Data Privacy Impact Assessment

Dunmail -

Black Pear recognises the importance of ensuring that personal information is dealt with legally, securely, efficiently and effectively, in order to allow users of our services to deliver the best possible care and to meet the Company’s legal and good practice responsibilities.

Black Pear provides software services processing personal data. These data include sensitive data or data of a highly personal nature and data concerning vulnerable data subjects. These services have been in production use since 2014; this DPIA is a review of pre-GDPR processing.

Governance

An Information Governance Board convened by the executive is responsible for management of information governance within the organisation. This board oversees a compliance strategy including annual Information Governance training for all staff, Information Governance restrictions in staff and client contracts and regular monitoring of technical and organisational measures designed to maintain integrity and confidentiality of data. Black Pear is registered with the ICO (ZA215442), NHS Information Governance Toolkit Level 2 compliant (8HV05) and will be NHS Data Security and Protection Toolkit compliant by 31st March 2019. In addition, Black Pear NHS Services are independently assessed via Cyber Essentials (IASME-A-05646) and subject to penetration testing and vulnerability assessment at least once a year. The Information Governance Board can be contacted via security@blackpear.com.

Black Pear process data for the purpose of sharing information used by health and social care providers to provide direct patient care. Black Pear process data only on the instruction of the data controller or with appropriate legal authority as defined in the Black Pear Information Security Policy.

eSP
Purpose

The eSP product is used by Health & Social Care Organisations to record sensitive personal data about data subjects including demographic data, medical history and care preferences.

Data flow

Organisations use eSP to record and view sensitive personal data about data subjects. Where eSP is used in conjunction with an EHR (Electronic Health Record), eSP may also be use to view and record sensitive personal data within the EHR. Organisations using eSP may configure sharing of sensitive personal data with third parties by providing written instruction including a subscription request (e.g. for email, rest-hook) or an additional data processing instruction within the data.

eSP_Client_Data_flows.png

Data controls

Black Pear processes eSP data within the UK only. 

All contracts under which the eSP service operates have been reviewed to ensure that obligations under GDPR are met. Where necessary, clients will be moved to an updated contract by 31st March 2019.

The eSP service is designed to be secure and robust, meeting NHS guidelines and best practices. Further documentation is available to describe:

 

Data retention
eSP data are retained in accordance with [NHS Records Management Code of Practice for Health and Social Care 2016](https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016)

eRA
Purpose

The eRA product is used by Health & Social Care Organisations providing patient appointments on behalf of third party organisations. For example, an ambulance service may book a patient into an appointment at an urgent care centre.

Health & Social Care Organisations use eRA in the role of Hub to offer patient appointments for booking by third party organisations.

Health & Social Care Organisations use eRA in the role of Client to book patient appointments with third party organisations.

Data flow

eRA Hub

Organisations using eRA in the role of Hub receive sensitive personal data about data subjects from third parties and may share sensitive personal data with third parties who have booked appointments for the data subject.

eRA_Hub_Data_flows.png

 

eRA Client

Organisations using eRA in the role of Clinet share sensitive personal data about data subjects with third parties and may receive sensitive personal data from third parties providing appointments for the data subject.

eRA_Client_Data_flows.png

Data controls

Black Pear processes eRA data within the UK only. 

All contracts under which the eRA product operates have been reviewed to ensure that obligations under GDPR are met. Where necessary, clients will be moved to an updated contract by 31st March 2019.

The eRA product is designed to be secure and robust, meeting NHS guidelines and best practices as described above for eSP.

 

Data retention
eRA data are only retained in the eRA cache for as long as necessary for the transaction to be completed, being deleted within 48 hours of the appointment being completed and (where configured) outcomes returned to the booker.

pyrusConnect
Purpose

The pyrusConnect product is used by Health & Social Care Organisations to share patient data with third party organisations.

 

Data flow

Organisations using pyrusConnect share sensitive personal data about data subjects with third parties and may receive sensitive personal data from third parties providing direct care for the data subject.

pyrusConnect_Data_flows.png

Data controls

Black Pear processes pyrusConnect data within the UK only. 

All contracts under which the pyrusConnect product operates have been reviewed to ensure that obligations under GDPR are met. Where necessary, clients will be moved to an updated contract by 31st March 2019.

The pyrusConnect product is designed to be secure and robust, meeting NHS guidelines and best practices as described above for eSP.

Data retention
No data are retained in pyrusConnect.

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk