T-052-001 DPIA for DA-005 PR API and DA-006 PR Web app
- Governed by procedure
GP-052 Data Privacy Impact Assessment (DPIA)
Summary
Description of the processing activity
The activity consists of processing medical data, which can be collected via API integration or via web app, by the organisations that use our service. This activity corresponds to the codes DA-005 PR API and DA-006 PR Web app of our Record of Processing activities (ROPA).
Although we have differentiated DA-005 PR API and DA-006 PR Web app as two different processing activities, they are very similar except in their implementation method. While DA-005 PR API refers to the API implementation, the DA-006 PR Web app refers to a use through a web application. The purposes for processing and the data processed are the same.
Summary of the project
Legit.Health (hereinafter, us and we) is a technology provider empowering care providers and capacitating general practitioners, specialists, nurses and other healthcare practitioners (hereinafter, HCP) team to provide more reliable and quicker patient care. Our services are used by hundreds of HCPs, to care for thousands of patients.
Technically speaking, the project consist in providing the Client with access to our artificial intelligence. This means that the Client will access our technology to send images of skin lesions, and get back an array or data.
The benefits of the project are, among others:
- Continuous improvement (training) for HCP: since the artificial intelligence provides immediate clinical data, HCPs get instant information about the identity of the conditions of the patient, as well as the degree of afectation (severity). This may serve to improve overtime the knowledge of the non-specialist HCP.
- Better patient experience: speeds up the care pathway, avoids unnecessary patient visits to the medical center, reductions in follow-up visits to GP Practices.
- Better general practitioner experience: more patient episodes conclude with no follow-up work, case-based learning, reconnecting with consultants - more efficient and fully IG-compliant way of taking photo images and transferring to patient records.
- Better specialist experience: reduction in inappropriate referrals, reduction in the number of written requests for advice that require responses, reconnecting with GPs.
- Better hospital manager experience: enables value-based healthcare management. Greater 'whole system' efficiency, with savings available to support.
- Increased clinical endpoints: useful when conducting clinical trials, the system may extract clinical endpoints realiably and decreasing the workload of the HCP.
1. Determining whether the Privacy Impact Assessment (PIA) is necessary
The first step is to determine if the activity needs an full Processing Impact Assessment (PIA).
Checklist
These questions are intended to help decide whether a full DPIA is necessary. Answering “yes” to any of the screening questions below (except those questions which have caveats) represents a potential IG risk factor that will have to be further analysed to ensure those risks are identified, assessed and fully mitigated.
| # | Category | Screening Question | Applicable |
|---|---|---|---|
| 1 | Individual | Will the process or system include the processing of personal or sensitive data? | |
| 2 | Individual | Will the process or system involve the collection of new information about individuals? For example, additional information collected which was not initially captured in the process or system. | |
| 3 | Individual | Will the process or system compel individuals to provide information about themselves? | |
| 4 | Stakeholder | Will information about individuals be released/shared with organisations or people (i.e. internally with ICB/HB departments or externally with individuals/departments) who have not previously had routine access to the information? Caveat: this will only qualify as a “yes” if “yes” has been answered for Q1, Q2 or Q3 | |
| 5 | Information | Will the information be used for a different purpose than originally agreed? For example, an additional purpose, which was not initially captured in the process or system. Caveat: this will only qualify as a “yes” if “yes” has been answered for Q1, Q2 or Q3 and/or a previous PIA or agreement has been completed. | |
| 6 | Information | Does the process or system involve the use of new technology that might be perceived as being privacy-invasive? For example: biometrics, cookies, finger print identification, IP Addresses etc. | |
| 7 | Information | Will the project result in you making decisions or taking action against individuals in ways, which could have a significant impact on them? | |
| 8 | Information | Is the information about individuals likely to raise privacy concerns or expectations? For example: health records, criminal records, staff records, or other information that individuals are likely to consider as private. | |
| 9 | Information | Will the process or system require you to contact individuals in ways, which they may find intrusive? | |
| 10 | Approval | Has this process or system already started as a pilot without a DPIA being undertaken? |
Outcome
2 of the 10 screening items are deemed applicable, then:
- a full Privacy Impact Assessment (PIA) is required.
- a full PIA is not required.
2. Privacy Impact Assessment
Since the previous step concluded that the full PIA is necessary, in this section we will lay out an assessment on the risks and the mitigations related to data processing.
To this effect, this document follows two gudelines:
- The Data Privacy Impact Assessment Code of Practice developed by the Information Commissioners Office (ICO) to help organisations complete privacy impact assessments.
- The guidelines of the European Commission, and specially relating to Article 35 of the General Data Protection Regulation (GDPR)
Project summary
Summary of data being held as part of the project
The service is a software tool where HCPs or patients can upload images of their skin lesions, and receive clinical information. To that effect, the user will have access to an interface wherein they will have the ability to upload a photo and receive a report containing information regarding the intensity of the clinical signs or distribution of possible disease. Thus, the data processed consists mainly on images of lesions of skin abnormalities. These images are centered in the lesions and do not contain identifying information, although there is a chance of the image containing birthmarks or tattoos.
Summary of the processing roles
| Party | Role |
|---|---|
| The Client | Data Controller |
| Us | Data Processor |
Privacy by design measures
When possible, the tool is configured in such a way that the Data Processor does not store the photograph nor the report, and there is no way to associate the photo processed with the user who uploaded it, which provides a high degree of privacy by design that prevents identification.
In cases where it is necessary for the Client to retrieve the image or the report in the future, the users will access through a 'closed system', as defined in 21 CFR 11, which also provides a high degree of privacy by design.
Project Lead:
- Name: Taig Mac Carthy
- Job Title: COO
- Email: taig@legit.health
- Phone: 619085580
Project detail
The service is a software tool where HCPs or patients can upload images of their skin lesions, and receive clinical information. To that effect, the user will have access to an interface wherein they will have the ability to upload a photo and receive a report containing information regarding the intensity of the clinical signs or distribution of possible disease. Thus, the data processed consists mainly on images of lesions of skin abnormalities. These images are centered in the lesions and do not contain identifying information, although there is a chance of the image containing birthmarks or tattoos.
Identification of parties
Supplier
| Property | Value |
|---|---|
| Company name | AI Labs Group, S.L. |
| Trademark | Legit.Health ® |
| ID Number | (ES)B95988127 |
| Activity | Provision of clinical intelligence and communication software for HCP. |
| Address | Gran Via, BAT Tower, 48001, Bilbao, Spain |
| Telephone | +34 653 08 83 37 |
| hello@legit.health | |
| Website | https://legit.health |
| Legal representative | Ms. Aguilar Robles |
Supplier's Data Protection Officer
| Identifying information | |
|---|---|
| Company name | Audens Legal, S.L.P. |
| Address | Calle del Marqués de Cubas 12, 5ºC, 28014 Madrid |
| ID Number | (ES)B85808954 |
| Address | Gran Via, BAT Tower, 48001, Bilbao, Spain |
| Telephone | +34 910 099 875 |
| rgpd@audens.es | |
| Website | https://audens.es |
Sub-contractors
No, there are no sub-contractors providing bespoke solutions.
Vendors or sub-processors
Yes, the service is cloud based and uses Secure Virtual Private clouds provided by Amazon Web Services (AWS).
The AWS cloud is used to host all client data for operational purposes including Personal Identifiable Data (PID) which is held in more than one data centre as a natural backup.
Contract and accreditations
Contract in place
| Contract | Signed date |
|---|---|
License for use | N/A |
Checklist of relevant clauses
The contract between us and the Client includes (or will include) clauses related to:
- Data sharing with the between the supplier and the Client
- Data security and protection
- Data confidentiality
- Breach reporting
- Data subject access and erasure requests
- Compliance with all relevant legislation and regulation, particularly UK GDPR
Other clients
We have contracts with dozens of healthcare providers and managing organisations, including European goverment-run health services and hospital groups.
Compliance with standards
We actively follow and comply with the standards checked in the following list.
- ISO 13485 (Medical Devices)
- ISO 9001 (Quality Management System)
- ISO 27001 (Information Security)
- ISO 27018 (Information Technology)
- DSPT (Data Security Protection Toolkit)
Certification with standards
We have been certified by third party auditors regarding the standards checked in the following list.
- ISO 13485 (Medical Devices) certification
- ISO 9001 (Quality Management System) certification
- ISO 27001 (Information Security) certification
- ISO 27018 (Information Technology) certification
- Cyber Essentials Plus
- Data Security Protection Toolkit (DSPT)
Penetration testing
We conduct independent external network penetration testing monthly, which include Open Web Application Security Project (OWASP) Top 10 vulnerabilities.
Information asset register
Information Asset Register
Yes, this system/data has been added to the relevant Information Asset Register
All organisations own and use information assets that support their local business needs. A subset of these assets will be personal data in some form and/or the equipment within which personal data is held. The majority of these information assets will underpin service user / patient care processes, human resource processes, activity management or clinical audit, research, or service evaluation but there may be a wide range of other business activities supported by such assets. Whilst all information assets should be protected, the importance of ensuring that this particular subset is held securely is paramount.
Is a simple way to help you understand and manage your organisation's information assets and the risks to them. It is important to know and fully understand what information you hold in order to protect it and be able to exploit its potential.
What is the Information Asset Register risk rating level (this is the score of the highest risk on the Risk Register)?
Please provide a copy of the Risk Register
Data processing
In relation to information or data, means obtaining, recording or holding the information or data, carrying out any operation or a set of operations on the information or data, including - (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.
Data subjects
The information processed regards the following types of entities:
- Employees
- Patients
- Student
- Partner businesses or organisations
- Other
Data Categories
The information processed as part of the implementation or change pertains to the following classes or categories:
- Personal Data (Personal details such as name, address, postcode, date of birth, NHS number, IP address)
- Special Category Data (sensitive)
- Physical or mental health conditions
- Sexual health
- Family, lifestyle and social circumstances (marital status, housing, travel, leisure activities, membership of charities - please delete as appropriate)
- Education and training details (qualifications or certifications, training records - please delete as appropriate)
- Employment details (career history, recruitment and termination details, attendance details, appraisals, other - please delete as appropriate)
- Financial details (income, salary, assets, investments, payments, other - please delete as appropriate)
- Criminal proceedings, outcomes and sentences
- Goods or services (contracts, licenses, agreements etc.)
- Racial or ethnic origins
- Religious or other beliefs of a similar nature
- Political opinions
- Offences including alleged offences
- Trade Union membership
- Other
Data-flow Mapping
The data flow will depend on the implementation carried out by the Client, and may be subject to change on the Client's side without signifying any meaningful change in regard to how we process data.
Most commonly, when implementing the system via API, the data flow will be:
However, it is also possible that the Client develops an interface for users to upload data. This interface can implement privacy by design measures, as explained above, to avoid providing identifying information. In such cases, here's the data flow:
As you can see, regardless of the interface, the essence is always the same: the image is sent by the Cliente to our server. In the server, the API processes the image and returns data to the Client.
New data
This system will not include data which has not previously been collected as part of the system or process or policy.
If yes, have we or the Client amended the existing privacy notice?
Checks for adequacy, relevance and necessity of data
Only the minimum data is held.
In some cases, photo images are retained for medico-legal purposes and technically comprise part of the patient's primary care record. As such, the data needs to be patient-identifiable via reference to an ID number such as the patient ID.
Transfers outside the EEA
There is no transferring of any personal, sensitive or business data to a country outside the European Economic Area (EEA).
Find out more at https://www.gov.uk/eu-eea
Systems and technology
Systems that are involved in delivering the service
We use AWS secure virtual private clouds as repositories for all PID.
Systems Architecture Diagram
Here is a Logical Connection Architecture (Systems Architecture Diagram)
Intrusive technology
The system does not include new technology that might be perceived as intrusive (i.e. the use of biometrics or facial recognition etc.)
Storage of data
Deployment of servers
In what type of servers is the data stored?
- Only cloud servers
- Only local servers
- Both cloud and local servers
Means storing and accessing data and programs over the Internet instead of your computer's hard drive.
If local servers are used:
- Name and location of the servers:
- Physical access controls for data:
If cloud servers are used:
- Name of the cloud provider(s): Amazon Web Services (AWS)
- Data centre location: Paris, France
- Standards met by suppliers: AWS is on the Gov.UK Digital Marketplace.
Formats of data
- Electronic
- Paper
- Verbal
- Other
Data security
Security measures
The AWS Secure Virtual Private Cloud has high levels of physical security and is ISO 27001, 27018 and 9001 certified.
Digital security is such that access to PID is only via secure web-portal and is controlled via a long random password/username combination with Advanced Encryption Standard (AES) encryption:
- Data-in-transit is controlled via username and password combinations (with ~238 bits of entropy) with all data transfer between servers employing strong cryptography (TLS 1.2 with
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). - Data-at-rest is encrypted with AES-256, with each file using a unique key and keys stored encrypted (also using AES-256) via a master key. The master keys are regularly rotated.
Business continuity plans
We have a Business Continuity and Disaster Recovery Policy. Should there be any data loss then this would be recoverable via the cloud based real-time backups.
Data quality
Who provides the information for the asset?
The HCP provides all of this information directly into the system.
Who inputs the data into the system or process?
The HCP inputs this information into the system. In the case of the report generated by the system, it is automatically generated by the system.
How will the information be kept up-to-date and checked for accuracy and completeness?
Data comprises the fully encrypted images and as such contain information about the subjects, typically containing skin lesions. As such, there is no requirement to check data quality or keep it up to date other than regular checking that recordings are being made and stored successfully.
Can an individual (or a court) request a copy, amendments or deletion of data from the system?
Yes.
Data transfer
How will the data be received by the system?
Data in the form of images will be generated by user (HCPs) communicated via web app. The data is saved directly to the AWS Secure Virtual Private Cloud.
Is data transferred onwards to 3rd parties?
3rd parties are entities outside of the scope of the primary service provision. For instance, the data controller or the disclosed sub-processors are not considered 3rd parties. Likewise, authorities who need to access data for regulatory reasons are not considered 3rd parties.
- No, data is not transferred to 3rd parties
- Yes, data is transferred onwards to other entities
If yes, identify to whom data is transferred
Is the data encrypted at rest and in transit?
Yes, using the following Advanced Encryption Standard (AES):
- Data-in-transit is controlled via username and password combinations (with ~238 bits of entropy) with all data transfer between servers employing strong cryptography (TLS 1.2 with
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). - Data-at-rest is encrypted with AES-256, with each file using a unique key and keys stored encrypted (also using AES-256) via a master key. The master keys are regularly rotated.
Is any personal, sensitive or business data being transferred to a country outside the European Economic Area (EEA)?
Find out more at https://www.gov.uk/eu-eea
- No, data is not transferred to a country outside the European Economic Area (EEA)
- Yes, data is transferred onwards to other entities
If yes, provide the name of the country(ies)
Data sharing
Will the data be shared with any other organisation(s)?
- No, PID will not be available to other organisations.
- Yes, data is shared with any other organisation(s)
If yes, please list the names of the organisation.
Yes - PID will be available to (and therefore shared by) the relevant GP practice and hospital specialist team and is therefore shared by them.
How will the data be shared?
The relevant GP practice and hospital specialist team can access relevant PID only via the secure web portal which is subject to individual login and password combination.
What Information Sharing Agreements or Protocols are in place to support the sharing of data? Please provide a copy
HCPs already share PID with Trusts/Hospitals (e.g. telephone discussions with consultants via switchboard; written referrals via letter or eRS) so there is already an acceptance of/agreement to sharing relating to advice and guidance questions between GP practices and Trusts/Hospitals. As such, pre-existing data sharing agreements are considered sufficient.
No PID is accessible to or shared with our staff.
Access to the data
Which organisations will access data within the system?
Depending on how the Client may implement the solution, there are two possibilities:
- No organisations will access the data within the system. The data will only be available to the person who uploads an image.
- Only duly authorised users can access information via the web-portal, by using an individual login and password combination.
In all cases, data is contained in a 'closed system', as defined in 21 CFR 11.
Which people within organisations will use the system?
Only authorised users within relevant organisations will be able to access data.
Do users have unique login and password combinations?
This topic, like many other aspects of this assessment, depends on how the Client may implement the solution. Most commonly, there are two possibilities:
- Due to privacy by design, no login information is required, so as to decrease the identification risk. In this case, please note that data cannot be retrieved once is processed and displayed once, so there is no need for identification.
- Only duly authorised users can access information via the web-portal, by using an individual login and password combination, making it a 'closed system', as defined in 21 CFR 11. For this to work, identification will be needed, as it is the only way to enable signing in.
Are there role-based access controls in place
This topic, like many other aspects of this assessment, depends on how the Client may implement the solution. Most commonly, there are two possibilities:
- No, because there is no need. This is the case when there is no login and no information being kept or be retrieved.
- Yes, There are role-based access controls.
The basic user roles are:
- User: a user has access only to communications that they themselves have initiated
- Admin: a user has statistical access only for their organisation
- PID: a user has access to all communications for their organisation
Allocation of roles, other than the basic user roles above, is subject to appropriate written authorisation (e.g. Project Lead or Caldicott Guardian) from the relevant organisation.
What information governance training have users had?
Users with access to PID are already well-used to dealing with PID and receive regular IG training from their organisations both on a personal and group level.
Can users amend data?
Users cannot amend data.
Is there an audit trail in place for the information asset?
Yes, a detailed and anonymized audit trail exists that tracks which users have accessed records and what changes they have made if any.
How often will the system or policy be audited?
Ad hoc audits will be undertaken should there be any reason for concern regarding data security and confidentiality.
Data breaches
How will any system breaches be identified?
Systems are maintained and monitored to avoid system breaches. However, should one arise there are clear procedures requiring immediate notification to the Data Protection Officer and Information Asset Owner.
How and when will any system breaches be reported to Clients?
We, as providers of the system, are required to notify of any such events via the contract and in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (UK GDPR) and Regulation (EU) 2016/679 (General Data Protection Regulation). In practice this means within 2 working days.
Legal basis for data collection, retention and processing
What is the Common Law basis for holding and processing the data?
Sharing information for direct care is on the basis of implied consent, which may cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectation. This approach is valid for confidentiality purposes (common law duty of confidence), provided the patient is appropriately informed, or the proposed activity is obvious or can be reasonably expected.
What is the UK GDPR basis for holding and processing the data? – Article 6 (Lawfulness of Processing)
Public Task - Necessary for performance of a task carried out in public interest or in exercise of official authority
What is the UK GDPR basis for holding and processing the data? – Article 9 (Processing of Special Categories of Personal Data)
Necessary for provision of health and/or social care, including preventative or occupational medicine. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or by way of contract with a health professional.
Data subject rights
Can the data subject opt-out of their data being processed?
Yes; the Data Subject (e.g. a patient) can request that the User (e.g. a GP) should not seek advice via the service.
If an opt-out option is available, how will this be managed?
If the Data Subject opts-out, then the User (e.g. a GP) will discuss alternatives, including other sources of clinical decision support, with the patient.
How will you tell the data subjects about the use of their data?
As they already do, a GP will explain that their data is stored only for medico-legal reasons and is not shared with any organisation other than the organisations who were party to the clinical advice discussion (e.g. GP practice and hospital team).
Have you assessed the likelihood of the use of the data causing unwarranted distress, harm or damage to data subjects concerned?
Yes; the data is held safely and securely and is only accessible to approved individuals within the organisations who were party to the clinical advice discussion. The data is not shared with any other organisations.
Have you assessed the likelihood of the loss or damage of the data causing unwarranted distress, harm or damage to data subjects concerned?
Yes; relevant risk assessments have been undertaken with appropriate mitigating actions taken.
Could the project result in making decisions and / or taking action against the data subjects in ways that can have a significant impact on them?
No.
Do data subjects have a right to access their data?
Yes; patients will typically forward requests via the Data Controller (e.g. a GP practice) and we will ensure that the Data Controller can access the relevant data in accordance with GDPR.
Do data subjects have a right to erase their data?
Yes; in the cases where that is viable, patients have access to a delete function within the service; they can also forward requests to customer service teams who will arrange for them to be processed according to GDPR.
On-going use of data
Will the system or process interfere with the privacy rights of the data subject under article 8 of the Human Rights Act 1998?
No.
Will the data be used to send direct marketing messages?
No.
If direct marketing messages will be sent, are consent and opt-out procedures in place?
Does not apply because no marketing messages will be sent.
Does the system or process / policy involve changing the standard disclosure of publicly available information in such a way that the data becomes more readily available than before?
No.
What is the data retention period for this data?
Please consult the detailed retention schedule (appendix 3)
The default retention period is 10 years subject to approval from the Data Controller.
Furthermore, data is retained in accordance with NHSx Records Management Code of Practice and Information Commissioners Office guidelines.
How will the data be securely destroyed when it is no longer required?
PID will be permanently destroyed or deidentified upon receipt of written authorisation. Once any data transfer arrangements have been concluded, removal of the mapping from the public name to the object starts immediately, and this would generally be processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the data object. The PID is then permanently deleted/deidentified from/within the system.
Details of the individual completing this form?
The name, role and email of the individual completing this form:
| Details | |
|---|---|
| Name | Taig Mac Carthy |
| Role | COO |
| taig@legit.health |
IT security review
| Details | |
|---|---|
| Name | Gerardo Fernandez |
| Role | CTO |
| gerardo@legit.health |
DPIA outcome
- Approved
- Rejected
Applicable Governance Regimes
Always applicable legislation / guidance
- Regulation (EU) 2016/679 (General Data Protection Regulation)
- Data Protection Act 2018
- General Data Protection Regulations (UK GDPR)
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Records Management Code of Practice for Health and Social Care 2016
- Computer Misuse Act 1990
Possible applicable legislation / guidance
- Human Rights Act 1998
- Code of practice on confidential information
- Regulation of Investigatory Powers Act 2000
- ISO 27001 Information Security Management
- Privacy and Electronic Communications Regulations 2016
- Children's Act 2006
Record signature meaning
- Author: JD-003 Author name
- Approval: JD-001 Approver name
Template signature meaning
Delete this section when you create a new record from this template.
- Author: JD-003 Taig Mac Carthy
- Approval: JD-001 Ms. Andy Aguilar