| Date | Organisation | Programme | Programme Lead Last Name | Parties | Programme Notes | DPO Comments | Status |
|---|---|---|---|---|---|---|---|
| 10/10/2024 | Health Innovation KSS | DHSC Women and AI booklet | Devine | DHSC HIKSS AI Fellow Participants (data subjects acting on behalf of their companies - although some may be researchers) | The HIN have been engaged by DHSC to help produce a booklet on developments utilising AI to support Women's Health. To achieve this DHSC will conduct a data collection process, through a survey, which will then be passed to HIKSS to reviews responses and put together the booklet. The DHSC DPO office has been engaged and provided some guidance regarding consent steps, HIKSS are considering asking for some slight changes to enable further contact where the HIN feels it can support the innovators. The review process will include a panel, including an AI fellow, who works as a GP. We are asking whether a formal agreement is needed before providing access to any data. There is also no formal contract that I am aware of, subject are aware of data being passed to HIKSS in the consent step, but there's nothing to cover the exchange of results between DHSC and KSS. | I would advise against totally relying on a DPO being happy (even me!). Of course if you are acting as a processor you need a contract/DP Agreement and the consent needs to reach the standard of informed consent. Tick boxes alone could be inadequate i.e. they may need supplementing with a detailed explanation, guidance and perhaps a means of asking questions for clarification. | Assessed |
| 30/07/2024 | Unity Insights | Real Birth Company - SBRI | Williams | Epsom and St Helier Uni Hospitals Trust Real Birth Company | Real world evaluation of implementation of maternity information and training system at Epsom and St Helier. Pseudonymised patient-level data including age band, ethnicity and post code sector, plus clinician surveys / interviews. | 1. As a processor for RBC I agree that you will need a DPA or suitable contract with them. 2. The Trust would need informed consent from its patients to share any identifiable or re-identifiable personal (outcome) data. 3. If there is any such data sharing, the DSA, baed on the patient consent, should be between the Trust and RBC and not with UI (regardless of the supply route) as UI would only be processing it whilst acting as a processor for RBC and not in its own right. | Assessed |
| 02/07/2024 | Unity Insights | Lifebox | Quentin | Sherwood forest hospitals NHS foundation trust (Kings Mill and Newark hospitals) Definition Health (LifeBox provider) | Definition LifeBox is a digital pre-operative assessment tool which supports patient assessment, hospital decision-making and personalised patient care. We are undertaking a quant and health economic evaluation covering its use in Royal Sherwood hospitals. Commissioned by Definition Health, who own/provide LifeBox). | The fact that you are processing pseudonymous data means that you are processing personal data even though you can't identify whose data it is. This is not however a problem assuming that you have contracts/DPAs with the controllers and represents a good minimisation and data security approach. Assuming you have satisfactory contracts and DPAs with the processors this appears to be a standard UI processing operation. | Assessed |
| 18/06/2024 | Unity Insights | Anya | Round | Anya (LatchAid Ltd) Manchester Community Health Team Wigan Community Health Team | Anya is a breastfeeding support app designed to provide support for new parents, we are undertaking an evaluation following its introduction through a couple of community health teams (CHTs) in the North West. Anonymous and aggregated data is expected primarily, including some demographic data. A few interviews will be held with the community team leads. | Seems routine and straightforward. | Assessed |
| 22/04/2024 | Unity Insights | O2matic | Sutton | O2matic Medway Community Healthcare CIC HIKSS (work is being done as part of our service contract with them) | O2matic produce an automated system to adjust the oxygen flow, being trialled for COPD and respiratory patients, based on oximetry readings and other clinical markers, reducing time and reliance upon clinical staff to recognise and react to changes in patient condition and enhancing the support for patients undertaking Pulmonary Rehab. We are providing quant analysis in support of the trial/pilot (not a full clinical trial) into the product's deployment. | Assessed | |
| 05/04/2024 | Unity Insights | Powerful Medical (PMCardio) | Briant | Powerful Medical Pilot Sites (primary care - GPs across multiple PCNs within a single ICB, exact number/who TBC, 40 interested). NHS Northamptonshire ICB Eastern HIN - providing project management support (funded by Arden and GEM CSU) | The project is a result of a funding award from NIHR I4I FAST, applied for by UI as the sole applicant. Collaboration agreement in place with PM covering delivery of the project. This project will explore the feasibility of the wider adoption of PMCardio by the NHS by conducting a real-world validation study evaluating the implementation of the PMCardio in a primary care setting. The aim of the evaluation is to measure and compare the outcomes and benefits of implementing the technology within select sites. A mixed methods approach is recommended to analyse quantitative, qualitative, and health economic outcomes to generate evidence against the key evaluation questions. | Assessed | |
| 26/11/2021 | Unity Insights | Health Inequality - Reducing Restrictive Practice (SABP) | Briant | Surrey and Borders Partnership NHS Foundation Trust (SABP), KSS AHSN & UI, Mental Health Units within SABP area | Data gathering to support the build of a dashboard and eventual evaluation report into the Patient Safety Collaborative's Reducing Restrictive Practice care package in Mental Health settings, with a particular view on how it affects health inequalities across this sector. Data collection will be regional, while the care package (and efforts to reduce restrictive practice) is part of a national mandate. | See notes re Public Task vs Legitimate Interest. I think the DPIA also recognises this on Page 19 - Applications of Data Rights. A (voluntary) DPIA was undertaken by SABP as controller. Latest version is 2.1, 10/2019. This stated that the records would be anonymised, but there seems some doubt whether it would be just pseudonymised. They also state correctly that a DPA could be required if the data turns out to be personal (inc. pseudonymised). We would then need to be clear if that DPA would be with KSS AHSN, UI or both (This is the Other Action ticked, but depends on resolution of the anonymisation vs pseudonymisation issue which the meeting of 18/02/2022 may have resolved). | Assessed |
| 20/09/2023 | Unity Insights | Vinehealth | Quentin | VineHealth Ltd University of Surrey KSS AHSN - co-funding the work Sites deployed at: Hywel Dda Royal Surrey County Hospital Barking, Havering & Redbridge Yeovil District Hospital Clatterbridge Cancer Centre Royal United Hospitals Bath Maidstone & Tunbridge Wells Wrightington, Wigan & Leigh East Suffolk and North Essex | Vinehealth (VH) is a mobile platform that encourages people living with cancer to self-manage by allowing them to monitor their symptoms, manage their medication and understand their care plan and progress along with their care team and loved ones. The app has been deployed across nine NHS sites to inform an RCT, being conducted by University of Surrey (UoS). Alongside the RCT, Unity have been commissioned to provide health economic analyses of the platform, in the form of a budget impact model and cost-utility analysis. | This appears to be a fairly standard processing activity covered by UI's contract with VH that I assume has or will be vetted. If and when data sharing agreements appear please pass them to me for an assessment, remembering that by entering into them you may be agreeing that you are a (joint) controller of personal data. It isn't clear to me at this stage that this would be the case. Just because a data feed comes from UoS doesn't necessarily mean that it couldn't be covered by their agreement with VH and the your processing contract with them. 23/02/2024 Following discussion re a potential DPA with UoS, UoS were asked to clarify their role and replied with a 'Joint Controller' Agreement between themselves and Vinehealth. | Assessed |
| 12/10/2023 | Unity Insights | Florence | Long | Foundry Healthcare Lewes PCN - Geraldine Hoban (Project director) West Hove PCN Sussex Health and Care Partnership - Mark Watson, Lisa Douglas Generated Health - innovator HIKSS (KSS AHSN) - funding the work, Athina Lockyer is the PM. | Florence is an AI-driven support application for patients with hypertension, designed to manage symptoms and support condition self-management. It is being implemented at two KSS PCNs for the evaluation, with two other PCNs planned. The evaluation is covering qual, quant and health economic analyses and will utilise pseudonymous patient data for the latter two, and the qual currently consists of an anonymous staff survey, but could extend to interviews (with consent) if time allows. | This looks like straightforward data processing. You don't mention a contract, but I assume there will be a suitable one. | Assessed |
| 12/10/2023 | Unity Insights | BSW Integrated Care Record | Quentin | BSW ICB Graphnet - provider of the platform The other programme partners include: BSW GP practices Royal United Hospital Bath Great Western Hospital Swindon Salisbury FT Hospital HCRG BaNES Community Services Wiltshire Health and Care Community Services Swindon Community Services Medvivo Wiltshire Local Authority Swindon Local Authority B&NES Local Authority BSW Hospice partners | Quant and qual analysis to develop a statement of planned benefits for the deployment of ICRs in the region, defining potential impacts and benefits streams, but not to the point of a formal health econ analysis. The ICR programme is an online data sharing platform for clinicians and healthcare professionals to submit patient notes and medical information, so other health and care organisations can access the information securely, through a single point of access, supporting data transfer between organisations. "The ICR uses the Graphnet Carecentric platform to share and contribute information from partners across the BSW system. The Carecentric ecosystem includes features for; direct care, population health management, care plans and person held records. All of these are in use within BSW to a greater and lesser degree." | Assessed | |
| 14/11/2023 | Unity Insights | MyCOPD SBRI : Propel Study | Aldridge | BNSSG ICB Cornwall ICB My M Health North Bristol Trust University Hospital Bristol and Weston Trust Cornwall Partnership NHS Foundation Trust West of England Academic Health Science Network - project support University of Southampton - undertaking qualitative evaluation | See also the protocol, uploaded. A long-term study into the benefits and impact of MyCOPD across two settings, within the acute setting in Bristol, and the Community (rehab delivery) within Cornwall. We are looking to gather data through the project itself (consented, the company is doing this and we will receive pseudonymous outputs), along with extracts from the healthcare organisations involved. | The very through DPIA seems to cover the situation well. | Assessed |
| 16/11/2023 | Unity Insights | Phyllis Tuckwell MND CNS Role Evaluation | Shaw | Phyllis Tuckwell memorial hospice Ltd - Charity delivering the service to the Sub-ICB (ex CCG, now part of Surrey Heartlands ICS). | Implementation of a clinical nurse specialist role focusing on Motor Neurone Disease support within Guildford and Waverley area to provide central coordination for patient care, facilitate pathway development , provide a link between local services and specialist care centres. Mixed methods evaluation work including some quant, but mainly qualitative info, including testimonials from staff. | As a processor there is no legal issue in receiving names (personal data) as described. However it is best to adopt the minimisation of personal data processing as planned as this is best practice and ob=ne of the guiding principles of the GDPR. | Assessed |
| 29/11/2023 | Health Innovation KSS | KSS InHIP Programme | Myers | Kent ICS Sussex HCP Surrey HCP KSS AHSN - have commissioned Unity Insights for the evaluation Alliance for Better Care - GP Provider in Surrey Other local GPs and service providers | NHS England’s Innovation for Healthcare Inequalities Programme (InHIP) is a unique collaboration between the Accelerated Access Collaborative (AAC), NHS England’s National Healthcare Inequalities Improvement Programme and the Academic Health Science Network (AHSN Network), and delivered in partnership with Integrated Care Systems (ICSs). InHIP projects aim to address local healthcare inequalities experienced by deprived and other under-served populations, by working with local communities to improve access to the latest health technologies and medicines. All three ICS have proposals funded to reach out to communities at risk of high cholesterol to improve lipid management treatment rates in areas where services typically struggle to engage. | Noted that UI is a processor and along with pseudonymisation the project bears little risk. | Assessed |
| 14/12/2023 | Unity Insights | Stay Alive | Bannister | Unity Insights, Grassroots Suicide Prevention and possibly others. | From an initial email sent by Annie Miller: Annie Miller, Sage Bannister, and Marie-Anne Demestihas are currently working on a project called Stay Alive, which aims to investigate the effectiveness of a suicide prevention app. To analyse this, they have created a fully anonymous survey to understand app users’ opinions. They would like to include the following: Demographic information including, age (in 10-year age brackets), gender identity, if their gender identity matches their assigned sex at birth, and county of residence. All the demographic questions have a “prefer not to say” answer option. A number for a suicide helpline, as the survey content may be distressing. Wondering if this is appropriate to use as it is an external resource, and if there are any legal implications from including this? We were wondering if you could help us with the data protection aspects of this; is it okay to ask these demographic questions and include contact information for a suicide helpline? I have attached the evaluation framework with the survey questions, the evaluation plan, and the link to the survey if needed for context. Stay Alive 2023 Survey (surveymonkey.com) | My initial thoughts are based on limited knowledge e.g I do not have a list of the parties involved. From reading the proposed survey questions however it appears that participants could not be directly identified from the responses and therefore the survey responses do not constitute personal data. Care would need to be taken in relation to the technical aspects of the survey to prevent linkage to the user via data held by Grassroots although on the face of it this should be impossible unless perhaps a sparce distribution of app users by county could pinpoint an individual. I am not yet clear what data sharing agreements are envisaged and why they would be required. This may need clarification, but only if actual personal data is involved. Notwithstanding the fact that there appears to be no personal data involved and assuming that UI is to be a 'processor'of the data, it would be prudent to ensure that the agreement between UI and Grassroots (or any other relevant party involved) included the standard processor clauses. | Assessed |
| 18/01/2024 | Unity Insights | Rapid Health | Maddock | Rapid Health GP - The Groves Medical Centre, New Malden | Quantitative and Qualitative evaluation of Rapid Health's GP booking solution, providing GP's and patients with digital appointment booking and management tools. | If the linking concern was raised in relation to data coming from both the GP and the supplier: 1. There should be no issue where personal data from the supplier is data it holds as a processor on behalf of the GP practice as you will have a DPA. 2. If/where the supplier is acting as a controller, you would need to act as a processor for the supplier wand raise another DPA. This assumes that you have no need to act as a controller of that data yourselves, in which case it would instead be a form of data sharing. | Assessed |
| 29/01/2024 | Unity Insights | Surrey Primary Care Immunisation Strategy Phase 2 | Moran | Surrey Heartlands ICB Alliance for Better Care (GP alliance) | Building on from Surrey Immunisation Phase 1. Primarily qualitative evaluation of the deployment strategy. Survey responses provided anonymous in support of evaluation. Age, gender, ethnicity, location and surgery location provided. | This seems a relatively seems straightforward programme given the nature of the data. There is very little danger of re-identification by UI from the dataset it will receive. With GP knowledge of their patients and appointment details, some respondents might be re-identifiable by them. A small thing, but the form asks for postcode data down to 'sector' level (the outward part plus the first digit of the incoming code) and 'asks' the completer not to enter a full postcode. However, does it actually prevent that as a respondent might ignore the request? Postcode formats are a bit tricky to validate. Full validation can be done using RegEx expressions if the form software allows them, but a simple way would be to split the data collection into two separate parts 1. The variable length (2 - 4 characters) outward part e.g. SW1A, BN12, TA2, N1 and 2. The first digit of the inward code. Just a thought. | Assessed |
| 28/01/2025 | Unity Insights | Clera Evaluation | Quentin | Health Innovation West of England (HI WoE, or the "HIN") North Bristol NHS Trust (NBT, the hospital) Serra Health (Clera Healthcare) | Evaluation delivery to HI West of England of Clera healthcare This project will pilot an online communication platform (Clera) in the infectious disease unit in NBT to improve communication with patients and families. Specifically, Clera will enable SMS communication with both patients and multiple family members via an accessible online platform. Patients and families will be updated with details of their care plan for the duration of their stay. The evaluation is going to be mixed-methods evaluation, no health econ. Data use is expected to be: Quantitative - Clera usage data, data from the site on number of contacts per patient/day. All anonymised data. Qualitative - survey with patients and families, focus group (potentially), staff questionnaire. All anonymised data. Although this all relates to expected anonymisation, this is only due to the data flow ensuring that data is anonymised on site before being sent to us. Due to risks in this process we are undertaking the full DPIA threshold test to make sure the DPO is informed. | Assessed | |
| 28/01/2025 | Unity Insights | Luscii SBRI | Long | Maidstone and Tunbridge Wells NHS Trust Luscii HIKSS | This is an SBRI-funded project evaluating the benefits of the Luscii Virtual Ward solution upon a patients across a range of clinical pathways within Maidstone and Tunbridge Wells NHS Trust. There will be qual and quant dimensions, feeding into a health economic analysis. | This looks fairly standard and I see no particular issues. It may be a useful example for checking pseudonymisation as discussed. There is no need for UI to have access to consent details. | Assessed |
| 22/04/2025 | Unity Insights | DemDX | Briant | DemDX Thanet Health CIC Deployment sites: One Urgent Treatment Centre (Run by the CIC) Home Visiting Service (CIC service) Two GP sites (The Minster, The Grange) | DemDx’s intelligent Clinical Assessment Platform (iCAP) is an AI-enabled clinical reasoning platform that supports staff in their clinical assessment to assess and triage patients. The platform can also be used to order tests and make onward management decisions for the patient. iCAP can be used in UTCs, GP practices, and during home visits and is available as a stand-alone platform or can be integrated into existing workflows, such as with EMIS. iCAP is designed to optimise GP practices by empowering nurses and AHPs to take on greater clinical responsibility, freeing up GP time for more complex cases and improving patient access to care. The platform enhances the efficiency of multi-disciplinary teams across various settings, allowing AHPs to manage a broader range of conditions independently. By integrating local protocols and referral pathways, iCAP ensures consistent, high-quality clinical assessments, reducing inappropriate referrals and hospital admissions. Mixed methods evaluation including health econ, quant, qual and environmental analyses. | This looks straightforward, with a limited data set and standard agreement. Happy to revisit if the data set changes to include personal data or if a DPIA is required. | Assessed |
| 22/04/2025 | Unity Insights | Cardiology Group Service Evaluation - HIWE | Briant | Health Innovation West of England (HIWE: ex-AHSN) North Bristol Hospital Trust (NBT) University Hospitals Bristol and Weston Trust (UHBW) NBT BI team (listed as separate entity as they are the pseudonymisation "key holder") | In preparation for the merger of NBT and UHBW in 2026, a pilot pathway merger has been undertaken across the two trust's cardio pathways, observing the impact upon patient experience, outcomes and service efficiency, to inform the trusts of potential risks for management of the wider merger to come. HIWE are supporting this and undertaking an evaluation of the process, they are delivering a qualitative evaluation, while we have been asked to undertake the quantitative element of the evaluation (impact analysis). Project is expected to run for 12-18 months with a few phases of observation as various pathways are merged within the cardiology department, culminating in a combined analysis at the end. Although all data we receive is expected to be effectively anonymised, due to the number of organisations, and a few issues defining the HI datasets, we wanted to flag the project. | Comments notes. This appears to be a very low risk with no further actions proposed assuming that UI has the appropriate contracts in place. | Assessed |
| 19/12/2025 | Health Innovation KSS | Kent Sexual Health Review | Hooper | Kent County Council NHS Kent and Medway Integrated Care Board VCSE partners supporting participant recruitment | The project is an evaluation of Sexual Health services in Kent, commissioned by Kent County Council. The only anticipated use of personal data is to facilitate focus groups and interviews for qualitative data collection. | 1. Am I missing something here? To me, KSS AHSN don't seem to be acting as a Controller If Kent CC has commissioned them to provide client opinions/feedback. Aren't they sending over the contact details so that KSS AHSN can invite the participants? That doesn't look like sharing the data so that KSS AHSN can use it for a legitimate purpose of their own. So KSS AHSN looks more like a processor needing a contract with Kent CC containing the usual clauses. 2. You say the survey data will be collected anonymously. The responses might have associated IP addresses, that to be fair couldn't be linked back to individuals, but of course the data still needs to be collected securely. Remember that anonymising personal data is a form of processing. Let me know if you think I am misinterpreting this. | Assessed |
| 20/01/2026 | Unity Insights | Healthtech1 Patient Registration | Myers | Surrey Heartlands ICB Constituent practices UI HIKSS (this has come through our service contract) | Evaluation of use of HealthTech-1 automatic patient registration technology within the Surrey Heartland ICB region. The evaluation aims to assess the replicability of these results within Surrey Heartlands ICB, through quantitative, health economic, and health inequality analyses based on data collected by GP practices in the region. The results of this evaluation will support Surrey Heartlands in improving service provision and iterating on its implementation of HealthTech-1. The processing to be undertaken by Unity Insights may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc. | The ICB seem to have done a thorough analysis of the project via their DPIA. UI are correctly categorised as a Processor and the contract seems suitable. | Assessed |
| 21/01/2026 | Health Innovation KSS | Team Premium Adoption | Senter | HI KSS External partners that may be included in calls. | Following a trial period HI KSS have adopted the use of Teams Premium to expand the capabilities to manage and deliver online services such as webinars, focus groups and other online events, while also supporting internal efficiencies such as action tracking and meeting summaries supported by Copilot 365. The core features of the system are summarised here: https://www.microsoft.com/en-us/microsoft-teams/premium Early usage has highlighted a need for users to manage the needs of the call to avoid automatic notifications and transcripts to be incorrectly shared with individuals not present in a particular call. Technical controls are being reviewed to include the limitation of chat and recordings to in-meeting only, restricting access outside of a call itself. Other controls such as the use of individual bookings for confidential calls are being tested to mitigate the risk of recurring meeting chats including participants from previous calls, while staff will also need to consider the potential risks and settings for each call to properly protect recordings and manage access to outputs. Further note, the organisation has to use the HI KSS dedicated emails for Teams Premium licences, rather than nhs.net. Which has increased the organisation's use of these emails (and may need an adjustment when we come to resubmit the DSPT. | Good to see this timely follow up to the recent incident, but as previously mentioned, a DPTA or other risk assessment should ideally have been undertaken before implementing the upgrade, possibly alongside a trial run. As you are aware, the changes required all depend on the capabilities and controls of the software and you will be: 1. Fully assessing those new capabilities and controls 2. Deciding on your approach to using the software in compliance with data protection principles and legislation 3. Implementing appropriate controls 4. Updating SOPs and user instructions 5. Providing awareness materials and communications for staff and possibly training as well | Assessed |
| 30/01/2026 | Health Innovation KSS | HIN KSS - Working with People and Communities (WWP&C) | Clark | Primarily self-directed activity to serve the core commission for the HINs. In some cases there may be partners, I have highlighted that there is a distinction between the projects where partners are just interested in outputs, and where they play an active role in recruitment for surveys etc. In such cases, this might just be a matter of placing survey links in key locations or signposting activity. In others, they may directly send survey links or invites to relevant patients. This latter case should be considered out of scope of this DPIA threshold and be covered under a separate assessment in my view, as we will likely need to consider the activity as including a third party Data Controller. | As part of its planned activities, Health Innovation Kent Surrey Sussex plans to undertake public data collection to provide insights into the state of local healthcare services and the needs of the local public. This requires an increase in the level of direct data collection, with some of the data potentially including personal information, either to facilitate further discussion (i.e., interviews or focus groups) or to establish the clinical needs of individuals. | - Thanks for the comprehensive explanation and discussing this over the phone. - It lays out a solid basis and ground rules for extending the range of processing activities beyond acting as a processor for various organisations. - As discussed if HIN policy still states that it does not intend to process personal data as a controller (dealing only with anonymous data) in its own right, that should be reviewed. - Projects based on this model should be accompanied by their own DPTAs to ensure that risk is managed and the principles outlined here are followed. | Assessed |
| 12/03/2026 | Unity Insights | SWAG Cancer Case Finding Evaluation | Myers-Joslin | SWAG Cancer Alliance Health Innovation West of England (HIWE) 7x PCNs/GPs (data controllers) | Early identification of cancer symptoms and prompt referral are associated with better treatment outcomes, including reduced mortality. Consequently, one of the core aims of the Somerset, Wiltshire, Avon and Gloucestershire (SWAG) Cancer Alliance is to increase the number of people diagnosed with cancer early. An approach which could support with this aim is case finding, which involves searching for suspected cases within known high-risk groups or during routine clinical appointments. Primary Care Networks (PCNs) and GP practices are well placed to undertake this work, yet often lack the funds required to pilot innovative approaches such as case finding. The SWAG Cancer Alliance has therefore developed this programme to support activities across the region. Four pilot projects have been funded and will be subject to process and impact evaluations (provided by UI) | 1. In North Bristol NHS Trust's contract with UI, it says, Further clarification of responsibilities on the projects is provided in the document “Evaluation roles and responsibilities”, but I haven’t found that document. Clarity as to roles is important with these various organisations involve. 2. As usual, my advice is that UI needs to concentrate on its role and ensuring that it is covered contractually etc. Other organisations need to look after their own positions as if they get those wrong they have to bear the consequences. 3. My view (and that of the Medical Research Council) is that the sponsor of research is a data controller. Beyond that top level, things may be more complicated as other parties could be both processors and controllers for different purposes. In this case (and without the document mentioned above) it looks like: - SWAG - A data controller for all the data used in the research they have sponsored - North Bristol NHST (added to Parties on the form) As they ‘host' SWAG they are a proxy Controller for SWAG - PCNs and GPs - Controllers of patient data for patient care, but sharing some of that data with North Bristol NHST/SWAG for the purposes of the research - HIWE - A Processor for North Bristol NHST/SWAG - UI - A Processor for North Bristol NHST/SWAG (as per the contract already in place) So I don’t agree that any data is being ’shared’ with UI by the PCNs/GPs. As I see it, the PCNs/GPs are sharing that data with North Bristol NHST/SWAG (as above) and UI is processing it for North Bristol NHST/SWAG. Any actual data flows are irrelevant here. If you want to discuss this please let me know. | Assessed |
| 23/03/2026 | Health Innovation KSS | Go Vocal | Clark | HI KSS NHS Sussex Go Vocal | NHS Sussex operates a public engagement site provided by Go Vocal/ CitizenLab. This agreement is to cover NHS Sussex allocating dedicated pages within that site for use by HI KSS for its own public engagement purposes. HI KSS will be provided with control over and back-end access to a number of pages on NHS Sussex’s Go Vocal/Citizen Lab website. HI KSS will be able to launch and display its own engagement projects – surveys, videos, interactive conversations etc – on its assigned pages and, in this way, be able to collect personal data directly from service users, members of the public, health and care staff etc. | I think there is still some confusion and over-complication in these documents 1. I cannot detect any data sharing going on so please remove reference to it unless you can explain where it takes place 2. HIKSS are effectively a Processor for HIKSS if all they are doing is managing access to part of their account with Go Vocal and not using any data HIKSS collects via the surveys for their own purposes i.e. They are NOT sharing it. 3. In that respect we could regard Go Vocal as a sort of sub Processor for HIKSS rather than a direct processor (that would require a contract) 4. The front page of the DATA SHARING AND PROCESSING AGREEMENT is confusing and at the very least should (as above) not refer to sharing 5. Section 1 specifies Controller to Controller sharing, which this is not. It is Processing where HIKSS provide data storage and form processing that HIKSS use to collect their data. 5. What does section 4 mean? 6. Section 11 specifies Public Task as a lawful basis. Unless HIKSS can specifically point to one and are taking explicit consent, they should drop this basis. I will stop here (nearly) following our phone call. Pete, you are drawing up a draft DPA as that and/or a contract is all that seems to be needed. It needs to ensure that NHS Sussex to act solely on HIKSS's instructions in regard to the facility they are 'sub-contracting' i.e. they do very little and don't re-use the data or link it to their own data even if the HIKSS survey is for them (although a specific project could allow this with appropriate data subject consent). In addition HIKSS need DPTAs for each survey project as controllers. You said you would will talk to Isabel on Tuesday. | Assessed |
| 15/04/2026 | Health Innovation KSS | SID User Research | Scola | Sussex and Surrey ICB (Owner/Sponsor of the SID) - data controller for user details HI KSS Unity Insights | We are about to start a new project with 'Sussex Integrated Data (SID)', and among other tasks and deliverables, one of our associates (contractor) will be doing the user research elements for this project. Therefore, interviewing people. | Looks fine. | Assessed |
