1. Introduction
BrisDoc Healthcare Services will in respect of all personal information implement appropriate technical and organisational measures which are designed to ensure data protection and safeguard an individual’s rights.
With a new plan or project, we will ensure we implement these measures at the outset and these will form an integral part of any Data Protection Impact Assessment (DPIA). We will ensure that only personal data which is necessary for each specific purpose is processed.
Both at the time of the first occasion of processing any personal data and on all future occasions of processing, all members of staff must give consideration to the following questions:
- Is it necessary to collect all the personal data or can the purpose be achieved without certain personal data?
- Can the purpose be achieved in another way which means that personal data is not required or there is a reduction in the amount of personal data collected?
- Are we ensuring that the data is being collected for the original purpose only?
- Are we able to anonymise or ensure pseudonymisation of personal data?
- Do we continue to require the personal data held or can some or all of the personal data be deleted? Note – When deleting personal data, it is essential to comply with our Retention and Deletion Policy.
- Is the sharing of personal data with other members of the organisation necessary to enable them to undertake their role and would they be unable to do so without processing the personal data?
- Is the sharing of personal data with other organisations or individuals who are not members of staff of BrisDoc Healthcare Services necessary, and:
  - is there information in our privacy policy detailing this sharing;
  - where appropriate, have we entered into a data sharing agreement with the external organisation or individual; or
  - where appropriate, have we entered into a data processor agreement?
Information and information systems are important corporate assets and it is essential to take all the necessary steps to ensure that they are at all times protected, available and accurate to support the operation and continued success of BrisDoc.
An essential requirement for any change management control system is the establishment of an accurate and up-to-date Information Asset Register which lists all of the information systems, current data repositories and databases used in the delivery of the service. It is vitally important that all such assets have identified Information Asset Owners (IAOs) who are responsible for maintaining appropriate standards of confidentiality, integrity and accessibility, and for ensuring that data quality is not adversely affected by any changes. IAOs are responsible for any inward and outward flows, for managing risks, and for ensuring that any new systems or changes to systems are assessed for privacy compliance prior to implementation.

In order to adhere to good practice for the management of information assets, this document establishes a formal mechanism for the approval of new assets and of potential changes to existing assets and processes. This will ensure that any security, confidentiality, data protection and data quality issues have been considered for any new or re-configured asset, system or procedure.
By completing the Change Notification Form (Appendix A) and the Information Governance (IG) Checklist (Appendix B), an initial compliance assessment of privacy risks and liabilities will have been conducted. A decision on the need for a more detailed Privacy Impact Assessment (PIA) can then be made.