All the records held in the practice are completely confidential. No identifiable information is released without your written consent. Our computer is used to store some information and this information is covered by the Data Protection Act (1998).
Freedom of Information
The Freedom of Information Act 2000 obliges the practice to produce a Publication Scheme. A Publication Scheme is a guide to the ‘classes’ of information the practice intends to routinely make available.
A copy of this scheme can be obtained from Birmingham & Solihull NHS, Triplex House, Eckersall Road, Kings Norton, Birmingham B38 85S.
Data Protection Impact Assessment (June 2019)
A data processor acting on our behalf, EMIS Health, is changing certain technical aspects of the way in which it delivers services to us (see https://www.emisnug.org.uk/blog/next-generation-emis-x-announced), and as part of this transition it will be moving the data which it hosts on our behalf from its own data centre to a third party data centre, which is owned and operated by Amazon Web Services (AWS). Delivery of the services is subject to the terms of the GP Systems of Choice Framework (GPSOC) which is managed by NHS Digital on behalf of the Secretary of State for Health. The exercise will involve a change to the manner in which data is being processed on our behalf. Although this change does not introduce processing that is likely to result in a high risk to individuals (which would necessitate the undertaking of a DPIA), given that the data includes special category data we nevertheless feel that it is appropriate that we undertake a review.
As detailed above, the data (which includes special category data (i.e. health data) which is collected via the processor’s clinical IT system and which forms the patient’s medical record) will be stored in a third party data centre (which will act on the instructions of EMIS Health, who in turn will act in accordance with instructions received from (or on behalf of) ourselves as the relevant controller pursuant to our call off contract under the GPSOC framework or as otherwise documented). Aside from the manner in which the data is being hosted, we have not identified, as part of this change, any material change to the manner in which the data is being processed (in terms of data sharing and/or use). The scope of the data processing is as detailed in the relevant GP Systems of Choice contract (and related call off contract (and deed of undertaking)) or as otherwise agreed in writing between EMIS Health and ourselves. As noted above, aside from the hosting element the manner in which the data is being used or otherwise processed will not materially change as a result of this change. This DPIA distinguishes between: (i) the day to day processing undertaken (by us as a controller and EMIS Health as a processor acting on our behalf (and which will not change and so is not covered in detail)); and (ii) the change to the manner in which the data is being hosted by or on behalf of the processor (and which is the focus of this DPIA).
We are aware that cloud computing is an established technology, the adoption of which is being driven within the public sector: https://www.gov.uk/guidance/use-cloud-first
The use of cloud computing has been recognised by the Government as being beneficial because:
- You can avoid upfront investments in your infrastructure, reducing overall costs;
- There’s greater flexibility to trial new services or make changes, with minimal cost;
- Pricing models are scalable - instead of building for the maximum usage you buy for less usage and increase or decrease as appropriate;
- It will be easier to meet the Greening Government Commitments - cloud facilities typically try to use server space and power in the most efficient way possible;
- Upgrades and security patches can be applied continuously; and
- The supplier will have responsibility for making sure the service has good availability for users.
In terms of issues of public concern, we understand that individuals may have an issue with their medical record being held by a commercial organisation, but the fact is that the relevant patient records are already being held by third party commercial organisations (either EMIS or one of the other primary system suppliers under GPSoC, or sub-processors acting on their behalf) and the only real change here is the identity of the third party (i.e. the data is moving from a processor to a sub-processor).
With regard to questions of security, we are aware that the National Cyber Security Centre has issued guidance on cloud security (https://www.ncsc.gov.uk/collection/cloud-security), and we understand that the relevant service provider in this instance (AWS) operates at the very highest levels of security (details of which are set out at https://aws.amazon.com/security/).
As noted under the question above, the move to a third party cloud environment is seen as beneficial for a number of reasons, both for us as a controller (in terms of improved availability, resilience and service in respect of the services being delivered to us by the processor) and in respect of the patients (in terms of security, integrity and availability of their data).
The GPSoC services are provided pursuant to a framework agreement as between NHS Digital and EMIS Health (with services then being purchased at a CCG level on our behalf as a service recipient). Under the terms of the GPSoC framework, NHS Digital essentially acts for and on our behalf in terms of approving the appointment of processors to the framework and, once they are appointed, the use of any sub-contractors (and so sub-processors). We understand that EMIS Health has engaged with NHS Digital in order to secure a variation to the framework agreement to provide for the appointment of AWS as an approved material sub-contractor.
EMIS Health has notified the relevant GP practices, including ourselves, so that we have an opportunity to raise any concerns with regard to the proposed change, but as this change is a universal technical/operational change it is more appropriate for such matters to take place at a framework level (which is why the GPSOC Framework Agreement is structured as it is). In any event, the Guidance issued by the ICO would suggest that this is a move which the processor is entitled to drive on its own behalf provided that it remains within the scope of the relevant contract (i.e. in its Controller/Processor detailed guidance the ICO states “In certain circumstances, and where allowed for in the contract, a processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf.”). The lawful basis for processing the patient records (a mixture of consent, explicit consent, fulfilling public duties and providing direct healthcare) does not change as a result of this proposed change; the only difference is a technical one in terms of how the service is being delivered by the relevant processor (i.e. EMIS Health). We have in place a privacy notice which refers to the use of third party processors/service providers, which would include EMIS Health. We are informed that the data will not be transferred overseas in connection with this change of service. The processing which is undertaken by EMIS Health on our behalf is governed by the terms of the GP Systems of Choice Framework Agreement (together with the relevant Call Off Contract), which includes broad data protection obligations, and we are able to directly enforce those obligations against the processor pursuant to a deed of undertaking which has been signed by EMIS Health and which each individual practice can rely upon.