
Data Protection Impact Assessment Form V5.6 Released: 19/08/2019

Page 1 of 16

Data Protection Impact Assessment

1) Basic Information about New / Change of System / Project

Completed by – Title(s):

Sara Moss – HR Hub Manager
Graham Swindon – Director of Giltbyte
Jade Goodwin – Information Governance Officer
Kathy Collins – Information Governance Officer
Tina Hewson – ELFS

Description of subject of assessment:

Giltbyte Easy Expenses is a replacement expenses management system. For travel expenses the system collates the mileage between the work base or home postcode and the alternative place of work. The employee signs on using their assignment number, password and memorable word; the system then matches the assignment number to the employee and retrieves the employee’s home postcode and current base details from ESR to calculate the mileage used and the expenses claimed. In addition, it allows the employee to upload their driving licence, vehicle MOT certificate or V5 form, and insurance certificate.

Asset / System Name: Giltbyte Easy Expenses

Executive Sponsor – Title: Lisa Ward – Interim Director of OD

Project Manager – Title:

Sarah Moss – HR Hub Manager


2) Key Questions

Information Asset Owner – Title: Vicky Camfield, Head of HR – Corporate Services

Information Asset Administrator - Title:

ELFS Payroll Services

Due Diligence: Z2585430

Date DPIA Form Completed 5/6/2019

Question Response Comment

2.1 Will the system / process / change (now referred to as ‘asset’) involve the use of personal identifiable data or confidential data?

Yes. Employee name within ESR. This can be seen in document NHS0105, 6.5: PERSON RECORD. Only person records with a status of “Employee” or “Applicant” will be selected. A Person record is uniquely identified by the combination of Person ID, Effective Start Date and Effective End Date. The records will be presented as date-tracked records in ascending order of Person ID, Effective Start Date and Effective End Date.

2.2 State the purpose for the processing of the data.

Processing travel and subsistence claims for payments to employees, and uploading the driving licence, MOT certificate or V5, and insurance certificate.

2.3 Does the asset involve new privacy invasive technology (including but not limited to biometrics, facial recognition, decision making algorithms)?

No

App downloaded and the user registers, then they have to verify through the desktop version. The user is permanently logged on through the app once they have verified on the desktop version.

2.4 Does the asset involve collecting new personal data not previously collected?

Yes If Yes – give details

Driving licence, MOT cert or V5 and Insurance certificate

2.5 Does the asset involve contacting individuals in ways they may feel are unnecessarily intrusive?

No

The User can opt out of notifications

2.6 Does the asset involve using existing information in a different way?

Yes If Yes – give details

Uploading the driving licence, insurance certificate, MOT or V5 to the system now supports the Trust’s duty of care as an employer, as part of the agenda to change under the Corporate Manslaughter Act.

2.7 Please select personal data items that will be collected:

☒ Personal details (e.g. name, address, contact details, age, gender, race, physical description, NHS no., NI no.)

Name, address, postcode, ESR assignment number, DOB, driving licence number, National Insurance number

☐ Family circumstances (i.e. marital status, housing, travel, leisure activities, membership of charities)

☐ Education and training details (i.e. qualifications, skills database, training records)

☒ Employment details (i.e. career history, recruitment and termination details, attendance records, appraisals, health and safety records, security records)

Leavers date

☒ Financial details (i.e. income, salary, investments)

P11D value of the vehicle & CO2 emissions cost for the purposes of supply to the HMRC regulation 5

☐ Goods or services provided (i.e. details of services provided, licences issued, contracts, agreements)

☐ Racial or ethnic origin

☐ Political opinions

☐ Religious & other beliefs

☐ Trade Union member

☐ Physical or mental health condition

☐ Sexual life

☐ Offences (including alleged)

☐ Criminal proceedings

2.8 What steps have been taken to ensure that the collection of confidential and / or sensitive data is relevant and necessary?

Please provide details in comment section.

The Giltbyte EASY Expenses system is available as part of the national ESR contract, and all aspects of the system’s interface with ESR have been managed by the NHS Central Team in partnership with IBM and the supplier. Only the minimum data required for the fair and accurate processing of travel claims is interfaced between ESR and the Giltbyte EASY Expenses system.

2.8a Will this processing actually help to achieve the stated purpose?

Yes Please provide details in comment section.

The system will enable accurate payment of appropriate travel expenses incurred by staff and ensure duty of care.

2.8b Is the processing proportionate to that purpose?

Yes Please provide details in comment section.

The system interfaces with staff records and only transfers the required data to enable accurate travel expenses to be paid

2.8c Can the same purpose be achieved without the processing?

Yes Please provide details in comment section.

Yes. However, this would be a paper-based process, which carries inherently greater data protection risks.

2.8d Can the same purpose be achieved by processing less data, or by processing the data in another more obvious or less intrusive way?

No Please provide details in comment section.

Only minimum data is used to achieve accurate travel payments

2.9 Will the information collected be passed onto other parties who have not previously received it?

Yes – give details: Yes, as Giltbyte is a new supplier to NWAS

2.10 Are new or changed data collection policies involved that may be intrusive or unclear?

No If Yes – give details

Uploading of Driving licence, MOT and V5 to the system.

2.11 Is the asset supplied by a 3rd party?

If Yes, are they registered with the Information Commissioner?

Yes Yes If Yes – give their DPA Notification Number:

Z2585430

2.11a

Does the 3rd party contract contain the required Information Governance clauses including Data Protection and Freedom of Information?

Yes If Yes – give details in comments section:

This is a National contract with relevant data protection clauses in place. IG Toolkit Assessment - Giltbyte Limited 8J002 Standards Met 30/03/2019

2.12 Does the asset comply with Privacy and Electronic Regulations 2003?

Yes. This is not applicable to the system.

2.13 Who provides information for the asset?

Give details in comments section:

Via the ESR Interface with NWAS VPD 242 managed by IBM

2.14 What is the legal basis for processing of personal or sensitive data? (Data protection legislation)

Give details in comments section: Where consent is the legal basis give details of how the consent will be obtained and recorded.

Article 6(1)(a) consent using the employment contract for new starters and for existing staff on set up on expenses. Article 9(2)(a) consent


2.15 Have individuals given consent to data processing and disclosures, where required? (Common Law Duty of Confidentiality)

☒ Yes (explicit) Give details of how the consent has been obtained and recorded.

☒ Yes (implicit) Give details of how this processing meets the “reasonable expectations” of a data subject

☐ No

If No – give details in comments section of those specifically withdrawn:

Both explicit and implicit, as below: ESR 2 New Appointment [Employee] Form. Employees expect, and have an employment right, to be paid accurately in accordance with their terms and conditions of employment, including for expenses incurred in relation to official duties associated with their employment contract.

2.16 If data is to be processed without consent, where is this recorded?

☐ Information Asset Register

☐ Data Flow

☐ Caldicott Approval

☐ Other – give details

ESR 2 form obtains employee authorisation

2.17 How will the accuracy and completeness of information in the asset be maintained?

Give details in comments section:

MIAA audit requirements and manager responsibility to ensure accurate information is approved for payment of travel claims and all driver documents are up to date within the system.

Employees are able to update their personal information directly using MYESR

Data entry of expiration dates of MOT, driving Licence and insurance documentation and notifications sent from the system.


2.18 Who will have access to information in the asset, and what security measures will be in place?

Give details in comments section. Include details of audit trail facilities to be included:

The User Organisation’s System Administrator. Access profiles can be found in EASY System Information Governance Questions: 6.2 Access Profiles, which covers user, management and HR/Payroll functionality, and 10.3.3 Access Controls, which gives details on Accounts Review and Audit. Accounts are reviewed every 90 days; explicit re-approval is required or access to the resource is automatically revoked. Access is also automatically revoked when an employee’s record is terminated in Human Resources.

2.19 Can the data subject request access to their data

Yes If Yes – give details on this process in the comments section:

Claimants have their own account in EASY and MyESR

The user can also access their data by submitting a Subject Access Request by following NWAS policies and Procedures.

2.20 Can the data subject request that their data is rectified or forgotten?

Yes If Yes – give details on the process to be followed, and how it is to be communicated, in the comments section :

By email request to the ELFS helpline (EASY system administrator); this would be processed via the Trust Individual Rights Administrator.

This will be in line with the General Data Protection Regulation (2016/679 EU) (GDPR) and Employment Rights Act 1997

2.21 Does the asset involve changing the medium by which publicly available information is distributed?

No If Yes – give details in the comments section.

Not applicable. Information is not available publicly.

2.22 Where will information in the asset be stored?

Give details in the comments section:

All information is imported into the Easy database. Data centres are located in London; Dublin is a secondary location for resilience.

2.23 How will the information in the asset be accessed?

Give details in the comments section:

EASY System information governance Question 6, System Access: the user will access the system with a secure password which includes mixed-case alphabetic, numeric and special characters. The system locks the account out after XXX failed attempts. Users are also required to create a security word that is used as an electronic signature when staff submit claims for reimbursement or authorise payment. The user and organisations’ systems will access the system securely. Administrative profiles will be set up.

2.24 What is the data retention period for data in the asset?

Give details in the comments section:

NHS Record Management Code of Practice 2016

2.25 How will data in the asset be destroyed at the end of the retention period?

Give details in the comments section:

The data will be supplied to NWAS and then purged in the system. All data will be held until NWAS has confirmed the files provided can be accessed and are verified as being correct. Database servers back up automatically, which allows a point-in-time restore of the database to any point within 35 days. All backups are to be supplied to NWAS and this is the only way the data can be restored. No data will then be held within EASY.

2.26 Does the asset involve sending information off site?

Yes. If Yes – give details of where it is being sent in the comments section. If Yes – give details of the method of transport to be used. If Yes – will any personal or sensitive data be transferred outside the European Economic Area? Give details of what data will be sent, and where:

Amazon Web Services (AWS) server. See EASY System information governance Questions: Network Servers 10.2 and Physical 10.3.1. The resilience server is located in Dublin. After Brexit, data will be sent to the EU rather than remaining in the UK.

2.27 Is the intention for the data controller to seek the views of data subjects (or their representatives) related to the purpose and means of the processing operation?

No If Yes – give details in the comments section on the method of gathering these views. Give details of the views received back from the data subject. Give details of the final decision to go ahead with the proposed change, or not, based upon the views received from the data subjects. If No – give reasons in the comments section of the justification for not seeking the views of the data subjects.

3) Cloud Service Considerations

This section requires completing if a ‘Cloud’ based solution is involved.

Question Response Comment

3.1 Why is a cloud based solution being considered over an in-house solution?

Give details in comments section:

EASY expenses is offered at no cost to the trust as part of the national ESR contract

3.2 What type of data will be hosted in the cloud?

Give details in comments section:

Personal Information, Special Categories data

3.3 Will the cloud service be hosted on the N3 network?

Give details in comments section:

Yes, AWS is used

3.4 What measures have been put in place in the event of the service provider ceasing to operate?

Give details in comments section:

EASY System information governance Questions; 8. System Protection. 8.1 Business continuity plans are in place to ensure continuity of customer services, including the hosted platforms and business services. The service desk is managed from more than one location, so there is an automatic switch over should there be any communications problems in a location. In the event of a problem with the hosted platform, we can switch over to a new server in another data centre within a matter of hours. The business continuity plans are exercised at least annually.

8.2 Disaster recovery arrangements are in place to recover all components of the hosted service, including switch over to a backup data centre. In the event of a server failure, our recovery procedures mean that a new server with all relevant files restored can be back on line within 4 hours. The disaster recovery plan is exercised at least bi-annually.

Advised that there was no back-up plan for the service provider ceasing to operate, as this is a national system funded through ESR, NHSD.

3.5 Has an assessment of the cloud service providers financial position and solvency been performed?

Give details in comments section:

Not by NWAS. This is part of the national ESR contract overseen by the NHS Central Team

3.6 What measures have been put in place to repatriate data from the asset in the cloud service back to the Trust, at the end of the service contract?

Give details in comments section, including any additional infrastructure requirements and associated costs to the Trust:

The data will be purged in the system and supplied to NWAS. All data will be held until NWAS has confirmed the files provided can be accessed and are verified as being correct. Database servers back up automatically, which allows a point-in-time restore of the database to any point within 35 days. All backups are to be supplied to NWAS and this is the only way the data can be restored. No data will then be held within EASY.

3.7 Has the legal team been consulted regarding the legal ownership of any data that is uploaded to the asset in the cloud service?

Give details in comments section:

Not by NWAS. This is part of the national ESR contract overseen by the NHS Central Team

3.8 What security measures are in place for the asset in the cloud service, including protection from cyber security attacks, control of user access to the data, secure transfer of data between the cloud service provider and the Trust?

Give details in comments section:

AWS data centre security is used and preferred by the NHS. EASY System information governance Questions; 10.3 Security

AWS data centre security is state of the art and has been approved and audited by many major and respected bodies. Of particular note are:

UK government G-Cloud framework https://www.digitalmarketplace.service.gov.uk/g-cloud/framework https://blogs.aws.amazon.com/security/post/Tx31CWNXWOP2J09/Using-AWS-in-the-Context-of-CESG-UK-s-Cloud-Security-Principles

EU Data Protection Directive https://aws.amazon.com/compliance/eu-data-protection/

ISO 27017 certification https://aws.amazon.com/compliance/iso-27017-faqs/

ISO 27018 certification https://aws.amazon.com/compliance/iso-27018-faqs/

Detailed information about security procedures at AWS can be found in their security white paper: http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf


Data Flow

This section describes the data owners and processors, and the flow of data between them.

Please refer to the attached document; EASY System information governance Questions, Pg 6, section 4.4

[Data flow diagram. Components shown: ESR; EASY Virtual Private Cloud (Webserver, DB Server); SFTP Bridge. Actors shown: Employee, Manager, HR/Payroll, System Admin. Protocols labelled: TLS, HTTPS, SFTP.]


4) Risk Management

An essential element of the DPIA process is the assessment of risks, and identification of actions that will mitigate the risk from occurring, or make the situation acceptable if the risk materialised. Record any new risks identified from performing the DPIA here.

Columns: Datix ID; Description; Consequence on the data subject of the risk occurring (1-5); Likelihood of the risk occurring (1-5); Score; Is the risk Accepted or Mitigated – give details; Consequence following mitigation (1-5); Likelihood following mitigation (1-5); Score.

**Example** There is a risk to the privacy of staff if they are not informed of the capability and capacity in which monitoring of system access will be used. Mitigation – inform staff of types of monitoring and uses of monitoring information. Document this in a SLSP and update staff facing privacy notice if required.

Confidentiality risk

Integrity risk

Availability risk

1. There is a risk of being unable to access any information if the company goes into insolvency. Consequence / Likelihood / Score: 1 / 1 / 2. Accepted or Mitigated – details: This is hosted by a National NHS contract, therefore the risk is low; if the company went into insolvency this would affect a lot of NHS organisations.

2. There is a risk that after Brexit the resilience Data Centre is held in Ireland, transferring data outside of the UK. Consequence / Likelihood / Score: 1 / 5 / 5. Accepted or Mitigated – details: The data centre is a resilience data centre; this will only be used as a back up.

5) References

List any policies, procedures, guidance or legislation referred to within the DPIA here.

NHS0105, 6.5
EASY System Information Governance Questions
General Data Protection Regulation (2016/679 EU) (GDPR)
Employment Act


6) Record of Approval

Document Status:

DPIA Status: Approved

Comments:

Information Governance Approval:

Name: Joanne Moran

Title: IG Manager

Signature: Joanne Moran

Date: 19/08/19