and have identified no residual risks that would be considered high and require escalation to the ICO.

Item: Residual risks approved by
Name / Position / Date: Roger Davies, DPO, Sep 20

Item: Data Protection Advice provided
Name / Position / Date: Roger Davies, DPO, Sep 20

Item: Periodic DPIA review dates
Name / Position / Date: Roger Davies, DPO
Notes: Review due September 2021