DPIA policy

DATA PROTECTION IMPACT ASSESSMENT

Section One: Background Information

Project Name

My Health Assistant (MYHA)

Lead person conducting DPIA

Kate Wild

Brief description

My Health Assistant is planning on launching a new app and website which offers end users (patients) a search function for medical and related services in their area.

The app will also offer professionals (subscribers) the ability to take online bookings and payments, and to manage their accounts, customer communications and marketing via the app.

My Health Assistant has identified that the app will process health data as is necessary for the app and website to provide its functionality. Therefore, this DPIA is conducted in order to assess the data protection implications and manage any associated risk before launching the new product.

In particular, this DPIA will assess and mitigate risks to the rights and freedoms of consumers who are likely to access the app.

Section Two: Screening Questions

The following questions will assist in determining the processing that is likely to pose more of a risk. If you answer ‘yes’ to any of these questions a DPIA is required and you should continue to Section 3.

Question | Yes / No

Is the processing on a large scale (looking at the number of individuals, the volume of data, the duration or permanence of the processing activity, the geographical extent of the processing)?

No

Will the processing compel individuals to provide information about them – do they have a choice whether they provide their information?

Yes – they will need to provide contact details and details of their health enquiry.

Will the processing of the data prevent an individual from exercising their rights under the DPA or GDPR, or prevent them using a service?

No

Is the data of a more sensitive nature – does it fall within the sensitive data classification (DPA) or special category of data (GDPR)? For example, health records, criminal records, or other information that people would consider to be particularly private.

Yes – information relating to health.

Does the data concern vulnerable data subjects?

No

Will the processing result in you making decisions or taking action against individuals in ways which can have a significant impact on them?

No

Is any decision-making about the individual an automated process?

No

Is the processing an evaluation or scoring process including profiling?

No

Is the data collected being data-matched or combined with other data?

No

Will information about individuals be shared or disclosed to organisations or people who have not previously had routine access to the information?

Yes – to the professional / subscriber they contact.

Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?

No

Will the processing involve you using new technology or cameras which might be perceived as being privacy intrusive?

No

Will the processing require the innovative use of new technology or organisational solutions?

Yes

Section Three: The Purpose

Purposes / Objectives – Why is it being undertaken?

My Health Assistant is planning on launching a new app and website through which patients can search for medical and related services in their location and pay privately for medical and health services at home, instead of waiting for the NHS or using BUPA insurance. Patients will be able to search, select a professional, send an enquiry or book an initial consultation and future appointments via the app. They will be able to follow professionals to find tips and advice on certain health issues and phone our call centre for advice on which service they require. Services My Health Assistant will offer include the following:

  • Care workers for respite care at home
  • Physiotherapists and chiropractors
  • Children’s social care workers, speech and language therapists or occupational health for assessments
  • Counsellors and mental health nurses
  • Occupational health for workplaces
  • Nurses, such as oncology nurses for end-of-life care, accident care in the home, or visits for wound care etc.
  • Personal trainers and nutritionists
  • Doctors for online video calls / home visits to diagnose
  • Hairdressers and beauticians for housebound patients
  • Podiatrists
  • Dentists
  • Teachers for one-to-one tuition / lessons in the home setting
  • Nannies, babysitters and childminders.

The purpose of the app is to support patients by connecting them with options and reducing anxiety, so that they can improve or fix their health. At the same time it offers healthcare professionals an additional income and the support to work part time or full time for themselves, increasing their income and removing the back office burden so they have more time to focus on patients.

Is the processing required to comply with any legal obligation or statutory code of practice/code of conduct?

The processing is subject to the Data Protection Act 2018 and the UK GDPR. In preparing this DPIA, we have also taken into account the European Data Protection Board’s draft Code of Conduct on Privacy for Mobile Health Applications. Whilst the UK is no longer a member of the EU and therefore guidance of the EDPB is no longer directly applicable, the ICO has confirmed that the guidance still demonstrates good practice.

Section Four: The Personal Data Processed

What personal data is being collected, shared or used? | Yes / No | Justifications – is all data required or could some be removed without compromising the project?

Personal details (i.e. name, address, DOB)

Yes – required for the app to provide its functionality.

Contact details (i.e. email address, postal address, telephone number)

Yes – required for the app to provide its functionality.

Information relating to the individual’s physical or mental health or condition, consultations booked and enquiries made.

Yes – required for booking an initial consultation appointment and for the app to provide its functionality.

Information relating to an individual’s location

Yes – required for the app to provide its functionality.

Section Five: The Processing

Describe the processing (including collection, use and deletion) of personal data.

Personal data from users will initially be collected during the user registration process and is subsequently collected throughout the duration of the user’s interaction with the app. Personal data will be collected directly from the user themselves.

The personal data of users will be used in the following ways:

  • To register the individual as a user;
  • To identify relevant professionals close to the user’s location and to book a professional’s services;
  • To book consultations and answer enquiries;
  • To hold user data within My Health Assistant’s database whilst the account remains active;
  • To manage user accounts and their interaction with the product; and
  • To add, delete and modify user accounts whilst the accounts remain active.

Personal data will be stored in My Health Assistant’s database until accounts are deleted or there has been a period of inactivity of 10 years. Once an account is closed, the user account is deleted and the user’s details are anonymised.

Anonymised data may also be used for medical research and/or statistical purposes.

Section Six: Consultation

Explain the consultation process – Which stakeholders have you consulted with and what testing has been conducted?

Professionals have to register detailing their qualifications and experience, which are checked with the professional body they are qualified with as part of the onboarding process. Clients who use the professional will be asked to review the professional, and this feedback will be available on the app.

Section Seven: Necessity and Proportionality

Explain why the processing is necessary – what are the benefits to the organisation and individuals?

The app/website has been developed to assist those who are seeking private medical care to access private health care, instead of waiting for the NHS or using Bupa insurance. The app/website will allow individuals to search for their desired health professionals within their locality. They will also have access to professionals over the phone who can provide them with healthcare tips etc.

Professionals can subscribe to do work outside of, or in addition to, the NHS, earning more money and achieving a better work-life balance. My Health Assistant also offers back office support for professionals to enable them to spend more time with patients.

Section Eight: Technical Security Measures

Provide specific details of your technological security measures in place to ensure the security of personal data.

The app is hosted and served by AWS.

Connections to the platform are encrypted in transit using TLS 1.2.

Personal data in the database is encrypted at field level.
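The field-level encryption named above is stated but not specified. The following is an added example, not My Health Assistant's own code (which the DPIA does not include), of what sealing the health columns of a user record at field level can look like, written in Go using AES-256-GCM from the standard library. The user record, its column names, the 32-byte key and the `user-0001` identifier are all constructed for the example; in a real deployment the key would be held in a key management service rather than generated in `main`. It goes a step beyond the DPIA's one-line statement: each ciphertext is bound to its row id and column name as additional authenticated data, so a value copied between rows or columns cannot be opened in the wrong context.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// UserRecord is a constructed stand-in for one row of the user table, keyed by column
// name. sensitiveColumns are the health columns sealed at rest; the rest stay in clear.
type UserRecord map[string]string

var sensitiveColumns = []string{"health_enquiry", "condition"}

// FieldCipher seals single column values with AES-256-GCM. The key is assumed to come
// from a key management service in production and is never stored beside the data.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher accepts only a 32-byte key so a weaker key cannot slip in.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field cipher needs a 32-byte AES-256 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// EncryptField returns base64(nonce || ciphertext || tag) under a fresh random nonce.
// The row id and column name are the additional authenticated data, so a value copied
// into another user's row (or another column) fails to open instead of quietly decrypting.
func (fc *FieldCipher) EncryptField(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"|"+column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Tampering, truncation or a mismatched row/column
// all collapse into one generic error so callers cannot distinguish the cause.
func (fc *FieldCipher) DecryptField(recordID, column, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if ns := fc.aead.NonceSize(); len(sealed) >= ns {
		if plain, err := fc.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID+"|"+column)); err == nil {
			return string(plain), nil
		}
	}
	return "", errors.New("ciphertext invalid for this row and column")
}

// mapSensitive copies rec and applies fn to each sensitive column that is present.
func mapSensitive(rec UserRecord, fn func(id, col, val string) (string, error)) (UserRecord, error) {
	id := rec["id"]
	if id == "" {
		return nil, errors.New("record needs an id to bind ciphertexts to")
	}
	out := make(UserRecord, len(rec))
	for col, val := range rec {
		out[col] = val
	}
	for _, col := range sensitiveColumns {
		if val, present := rec[col]; present {
			v, err := fn(id, col, val)
			if err != nil {
				return nil, err
			}
			out[col] = v
		}
	}
	return out, nil
}

// EncryptRecord seals the sensitive columns of a row; DecryptRecord opens them again.
func (fc *FieldCipher) EncryptRecord(rec UserRecord) (UserRecord, error) { return mapSensitive(rec, fc.EncryptField) }
func (fc *FieldCipher) DecryptRecord(rec UserRecord) (UserRecord, error) { return mapSensitive(rec, fc.DecryptField) }

func main() {
	key := make([]byte, 32) // demo key generated here; a real deployment fetches it from a KMS
	io.ReadFull(rand.Reader, key)
	fc, _ := NewFieldCipher(key)
	stored, _ := fc.EncryptRecord(UserRecord{"id": "user-0001", "health_enquiry": "Back pain, seeking a physiotherapist"})
	back, _ := fc.DecryptRecord(stored)
	fmt.Printf("stored: %q\nrestored: %q\n", stored["health_enquiry"], back["health_enquiry"])
}
```

Non-sensitive columns such as name and email stay in clear so the location search and contact functions described in Sections Four and Five still work, while the health enquiry and condition columns are only readable through DecryptField with the correct row id and column name. That decrypt call is also a natural place to enforce the need-to-know access to user data described in Section Ten.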

Section Nine: Identify the Data Protection Risks

Use this section to identify the key data protection risks and associated compliance and organisational risk.

No. | Data Protection Risk | Risk to individual | Compliance risk | Organisational risk

1. External malicious attack to app

Risk to individual: Access to the app’s user data could be compromised by malicious third parties.

Compliance risk: Non-compliance with data protection principles – integrity & confidentiality.

Organisational risk:
  1. Reputational damage
  2. Regulatory action / sanction from ICO

2. Unauthorised access to app user data by data processors

Risk to individual: Access to app user data could be compromised by malicious third parties.

Compliance risk: Non-compliance with data protection principles – integrity & confidentiality.

Organisational risk:
  1. Reputational damage
  2. Regulatory action / sanction from ICO

3. Unauthorised access to app user data by My Health Assistant employees or contractors

Risk to individual: Access to app user data could be gained by unauthorised My Health Assistant employees or contractors.

Compliance risk: Non-compliance with data protection principles – integrity & confidentiality.

Organisational risk:
  1. Reputational damage
  2. Regulatory action / sanction from ICO

4. Data is stored outside of the UK

Risk to individual: Transfers of data to/from My Health Assistant’s cloud-based system could be illegal.

Compliance risk: Non-compliance with data protection principles – fair, lawful & transparent processing.

Organisational risk:
  1. Reputational damage
  2. Regulatory action / sanction from ICO

5. Physical or technical problems occur impacting the availability of the system

Risk to individual: Access to app user data cannot be gained due to the app being unavailable or information being destroyed.

Compliance risk: Non-compliance with data protection principles – integrity & confidentiality.

Organisational risk:
  1. Reputational damage
  2. Regulatory action / sanction from ICO

Section Ten: Identify Solutions to Manage Risks

No. | Risk | Solution(s) | Result: is the risk eliminated, reduced or accepted? | Evaluation: is the final impact compliant and proportionate to the aims of the project after the solution(s) is implemented?

1. External malicious attack to the app

Solution(s): Due diligence has been carried out and AWS has various technical and organisational security measures in place to ensure external malicious attacks are prevented. Hosting is on AWS cloud with failover and third party penetration testing.

In addition, contractual terms are in place which guarantee that [Our Third party IT providers] have appropriate technical and organisational measures in place to safeguard personal data as required by the UK GDPR.

See attached Annex 1 for further information.

Result: Risk reduced to an acceptable level

Evaluation: Yes

2. Unauthorised access to the app user data by AWS personnel

Solution(s): Due diligence has been carried out and AWS has various technical and organisational security measures in place to ensure only authorised personnel with a legitimate business reason can access user data.

In addition, contractual terms are in place which guarantee that our third party IT providers have appropriate technical and organisational measures in place to safeguard personal data as required by the UK GDPR.

See attached Annex 1 for further information.

Result: Risk reduced to an acceptable level

Evaluation: Yes

3. Unauthorised access to user data by My Health Assistant employees or contractors

Solution(s): Access to user data will be limited to a small number of senior members of staff. Access will be granted on a need to know basis, and permission levels will be set so that only senior staff can access user data.

Result: Risk reduced to an acceptable level

Evaluation: Yes

4. Data is stored outside the UK

Solution(s): Data from the app is currently stored within AWS. In any event, AWS has confirmed that it already has SCCs in its data processing addendum. Therefore, even if an adequacy decision is revoked, data can continue to be transferred lawfully between the UK and the EU.

In addition, contractual terms are in place to ensure the legitimate transfer of personal data to/from the EU in accordance with the UK GDPR.

Result: Risk reduced to an acceptable level

Evaluation: Yes

5. Physical or technical problems occur impacting the availability of the system

Solution(s): AWS has a number of technical and organisational security measures in place to ensure the availability of user data in the event its system is compromised.

Full details are set out in Annex 1.

Result: Risk reduced to an acceptable level

Evaluation: Yes

Section Eleven: Link the DPIA to the Data Protection Principles

What are the lawful bases for processing personal data?

The lawful bases for processing user personal data will be set out in the My Health Assistant app’s privacy notice and include the following:

  • Explicit consent;
  • Necessary for the performance of a contract;
  • Necessary for the protection of a user’s vital interests; and
  • Necessary for the purposes of the legitimate interests of My Health Assistant.

How will the processing of personal data be transparent?

Users will be notified within the My Health Assistant app’s privacy policy and the user Terms and Conditions of how their personal data will be processed. In addition, explicit consent will be obtained from users to sign up to the app and to process their health data.

How will you ensure the personal data is accurate and kept up to date?

Each user can manage their own account, keeping their details accurate and up to date. This includes being able to amend user names, email addresses and passwords. Given the nature of the data processed, it is unlikely to change on a regular basis, thereby making the risk of processing inaccurate data low.

What are the retention periods for the personal information and how will this be implemented?

Personal data will be stored in the My Health Assistant database until accounts are deleted or there has been a period of inactivity of 10 years. Once an account is closed, the user account is deleted and the user’s details are anonymised.

Data will usually be held for a period of 10 years of inactivity (see above), however it may be held for longer if there are any legal, accounting, reporting or regulatory requirements that mean that personal data must be held for a longer period of time.

Anonymised data may also be used for medical research or statistical purposes. Whilst the data will be anonymised and therefore no longer be ‘personal data’ as defined by the UK GDPR, users will be notified of this potential use of their data in the app’s privacy policy.

Will you be able to easily action requests from individuals to exercise their data protection rights?

Yes – in the event a data subject wishes to exercise their rights under data protection legislation, details of how to make such a request are set out in My Health Assistant’s privacy policy.

What training and instructions are necessary to ensure that employees know how to operate a new system securely?

Instructions will be provided to employees and contractors using the app. Access to data within the app and use of users’ personal data will be governed by our Data Protection Policy and any contractual obligations the employee/contractor is subject to.

Does the system involve the transfer of personal data outside the UK or EEA?

The app’s database is hosted by AWS. AWS uses servers located in the UK and EEA. Therefore, currently any data transfers are covered by a European Commission adequacy decision.

In the event an adequacy decision is revoked, additional safeguards will need to be in place to ensure that the transfers of data to/from the EU are lawful under the UK GDPR. AWS has confirmed that it already has SCCs in place. Therefore, even if an adequacy decision is revoked, data can continue to be transferred lawfully between the UK and the EU.

Default Settings – What specific measures have you taken to ensure privacy by default?

The ICO guidance for app developers states that settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the users).

To demonstrate privacy by default, the default settings in the app will be set so that the app does not automatically share information with the selected professionals. Users must positively indicate their agreement to permitting the app to share information with selected professionals.

Data Sharing – What specific measures have you taken to ensure compliance?

No personal data is shared without consent unless it is to data processors conducting a service on behalf of My Health Assistant (e.g. hosting the app, maintaining a database). Any data processors undergo due diligence and are subject to contractual obligations requiring them to only use the data for the purpose of fulfilling contractual obligations and not to disclose data without the consent of My Health Assistant.

App users can choose to share their data with selected professionals. Users must provide their explicit consent before this data is shared.

Section Twelve: Integrating the DPIA Outcomes into the Project Plan

Actions to be taken:
  • Privacy Policy to be drafted and finalised.
  • Explicit consent to process health data to be obtained at the point the app is installed.