Data Protection Impact Assessment

1. Background

GPintheCloud is a clinical remote desktop, designed to support Primary Care, developed by a joint venture partnership between Delt Shared Services Ltd and Integy Ltd.

GPintheCloud makes use of standard cloud computing components and connectivity to the HSCN to allow suitably authorised users connectivity to and use of primary care clinical systems and supporting applications.

It is important to note that access to clinical systems enabled by GPintheCloud uses existing access control lists (via an NHS smartcard) to manage rights to clinical data and these remain under the control of existing data controllers.

2. Data flow diagram

3. Purpose of the processing

This is a solution to provide a secure remote clinical desktop, accessible from any suitable internet connected device, to suitably authorised users.

GPintheCloud has been built for the needs of Primary Care and provides access to both SystmOne and EMIS Web clinical systems along with other supporting applications. Onward connectivity to other HSCN services including HSCN hosted pathology systems is provided, though access to individual services may be subject to additional security controls.

GPintheCloud was initially designed for use by remote locums, supporting general practice but there are a number of other suitable use cases:

  • Practice business continuity, including support staff

  • Provision of primary care system access to authorised pharmacy users

  • Provision of primary care system access to authorised medical examiners

4. Nature and scope of the processing

GPintheCloud provides access to both SystmOne and EMIS Web clinical systems along with other supporting applications. Onward connectivity to other HSCN services including hosted pathology systems is provided. Whilst the service allows access to patient records, it does not control access to the patient records and clinical systems themselves; this remains under the control of the applicable data owner.

GPintheCloud is available to CCGs/ICSs. It is not presently available to other organisations.

5. Data Processed

5.1 To provision access to the GPintheCloud service

Delt Shared Services Ltd and Integy Ltd are joint controllers for this data processing.

  • User's name

  • User's GPintheCloud Account ID or N365 ID

  • User's password hash

  • User's email address

  • User's phone number

  • User's authorisation status* (active/inactive)

5.2 To manage the GPintheCloud service

This data is used for accounting and security monitoring.

Delt Shared Services Ltd and Integy Ltd are joint controllers for this data processing.

  • User's GPintheCloud Account ID or N365 ID

  • Times of Access and services consumed

  • Source IP Address

  • Geo-Location data sourced from IP address

Of this data, the last 90 days of:

  • GPintheCloud Account ID or N365 ID, and

  • Times of Access and services consumed

may be shared with the CCGs/ICSs who authorised the clinician as a user of GPintheCloud.

5.3 To support access to the GPintheCloud service

Delt Shared Services Ltd and Integy Ltd are joint controllers for this data processing.

  • User’s account information as listed above

  • Contact made by GPintheCloud service users, whether by email, instant message or phone

  • Support calls, which may be stored as an audio recording

Delt Shared Services Ltd and Integy Ltd will use Microsoft as a data processor for provision of the virtual desktops and for management information related to the service.

Delt Shared Services Ltd will use ServiceNow as a data processor for incident management, and Avaya for support desk telephony.

Integy Ltd will use ConnectWise as a data processor for incident management.

This data will be managed in line with the respective organisations’ existing IT support processes.

5.4 With respect to patient data

For the purposes of data protection law terminology, Delt Shared Services Ltd will be the data processor and Integy Ltd will be the data sub-processor.

This includes:

  • The ‘window’ into clinical systems to which the user has been authorised by the employer or Practice, who are the data controller

  • Any temporary files created by the clinician whilst using the VM, for the duration of its lifespan (not more than 30 days). It is therefore not recommended that clinicians use this functionality to create content outside of the clinical systems; the customer organisation is, however, responsible for directing their clinicians in use of the service.

This therefore comprises any and all personal data types to which the clinical systems enable access, relating both to patients and to clinical system users (for example, information recorded by the clinical system when a patient record is updated), including the special category personal data types this covers.

This access remains under the control and gift of the data controller of the clinical system data (for example, the Practice the user is providing services to).

6. Lawful basis

Provision of a service to enable individuals identified by CCGs/ICSs as requiring access to the clinical desktop in order to perform work for which they are, or will be, contracted.

Data which is part of the clinical system remains part of the applicable data controller’s existing data arrangements, and it is for them to determine the appropriate lawful basis.

The lawful basis for processing data in relation to the GPintheCloud service is Legitimate Interest. A Legitimate Interest Test has been completed to validate this conclusion.

7. Demonstrate the fairness of the processing

For authorised users to access GPintheCloud, a CCG/ICS will have requested that they are specifically set up as a user.

The user will also be aware they are accessing a system as they will be logging in. Users would expect usage to be captured at a system level (such as capacity management), and at a local level (such as for support issues).

Data which is part of the clinical system remains part of the data controller’s existing data arrangements, however, patients would expect that clinicians can access their patient record.

8. What steps have you taken to ensure individuals are informed about the ways in which their personal data is being used?

A transparency notice is provided on the GPintheCloud support website, which is referenced in all communication with end users, including initial setup documentation. This notice explains what data is processed and why, and also informs data subjects of their rights and methods for resolving any issues. The location of the transparency notice will also be signposted to users in the GPintheCloud log on message.

Data which is part of the clinical system remains part of the data controller’s existing data arrangements. There is no change to usage of patient data or clinical employee data, just an additional way for an authorised user to access existing applications.

9. Is it necessary to collect and process all data items?

Data identifying GPintheCloud users will be limited to that which is required to manage their account. 

This table describes the purpose of data processed relating to the users of the GPintheCloud system. Data which is part of the clinical system remains part of the data controller’s existing data arrangements.

Personal Data

  Data Processed                               Purpose
  -------------------------------------------  -----------------------------------------------------------------
  User's name                                  Communicating with the authorised user
  User's GPintheCloud Account ID or N365 ID    Managing access to GPintheCloud
  User's password hash                         Managing access to GPintheCloud
  User's email address                         Communicating with the authorised user
  User's phone number                          Communicating with the authorised user
  User's authorisation status* (active/inactive)  Managing access to GPintheCloud
  Details of any support contacts              Managing resolution of incidents and ensuring contact quality
  Times of Access and services consumed        Managing billing for service consumption; access management
  Source IP Address                            Access management; cyber security monitoring
  Geo-Location data                            Access management (inferred from IP address, so may be inaccurate)

Special Category Data

  None

10. How will you ensure data is not used for other purposes?

As documented in the Joint Venture Agreement, neither Delt Shared Services Ltd nor Integy Ltd will use data processed as part of the GPintheCloud service for any other purpose.

Data which is part of the clinical system remains part of the applicable data controller’s existing data arrangements.

11. How will you ensure the accuracy of the data?

The personal data collected will either:

  • be supplied by a CCG/ICS in order to enable authorised user access; if incorrect, this will be evident to the user from their account credentials, and they can contact GPintheCloud support to have it corrected; or

  • in the case of usage data, be captured automatically by proven, industry standard logging tools.

Data which is part of the clinical system remains part of the applicable data controller’s existing data arrangements.

12. How long will the personal data be kept for?

Data identifying GPintheCloud users (5.1) will be automatically deleted 90 days after the account is deauthorised by an administrator.

User access data (logs) will be maintained for 90 days, after which they will be deleted.

User data (user name, access credentials, contact details) is maintained for the period of authorisation. The commissioning body (CCG/ICS) will be asked to validate this list at least once every 24 months.

Any data cached by the applications delivered via GPintheCloud is deleted when the virtual machine session is terminated, which occurs after no more than 30 days.

Information may be included as part of records relating to support activities such as fault finding and resolution. In this case it will be kept for the lifecycle of the support products.

Data which is part of the clinical system remains part of the applicable data controller’s existing data arrangements and is not affected by this solution.

13. What technical and organisational controls for information security have been put in place?

13.1 GPintheCloud

  • Multifactor authentication is used to secure access to GPintheCloud.

  • Virtual machine storage is encrypted at rest.

  • Traffic between the user and GPintheCloud is encrypted.

  • A Systems Level Security Policy (SLSP) is in place.

  • GPintheCloud has been subject to a third-party penetration test with all recommendations applied. NB: This is pending completion of the build, but will be completed prior to launch.

  • Virtual machines are built from a standard image, so they can easily be destroyed and recreated, and data persists only for the life of the machine (no more than 30 days).

  • Virtual machines will be replaced every 30 days, ensuring

  • Internet access filtering is in place to ensure that outbound web browser access cannot access undesirable classifications of websites.

  • GPintheCloud will timeout after 10 minutes of inactivity after which a user will be required to reauthenticate – there will be no loss of data in this scenario.

  • A session with no activity for 60 minutes automatically logs out – in this scenario any unsaved data would be lost.

  • A reminder of the conditions for using GPintheCloud is presented on each logon, including the condition that photographs of screen displays may not be taken.

  • A Joint Controller agreement details respective responsibilities of Delt Shared Services Ltd and Integy Ltd, which includes a sub-processing agreement.

  • Screen scrape protection is in place.

  • Microsoft Baseline Security Policies are applied.

  • NCSC approved UK Official / NHS Azure Policies are applied.

  • Written training material is provided to all GPitC users, with the option of telephone support.

  • Both Delt and Integy staff are subject to pre-employment checks, including DBS checks where appropriate.

  • Both Delt and Integy staff are provided with formal Data Protection and cyber security training.

  • Both Delt and Integy staff responsible for the management of the GPitC platform will receive training appropriate to their role.

  • Changes to the service are managed under a formal change control process as part of the System Security Policy. This document is available for customers to review under an appropriate NDA.

  • In the unlikely event of a data loss incident, Delt will manage the process against its standard procedure.

13.2 Clinical systems data

It is the CCG/ICS’s responsibility to request that a GPintheCloud account is deauthorised. However, without access granted by the data controller of the clinical system (e.g. the Practice), GPintheCloud will not, on its own, enable access to clinical data.

Data which is part of the clinical system remains part of the data controller’s existing data arrangements, and existing smartcard functionality is required to access the clinical applications themselves.

The Joint Controller agreement referenced above (13.1) also includes processor to sub-processor requirements governing Delt Shared Services Ltd and Integy Ltd in the processing of clinical systems data.

14. Describe if the personal data is to be shared with other organisations and the arrangements you have in place

User and usage data will be shared with Microsoft Ltd, a technology provider to GPintheCloud.

Usage reports will be available to CCGs/ICSs for their own authorised users only.

Patient data will not be shared as a consequence of GPintheCloud usage. Data which is part of the clinical system remains part of the applicable data controller’s existing data arrangements.

15. Describe if personal datasets are to be matched, combined or linked with other datasets (internally or for external customers)

Neither user nor patient data will be matched, combined or linked with other datasets as a consequence of GPintheCloud usage.

IP address data and login information may be matched with other datasets in the interests of ensuring cyber security.

16. Describe how data subjects will be able to exercise rights granted by data protection legislation

GPintheCloud data subjects may contact Delt’s DPO as a point of contact. Contact information will be included in the Transparency Notice published on the GPintheCloud website.

Any requests for correction/objection will be processed through the Delt Service Desk, or by the organisation which receives them.

Any requests for access will be managed and monitored using Delt’s Subject Access Request process.

Clinical system data subjects will remain covered by the applicable data controller’s existing arrangements.

17. In which country/territory will personal data be stored or processed?

All clinical data will remain within the UK.

User and usage data for GPintheCloud may be stored in the UK and US (the latter has Standard Contractual Clauses in place).
