Data Protection Threshold Assessment

Item 1

You must be logged in to submit the form.

Item 2

Background

The privacy of our clients and partners, especially those in the health and care sectors, along with their patients, clients and employees, is critical to us and their organisations as is the security of data. Processing personal data legally and securely prevents regulatory violations, avoids negative publicity, and shows respect for data subjects.

The UK’s Data Protection Act, 2018 (DPA) came into force on 25 May 2018, implementing the EU General Data Protection Regulation (GDPR) as the main legislation governing the processing of personal data in the UK. BREXIT changed the legal basis, with all data protection legislation becoming simply part of UK law.

The EU-based legislation was absorbed, fundamentally unchanged, into that framework and apart from technical changes such as referring to the GDPR as the UK GDPR rather than the ‘EU GDPR’, little has changed following the UK’s departure from the EU. If the law is significantly amended, we will update our procedures to comply with it and assist our clients in doing the same.

Most recently, the Data (Use and Access) Act, 2025 has amended the DPA/GDPR in some respects and its provisions will be considered when assessing DPTAs.

Data Protection Impact Assessments
The Legislation states that “where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a Data Protection Impact Assessment (DPIA). Furthermore, if the assessment reveals processing involving high risks that cannot be mitigated, the ICO must be consulted before starting the processing.

Data Protection Threshold Assessments
Amongst other uses, this tool is employed to screen programmes and decide whether full DPIAs or other actions are required.

Item 3

Guide

Accessing the Form

The Data Protection Threshold Assessment form works well on most devices, but it may not be easy to use on small displays such as smartphones, which should be avoided.

Using the Form

Use the Form tab to raise a new assessment form
Some fields may already be completed as defaults or based on your profile – most of these can still be altered
There are 9 pages – take your time, working through them in order, returning to [Previous] pages as necessary
You can navigate between pages (as long as all mandatory fields have been completed) either:
sequentially using the [Next] and [Previous] buttons at the bottom of each page, or by ‘jumping’ via the numbered progress bar at the top
Most fields are always visible and some contain guidance notes
Some input fields and guidance notess are revealed or hidden depending on your responses
Fields marked with an asterisk * must be completed to submit the form
Pages and the form as a whole are saved whenever you click a [Next] button to move to a new page
Clicking the [Submit] button on the final page saves the form and shares it with the DPO
See the Follow-up tab to find out what happens next, after you submit a DPTA form

Item 4

Follow-up

On receipt of your Data Protection Threshold Assessment form, the DPO will:

Send you an acknowledgement email with a pdf copy of your submission
Check your submission
Add comments or questions in the DPO Notes field
Contact you for further details and clarification if required
Post a copy of the initial assessment in the table on the Initial Assessments tab
Update the submission status from Draft to Assessed
Usually email an updated copy of your form
Post a copy of the DPTA in the table on the Submissions tab

The Submissions tab record can be subsequently updated by you or the DPO and you can also export records from the table in csv format for use with Excel and other application

Further follow-up could include:

Proposing actions as needed
Providing assistance with tasks such as completing a full DPIA and checking or preparing documents

Item 5

Initial Assessments

Date	Organisation	Programme	Lead	Programme Lead Last Name	Submission Notes	Programme Notes	DPO Comments	Status
10/10/2024	Health Innovation KSS	DHSC Women and AI booklet	Lisa	Devine	Melissa Ream is also working with Lisa to co-ordinate this. This relates to Kelly's email on the 4th.	The HIN have been engaged by DHSC to help produce a booklet on developments utilising AI to support Women's Health. To achieve this DHSC will conduct a data collection process, through a survey, which will then be passed to HIKSS to reviews responses and put together the booklet. The DHSC DPO office has been engaged and provided some guidance regarding consent steps, HIKSS are considering asking for some slight changes to enable further contact where the HIN feels it can support the innovators. The review process will include a panel, including an AI fellow, who works as a GP. We are asking whether a formal agreement is needed before providing access to any data. There is also no formal contract that I am aware of, subject are aware of data being passed to HIKSS in the consent step, but there's nothing to cover the exchange of results between DHSC and KSS.	I would advise against totally relying on a DPO being happy (even me!). Of course if you are acting as a processor you need a contract/DP Agreement and the consent needs to reach the standard of informed consent. Tick boxes alone could be inadequate i.e. they may need supplementing with a detailed explanation, guidance and perhaps a means of asking questions for clarification.	Assessed
30/07/2024	Unity Insights	Real Birth Company - SBRI	Ben	Williams		Real world evaluation of implementation of maternity information and training system at Epsom and St Helier. Pseudonymised patient-level data including age band, ethnicity and post code sector, plus clinician surveys / interviews.	1. As a processor for RBC I agree that you will need a DPA or suitable contract with them. 2. The Trust would need informed consent from its patients to share any identifiable or re-identifiable personal (outcome) data. 3. If there is any such data sharing, the DSA, baed on the patient consent, should be between the Trust and RBC and not with UI (regardless of the supply route) as UI would only be processing it whilst acting as a processor for RBC and not in its own right.	Assessed
02/07/2024	Unity Insights	Lifebox	Léa	Quentin	Dana Daderko is also working on this with Léa.	Definition LifeBox is a digital pre-operative assessment tool which supports patient assessment, hospital decision-making and personalised patient care. We are undertaking a quant and health economic evaluation covering its use in Royal Sherwood hospitals. Commissioned by Definition Health, who own/provide LifeBox).	The fact that you are processing pseudonymous data means that you are processing personal data even though you can't identify whose data it is. This is not however a problem assuming that you have contracts/DPAs with the controllers and represents a good minimisation and data security approach. Assuming you have satisfactory contracts and DPAs with the processors this appears to be a standard UI processing operation.	Assessed
18/06/2024	Unity Insights	Anya	Alex	Round		Anya is a breastfeeding support app designed to provide support for new parents, we are undertaking an evaluation following its introduction through a couple of community health teams (CHTs) in the North West. Anonymous and aggregated data is expected primarily, including some demographic data. A few interviews will be held with the community team leads.	Seems routine and straightforward.	Assessed
22/04/2024	Unity Insights	O2matic	Sam	Sutton		O2matic produce an automated system to adjust the oxygen flow, being trialled for COPD and respiratory patients, based on oximetry readings and other clinical markers, reducing time and reliance upon clinical staff to recognise and react to changes in patient condition and enhancing the support for patients undertaking Pulmonary Rehab. We are providing quant analysis in support of the trial/pilot (not a full clinical trial) into the product's deployment.		Assessed
05/04/2024	Unity Insights	Powerful Medical (PMCardio)	Conor	Briant	Question re. PM's third country status and whether we have a responsibility to ensure sites are aware of the data being transferred to EU (and that they've done the right checks)	The project is a result of a funding award from NIHR I4I FAST, applied for by UI as the sole applicant. Collaboration agreement in place with PM covering delivery of the project. This project will explore the feasibility of the wider adoption of PMCardio by the NHS by conducting a real-world validation study evaluating the implementation of the PMCardio in a primary care setting. The aim of the evaluation is to measure and compare the outcomes and benefits of implementing the technology within select sites. A mixed methods approach is recommended to analyse quantitative, qualitative, and health economic outcomes to generate evidence against the key evaluation questions.		Assessed
26/11/2021	Unity Insights	Health Inequality - Reducing Restrictive Practice (SABP)	Conor	Briant	See also: FREED.	Data gathering to support the build of a dashboard and eventual evaluation report into the Patient Safety Collaborative's Reducing Restrictive Practice care package in Mental Health settings, with a particular view on how it affects health inequalities across this sector. Data collection will be regional, while the care package (and efforts to reduce restrictive practice) is part of a national mandate.	See notes re Public Task vs Legitimate Interest. I think the DPIA also recognises this on Page 19 - Applications of Data Rights. A (voluntary) DPIA was undertaken by SABP as controller. Latest version is 2.1, 10/2019. This stated that the records would be anonymised, but there seems some doubt whether it would be just pseudonymised. They also state correctly that a DPA could be required if the data turns out to be personal (inc. pseudonymised). We would then need to be clear if that DPA would be with KSS AHSN, UI or both (This is the Other Action ticked, but depends on resolution of the anonymisation vs pseudonymisation issue which the meeting of 18/02/2022 may have resolved).	Assessed
20/09/2023	Unity Insights	Vinehealth	Lea	Quentin		Vinehealth (VH) is a mobile platform that encourages people living with cancer to self-manage by allowing them to monitor their symptoms, manage their medication and understand their care plan and progress along with their care team and loved ones. The app has been deployed across nine NHS sites to inform an RCT, being conducted by University of Surrey (UoS). Alongside the RCT, Unity have been commissioned to provide health economic analyses of the platform, in the form of a budget impact model and cost-utility analysis.	This appears to be a fairly standard processing activity covered by UI's contract with VH that I assume has or will be vetted. If and when data sharing agreements appear please pass them to me for an assessment, remembering that by entering into them you may be agreeing that you are a (joint) controller of personal data. It isn't clear to me at this stage that this would be the case. Just because a data feed comes from UoS doesn't necessarily mean that it couldn't be covered by their agreement with VH and the your processing contract with them. 23/02/2024 Following discussion re a potential DPA with UoS, UoS were asked to clarify their role and replied with a 'Joint Controller' Agreement between themselves and Vinehealth.	Assessed
12/10/2023	Unity Insights	Florence	Mike	Long	Further contact for project: Cameron Murray (Analyst)	Florence is an AI-driven support application for patients with hypertension, designed to manage symptoms and support condition self-management. It is being implemented at two KSS PCNs for the evaluation, with two other PCNs planned. The evaluation is covering qual, quant and health economic analyses and will utilise pseudonymous patient data for the latter two, and the qual currently consists of an anonymous staff survey, but could extend to interviews (with consent) if time allows.	This looks like straightforward data processing. You don't mention a contract, but I assume there will be a suitable one.	Assessed
12/10/2023	Unity Insights	BSW Integrated Care Record	Lea	Quentin	Analyst: Pierce Coveney	Quant and qual analysis to develop a statement of planned benefits for the deployment of ICRs in the region, defining potential impacts and benefits streams, but not to the point of a formal health econ analysis. The ICR programme is an online data sharing platform for clinicians and healthcare professionals to submit patient notes and medical information, so other health and care organisations can access the information securely, through a single point of access, supporting data transfer between organisations. "The ICR uses the Graphnet Carecentric platform to share and contribute information from partners across the BSW system. The Carecentric ecosystem includes features for; direct care, population health management, care plans and person held records. All of these are in use within BSW to a greater and lesser degree."		Assessed
14/11/2023	Unity Insights	MyCOPD SBRI : Propel Study	Peter	Aldridge		See also the protocol, uploaded. A long-term study into the benefits and impact of MyCOPD across two settings, within the acute setting in Bristol, and the Community (rehab delivery) within Cornwall. We are looking to gather data through the project itself (consented, the company is doing this and we will receive pseudonymous outputs), along with extracts from the healthcare organisations involved.	The very through DPIA seems to cover the situation well.	Assessed
16/11/2023	Unity Insights	Phyllis Tuckwell MND CNS Role Evaluation	Laura	Shaw		Implementation of a clinical nurse specialist role focusing on Motor Neurone Disease support within Guildford and Waverley area to provide central coordination for patient care, facilitate pathway development , provide a link between local services and specialist care centres. Mixed methods evaluation work including some quant, but mainly qualitative info, including testimonials from staff.	As a processor there is no legal issue in receiving names (personal data) as described. However it is best to adopt the minimisation of personal data processing as planned as this is best practice and ob=ne of the guiding principles of the GDPR.	Assessed
29/11/2023	Health Innovation KSS	KSS InHIP Programme	Tom	Myers	This covers three different InHIP projects, one for each ICS within KSS. The parties and proposals vary somewhat, but as we are working to avoid any personal information I thought I would submit one to give you context in case of further questions.	NHS England’s Innovation for Healthcare Inequalities Programme (InHIP) is a unique collaboration between the Accelerated Access Collaborative (AAC), NHS England’s National Healthcare Inequalities Improvement Programme and the Academic Health Science Network (AHSN Network), and delivered in partnership with Integrated Care Systems (ICSs). InHIP projects aim to address local healthcare inequalities experienced by deprived and other under-served populations, by working with local communities to improve access to the latest health technologies and medicines. All three ICS have proposals funded to reach out to communities at risk of high cholesterol to improve lipid management treatment rates in areas where services typically struggle to engage.	Noted that UI is a processor and along with pseudonymisation the project bears little risk.	Assessed
14/12/2023	Unity Insights	Stay Alive	Sage	Bannister	Submitted by Annie Miller via email on 14/12/2023 asking for a response by 15/12/2023.	From an initial email sent by Annie Miller: Annie Miller, Sage Bannister, and Marie-Anne Demestihas are currently working on a project called Stay Alive, which aims to investigate the effectiveness of a suicide prevention app. To analyse this, they have created a fully anonymous survey to understand app users’ opinions. They would like to include the following: Demographic information including, age (in 10-year age brackets), gender identity, if their gender identity matches their assigned sex at birth, and county of residence. All the demographic questions have a “prefer not to say” answer option. A number for a suicide helpline, as the survey content may be distressing. Wondering if this is appropriate to use as it is an external resource, and if there are any legal implications from including this? We were wondering if you could help us with the data protection aspects of this; is it okay to ask these demographic questions and include contact information for a suicide helpline? I have attached the evaluation framework with the survey questions, the evaluation plan, and the link to the survey if needed for context. Stay Alive 2023 Survey (surveymonkey.com)	My initial thoughts are based on limited knowledge e.g I do not have a list of the parties involved. From reading the proposed survey questions however it appears that participants could not be directly identified from the responses and therefore the survey responses do not constitute personal data. Care would need to be taken in relation to the technical aspects of the survey to prevent linkage to the user via data held by Grassroots although on the face of it this should be impossible unless perhaps a sparce distribution of app users by county could pinpoint an individual. I am not yet clear what data sharing agreements are envisaged and why they would be required. This may need clarification, but only if actual personal data is involved. Notwithstanding the fact that there appears to be no personal data involved and assuming that UI is to be a 'processor'of the data, it would be prudent to ensure that the agreement between UI and Grassroots (or any other relevant party involved) included the standard processor clauses.	Assessed
18/01/2024	Unity Insights	Rapid Health	Fay	Maddock		Quantitative and Qualitative evaluation of Rapid Health's GP booking solution, providing GP's and patients with digital appointment booking and management tools.	If the linking concern was raised in relation to data coming from both the GP and the supplier: 1. There should be no issue where personal data from the supplier is data it holds as a processor on behalf of the GP practice as you will have a DPA. 2. If/where the supplier is acting as a controller, you would need to act as a processor for the supplier wand raise another DPA. This assumes that you have no need to act as a controller of that data yourselves, in which case it would instead be a form of data sharing.	Assessed
29/01/2024	Unity Insights	Surrey Primary Care Immunisation Strategy Phase 2	Tara	Moran		Building on from Surrey Immunisation Phase 1. Primarily qualitative evaluation of the deployment strategy. Survey responses provided anonymous in support of evaluation. Age, gender, ethnicity, location and surgery location provided.	This seems a relatively seems straightforward programme given the nature of the data. There is very little danger of re-identification by UI from the dataset it will receive. With GP knowledge of their patients and appointment details, some respondents might be re-identifiable by them. A small thing, but the form asks for postcode data down to 'sector' level (the outward part plus the first digit of the incoming code) and 'asks' the completer not to enter a full postcode. However, does it actually prevent that as a respondent might ignore the request? Postcode formats are a bit tricky to validate. Full validation can be done using RegEx expressions if the form software allows them, but a simple way would be to split the data collection into two separate parts 1. The variable length (2 - 4 characters) outward part e.g. SW1A, BN12, TA2, N1 and 2. The first digit of the inward code. Just a thought.	Assessed
28/01/2025	Unity Insights	Clera Evaluation	Léa	Quentin	lea.quentin@unityinsights.co.uk	Evaluation delivery to HI West of England of Clera healthcare This project will pilot an online communication platform (Clera) in the infectious disease unit in NBT to improve communication with patients and families. Specifically, Clera will enable SMS communication with both patients and multiple family members via an accessible online platform. Patients and families will be updated with details of their care plan for the duration of their stay. The evaluation is going to be mixed-methods evaluation, no health econ. Data use is expected to be: Quantitative - Clera usage data, data from the site on number of contacts per patient/day. All anonymised data. Qualitative - survey with patients and families, focus group (potentially), staff questionnaire. All anonymised data. Although this all relates to expected anonymisation, this is only due to the data flow ensuring that data is anonymised on site before being sent to us. Due to risks in this process we are undertaking the full DPIA threshold test to make sure the DPO is informed.		Assessed
28/01/2025	Unity Insights	Luscii SBRI	Mike	Long		This is an SBRI-funded project evaluating the benefits of the Luscii Virtual Ward solution upon a patients across a range of clinical pathways within Maidstone and Tunbridge Wells NHS Trust. There will be qual and quant dimensions, feeding into a health economic analysis.	This looks fairly standard and I see no particular issues. It may be a useful example for checking pseudonymisation as discussed. There is no need for UI to have access to consent details.	Assessed
22/04/2025	Unity Insights	DemDX	Conor	Briant		DemDx’s intelligent Clinical Assessment Platform (iCAP) is an AI-enabled clinical reasoning platform that supports staff in their clinical assessment to assess and triage patients. The platform can also be used to order tests and make onward management decisions for the patient. iCAP can be used in UTCs, GP practices, and during home visits and is available as a stand-alone platform or can be integrated into existing workflows, such as with EMIS. iCAP is designed to optimise GP practices by empowering nurses and AHPs to take on greater clinical responsibility, freeing up GP time for more complex cases and improving patient access to care. The platform enhances the efficiency of multi-disciplinary teams across various settings, allowing AHPs to manage a broader range of conditions independently. By integrating local protocols and referral pathways, iCAP ensures consistent, high-quality clinical assessments, reducing inappropriate referrals and hospital admissions. Mixed methods evaluation including health econ, quant, qual and environmental analyses.	This looks straightforward, with a limited data set and standard agreement. Happy to revisit if the data set changes to include personal data or if a DPIA is required.	Assessed
22/04/2025	Unity Insights	Cardiology Group Service Evaluation - HIWE	Conor	Briant	This delivery is through a service contract we have in place with West of England, we are acting as a subcontractor to them in agreements with Trusts etc. The first phase of this project will monitor outcomes, along with a final analysis that will require more detail to support statistical testing of these outcomes and will likely require a separate DPIA with the trusts.	In preparation for the merger of NBT and UHBW in 2026, a pilot pathway merger has been undertaken across the two trust's cardio pathways, observing the impact upon patient experience, outcomes and service efficiency, to inform the trusts of potential risks for management of the wider merger to come. HIWE are supporting this and undertaking an evaluation of the process, they are delivering a qualitative evaluation, while we have been asked to undertake the quantitative element of the evaluation (impact analysis). Project is expected to run for 12-18 months with a few phases of observation as various pathways are merged within the cardiology department, culminating in a combined analysis at the end. Although all data we receive is expected to be effectively anonymised, due to the number of organisations, and a few issues defining the HI datasets, we wanted to flag the project.	Comments notes. This appears to be a very low risk with no further actions proposed assuming that UI has the appropriate contracts in place.	Assessed
19/12/2025	Health Innovation KSS	Kent Sexual Health Review	Lucie	Hooper		The project is an evaluation of Sexual Health services in Kent, commissioned by Kent County Council. The only anticipated use of personal data is to facilitate focus groups and interviews for qualitative data collection.	1. Am I missing something here? To me, KSS AHSN don't seem to be acting as a Controller If Kent CC has commissioned them to provide client opinions/feedback. Aren't they sending over the contact details so that KSS AHSN can invite the participants? That doesn't look like sharing the data so that KSS AHSN can use it for a legitimate purpose of their own. So KSS AHSN looks more like a processor needing a contract with Kent CC containing the usual clauses. 2. You say the survey data will be collected anonymously. The responses might have associated IP addresses, that to be fair couldn't be linked back to individuals, but of course the data still needs to be collected securely. Remember that anonymising personal data is a form of processing. Let me know if you think I am misinterpreting this.	Assessed
20/01/2026	Unity Insights	Healthtech1 Patient Registration	Tom	Myers		Evaluation of use of HealthTech-1 automatic patient registration technology within the Surrey Heartland ICB region. The evaluation aims to assess the replicability of these results within Surrey Heartlands ICB, through quantitative, health economic, and health inequality analyses based on data collected by GP practices in the region. The results of this evaluation will support Surrey Heartlands in improving service provision and iterating on its implementation of HealthTech-1. The processing to be undertaken by Unity Insights may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc.	The ICB seem to have done a thorough analysis of the project via their DPIA. UI are correctly categorised as a Processor and the contract seems suitable.	Assessed
21/01/2026	Health Innovation KSS	Team Premium Adoption	Kelly	Senter		Following a trial period HI KSS have adopted the use of Teams Premium to expand the capabilities to manage and deliver online services such as webinars, focus groups and other online events, while also supporting internal efficiencies such as action tracking and meeting summaries supported by Copilot 365. The core features of the system are summarised here: https://www.microsoft.com/en-us/microsoft-teams/premium Early usage has highlighted a need for users to manage the needs of the call to avoid automatic notifications and transcripts to be incorrectly shared with individuals not present in a particular call. Technical controls are being reviewed to include the limitation of chat and recordings to in-meeting only, restricting access outside of a call itself. Other controls such as the use of individual bookings for confidential calls are being tested to mitigate the risk of recurring meeting chats including participants from previous calls, while staff will also need to consider the potential risks and settings for each call to properly protect recordings and manage access to outputs. Further note, the organisation has to use the HI KSS dedicated emails for Teams Premium licences, rather than nhs.net. Which has increased the organisation's use of these emails (and may need an adjustment when we come to resubmit the DSPT.	Good to see this timely follow up to the recent incident, but as previously mentioned, a DPTA or other risk assessment should ideally have been undertaken before implementing the upgrade, possibly alongside a trial run. As you are aware, the changes required all depend on the capabilities and controls of the software and you will be: 1. Fully assessing those new capabilities and controls 2. Deciding on your approach to using the software in compliance with data protection principles and legislation 3. Implementing appropriate controls 4. Updating SOPs and user instructions 5. Providing awareness materials and communications for staff and possibly training as well	Assessed
30/01/2026	Health Innovation KSS	HIN KSS - Working with People and Communities (WWP&C)	Isabel	Clark	As discussed, this relates to an area of activity across the HIN's WWP&C function that includes primary data collection with members of the public.	As part of its planned activities, Health Innovation Kent Surrey Sussex plans to undertake public data collection to provide insights into the state of local healthcare services and the needs of the local public. This requires an increase in the level of direct data collection, with some of the data potentially including personal information, either to facilitate further discussion (i.e., interviews or focus groups) or to establish the clinical needs of individuals.	- Thanks for the comprehensive explanation and discussing this over the phone. - It lays out a solid basis and ground rules for extending the range of processing activities beyond acting as a processor for various organisations. - As discussed if HIN policy still states that it does not intend to process personal data as a controller (dealing only with anonymous data) in its own right, that should be reviewed. - Projects based on this model should be accompanied by their own DPTAs to ensure that risk is managed and the principles outlined here are followed.	Assessed
12/03/2026	Unity Insights	SWAG Cancer Case Finding Evaluation	Tom	Myers-Joslin	This is at a fairly early stage and exact data requirements are still TBC (there will be some qualitative element, but otherwise we are assuming this will all be anonymous). The project seeks to get DSAs with the project sites to enable data collection as there will be no direct contractual relationship, so I wanted to share the outline of the project now.	Early identification of cancer symptoms and prompt referral are associated with better treatment outcomes, including reduced mortality. Consequently, one of the core aims of the Somerset, Wiltshire, Avon and Gloucestershire (SWAG) Cancer Alliance is to increase the number of people diagnosed with cancer early. An approach which could support with this aim is case finding, which involves searching for suspected cases within known high-risk groups or during routine clinical appointments. Primary Care Networks (PCNs) and GP practices are well placed to undertake this work, yet often lack the funds required to pilot innovative approaches such as case finding. The SWAG Cancer Alliance has therefore developed this programme to support activities across the region. Four pilot projects have been funded and will be subject to process and impact evaluations (provided by UI)	1. In North Bristol NHS Trust's contract with UI, it says, Further clarification of responsibilities on the projects is provided in the document “Evaluation roles and responsibilities”, but I haven’t found that document. Clarity as to roles is important with these various organisations involve. 2. As usual, my advice is that UI needs to concentrate on its role and ensuring that it is covered contractually etc. Other organisations need to look after their own positions as if they get those wrong they have to bear the consequences. 3. My view (and that of the Medical Research Council) is that the sponsor of research is a data controller. Beyond that top level, things may be more complicated as other parties could be both processors and controllers for different purposes. In this case (and without the document mentioned above) it looks like: - SWAG - A data controller for all the data used in the research they have sponsored - North Bristol NHST (added to Parties on the form) As they ‘host' SWAG they are a proxy Controller for SWAG - PCNs and GPs - Controllers of patient data for patient care, but sharing some of that data with North Bristol NHST/SWAG for the purposes of the research - HIWE - A Processor for North Bristol NHST/SWAG - UI - A Processor for North Bristol NHST/SWAG (as per the contract already in place) So I don’t agree that any data is being ’shared’ with UI by the PCNs/GPs. As I see it, the PCNs/GPs are sharing that data with North Bristol NHST/SWAG (as above) and UI is processing it for North Bristol NHST/SWAG. Any actual data flows are irrelevant here. If you want to discuss this please let me know.	Assessed
23/03/2026	Health Innovation KSS	Go Vocal	Isabel	Clark	This relates to the adoption of Go Vocal for Survey services, hosted by NHS Sussex ICB	NHS Sussex operates a public engagement site provided by Go Vocal/ CitizenLab. This agreement is to cover NHS Sussex allocating dedicated pages within that site for use by HI KSS for its own public engagement purposes. HI KSS will be provided with control over and back-end access to a number of pages on NHS Sussex’s Go Vocal/Citizen Lab website. HI KSS will be able to launch and display its own engagement projects – surveys, videos, interactive conversations etc – on its assigned pages and, in this way, be able to collect personal data directly from service users, members of the public, health and care staff etc.	I think there is still some confusion and over-complication in these documents 1. I cannot detect any data sharing going on so please remove reference to it unless you can explain where it takes place 2. HIKSS are effectively a Processor for HIKSS if all they are doing is managing access to part of their account with Go Vocal and not using any data HIKSS collects via the surveys for their own purposes i.e. They are NOT sharing it. 3. In that respect we could regard Go Vocal as a sort of sub Processor for HIKSS rather than a direct processor (that would require a contract) 4. The front page of the DATA SHARING AND PROCESSING AGREEMENT is confusing and at the very least should (as above) not refer to sharing 5. Section 1 specifies Controller to Controller sharing, which this is not. It is Processing where HIKSS provide data storage and form processing that HIKSS use to collect their data. 5. What does section 4 mean? 6. Section 11 specifies Public Task as a lawful basis. Unless HIKSS can specifically point to one and are taking explicit consent, they should drop this basis. I will stop here (nearly) following our phone call. Pete, you are drawing up a draft DPA as that and/or a contract is all that seems to be needed. It needs to ensure that NHS Sussex to act solely on HIKSS's instructions in regard to the facility they are 'sub-contracting' i.e. they do very little and don't re-use the data or link it to their own data even if the HIKSS survey is for them (although a specific project could allow this with appropriate data subject consent). In addition HIKSS need DPTAs for each survey project as controllers. You said you would will talk to Isabel on Tuesday.	Assessed
15/04/2026	Health Innovation KSS	SID User Research	Alessandra	Scola		We are about to start a new project with 'Sussex Integrated Data (SID)', and among other tasks and deliverables, one of our associates (contractor) will be doing the user research elements for this project. Therefore, interviewing people.	Looks fine.	Assessed

Item 5

Submissions

Programme	Organisation	Date	Exigia Reference	Programme Lead First Name	Programme Lead Last Name	Submitter First Name	Submitter Last Name	Submitter Email	Submission Notes	Programme Notes	Parties	Personal Data	Personal Data Notes	Role Factors	Organisational Role Notes	Consent	Consent Notes	Contractual Necessity	Contractual Necessity Notes	Legal Obligation	Vital Interest	Public Task	Public Task Notes	Legitimate Interest	Lawful Basis Notes	Racial or Ethnic Origin	Political Opinions	Religious or Philosophical Beliefs	Trade Union Membership	Genetic Data	Biometric Data	Health Data	Sex Life	Sexual Orientation	Criminal Activity Data	Special and Criminal Activity Data Notes	Innovative Technology	Denial of Service	Large Scale Profiling	Biometrics	Genetics	Data Matching	Invisible Processing	Tracking	Targeting Vulnerable Subjects	Risk of Physical Harm	High Risk Factor Notes	Link 1	Link 2	Link 3	Link 4	Link 5	Link Notes	File Uploads	File Notes	Additional Notes	DPO Comments	Updates	copy-one	User ID	Form Version	Status	entry_id	entry_status	created_at
SID User Research	Health Innovation KSS	15/04/2026	DPTA 29 - Task 4264	Alessandra	Scola	Peter	Aldridge	pete.aldridge@unityinsights.co.uk		We are about to start a new project with 'Sussex Integrated Data (SID)', and among other tasks and deliverables, one of our associates (contractor) will be doing the user research elements for this project. Therefore, interviewing people.	Sussex and Surrey ICB (Owner/Sponsor of the SID) - data controller for user details HI KSS Unity Insights	Yes, possibly, or not sure	User list with name/email address to be shared (covered by user agreement) to support the contractor in agreeing times and dates for the user interviews.		HI KSS as Data Processor, ICB is the Data Controller for the Users	Yes, possibly, or not sure	User agreement and consent to interview invite/recording use	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.sussex.ics.nhs.uk/our-work/our-priorities/digital/sussex-integrated-dataset/						https://exigia.com/wp-content/uploads/fluentform/ff-3698d6318be9c73d9cf5c2a4d8daae4e-ff-SID-trusted-user-agreement-SID-Insights-Proactive-Care-Platform-CB-signed.docx	Copy user agreement including the sharing of experience data. I am sharing some draft wording for the interview invites to make sure privacy policy etc are shared effectively (along with clarification of the parties involved).		Looks fine.			4	13.5	Assessed	52	read	2026-04-15 13:32:59
Go Vocal	Health Innovation KSS	23/03/2026	DPTA 28 - Task 4255	Isabel	Clark	Peter	Aldridge	pete.aldridge@unityinsights.co.uk	This relates to the adoption of Go Vocal for Survey services, hosted by NHS Sussex ICB	NHS Sussex operates a public engagement site provided by Go Vocal/ CitizenLab. This agreement is to cover NHS Sussex allocating dedicated pages within that site for use by HI KSS for its own public engagement purposes. HI KSS will be provided with control over and back-end access to a number of pages on NHS Sussex’s Go Vocal/Citizen Lab website. HI KSS will be able to launch and display its own engagement projects – surveys, videos, interactive conversations etc – on its assigned pages and, in this way, be able to collect personal data directly from service users, members of the public, health and care staff etc.	HI KSS NHS Sussex Go Vocal	Yes, possibly, or not sure	Data items in the DSA are in respect of setting up individual accounts, and not necessarily related to individual survey activity, which will be subject to future DPTAs depending on the content to the survey. Survey respondents will not have to set up accounts, just HI KSS staff.	(a) We decide to collect the personal data in the first place, (k) We are processing the personal data for the same purpose as another controller, (c) We decide which individuals to collect data about, (d) We decide the purpose(s) the personal data are to be used for, (f) We decide whether and to whom the personal data is disclosed	I believe HI KSS are a data controller, with Go Vocal as processor. NHS Sussex are also a data controller as administrating the platform, but processor in respect of the data we provide.	Yes, possibly, or not sure	User sign up process	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	I guess there may be a question of genuine consent, since people will be signing up for their work, but it's no different to other tools.	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.govocal.com/en-uk/privacy-policy					Belgium based company, EEA based data storage, assume this has been worked out with NHS Sussex as they appear to be hosting the data, so they may hold on UK-based services.	https://exigia.com/wp-content/uploads/fluentform/ff-334b70ddacad5bef22053a82d0484c20-ff-GO-VOCAL-Data-Sharing-Agreement-V1.2.docx	This is quite urgent as Isabel would like to have this signed early this week.		I think there is still some confusion and over-complication in these documents 1. I cannot detect any data sharing going on so please remove reference to it unless you can explain where it takes place 2. HIKSS are effectively a Processor for HIKSS if all they are doing is managing access to part of their account with Go Vocal and not using any data HIKSS collects via the surveys for their own purposes i.e. They are NOT sharing it. 3. In that respect we could regard Go Vocal as a sort of sub Processor for HIKSS rather than a direct processor (that would require a contract) 4. The front page of the DATA SHARING AND PROCESSING AGREEMENT is confusing and at the very least should (as above) not refer to sharing 5. Section 1 specifies Controller to Controller sharing, which this is not. It is Processing where HIKSS provide data storage and form processing that HIKSS use to collect their data. 5. What does section 4 mean? 6. Section 11 specifies Public Task as a lawful basis. Unless HIKSS can specifically point to one and are taking explicit consent, they should drop this basis. I will stop here (nearly) following our phone call. Pete, you are drawing up a draft DPA as that and/or a contract is all that seems to be needed. It needs to ensure that NHS Sussex to act solely on HIKSS's instructions in regard to the facility they are 'sub-contracting' i.e. they do very little and don't re-use the data or link it to their own data even if the HIKSS survey is for them (although a specific project could allow this with appropriate data subject consent). In addition HIKSS need DPTAs for each survey project as controllers. You said you would will talk to Isabel on Tuesday.			4	13.5	Assessed	50	read	2026-03-23 09:19:47
SWAG Cancer Case Finding Evaluation	Unity Insights	12/03/2026	DPTA #27 Task 4254	Tom	Myers-Joslin	Peter	Aldridge	pete.aldridge@unityinsights.co.uk	This is at a fairly early stage and exact data requirements are still TBC (there will be some qualitative element, but otherwise we are assuming this will all be anonymous). The project seeks to get DSAs with the project sites to enable data collection as there will be no direct contractual relationship, so I wanted to share the outline of the project now.	Early identification of cancer symptoms and prompt referral are associated with better treatment outcomes, including reduced mortality. Consequently, one of the core aims of the Somerset, Wiltshire, Avon and Gloucestershire (SWAG) Cancer Alliance is to increase the number of people diagnosed with cancer early. An approach which could support with this aim is case finding, which involves searching for suspected cases within known high-risk groups or during routine clinical appointments. Primary Care Networks (PCNs) and GP practices are well placed to undertake this work, yet often lack the funds required to pilot innovative approaches such as case finding. The SWAG Cancer Alliance has therefore developed this programme to support activities across the region. Four pilot projects have been funded and will be subject to process and impact evaluations (provided by UI)	SWAG Cancer Alliance Health Innovation West of England (HIWE) 7x PCNs/GPs (data controllers)	Yes, possibly, or not sure	Individual patient-level data will be gathered, which will be effectively minimised to mitigate reidentification risks. The only party that should be able to reidentify would be the source controller (GP practice), with provided outputs anonymised prior to sharing. Qualitative data collection expected to be conducted by HIWE, with UI having no access to individual data.		UI as data processor GPs as data controller HIWE as data controller for qual data collection	Yes, possibly, or not sure	This will be noted as the basis for qual data collection in any DSA.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Possibly health and equalities data will be asked in qual collection. This data will also be in the anonymous quant data, but it will not be possible to link the two sets of results.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not								https://exigia.com/wp-content/uploads/fluentform/ff-0f263e62ef3d2f4ece0b7ede44ab53e7-ff-UI-0735-SWAG-CA-Evaluation-Apr-25-Final.pdf, https://exigia.com/wp-content/uploads/fluentform/ff-8a2841a04f8a103736e321550a9dfd8c-ff-202603_UI-Proactive-Case-Finding-Scoping-Plan-DRAFT-v1.0.docx, https://exigia.com/wp-content/uploads/fluentform/ff-ddea5e7e88e91a92ae34ab2dfe528483-ff-SWAG-cancer-case-finding-proposal-Jan-2026.docx, https://exigia.com/wp-content/uploads/fluentform/ff-f406ae8cf281a1c374153fa3421e8fcf-ff-DSA_UnityInsights_v1.docx	I have adapted the DPA outlined for use in the previous part of the project, for agreement with the various GP/PCNs. I'm not sure all the clauses will apply, but wanted to share as a potential starting point for the final DSA.		1. In North Bristol NHS Trust's contract with UI, it says, Further clarification of responsibilities on the projects is provided in the document “Evaluation roles and responsibilities”, but I haven’t found that document. Clarity as to roles is important with these various organisations involve. 2. As usual, my advice is that UI needs to concentrate on its role and ensuring that it is covered contractually etc. Other organisations need to look after their own positions as if they get those wrong they have to bear the consequences. 3. My view (and that of the Medical Research Council) is that the sponsor of research is a data controller. Beyond that top level, things may be more complicated as other parties could be both processors and controllers for different purposes. In this case (and without the document mentioned above) it looks like: - SWAG - A data controller for all the data used in the research they have sponsored - North Bristol NHST (added to Parties on the form) As they ‘host' SWAG they are a proxy Controller for SWAG - PCNs and GPs - Controllers of patient data for patient care, but sharing some of that data with North Bristol NHST/SWAG for the purposes of the research - HIWE - A Processor for North Bristol NHST/SWAG - UI - A Processor for North Bristol NHST/SWAG (as per the contract already in place) So I don’t agree that any data is being ’shared’ with UI by the PCNs/GPs. As I see it, the PCNs/GPs are sharing that data with North Bristol NHST/SWAG (as above) and UI is processing it for North Bristol NHST/SWAG. Any actual data flows are irrelevant here. If you want to discuss this please let me know.			4	13.5	Assessed	49	read	2026-03-12 15:55:07
HIN KSS - Working with People and Communities (WWP&C)	Health Innovation KSS	30/01/2026		Isabel	Clark	Peter	Aldridge	pete.aldridge@unityinsights.co.uk	As discussed, this relates to an area of activity across the HIN's WWP&C function that includes primary data collection with members of the public.	As part of its planned activities, Health Innovation Kent Surrey Sussex plans to undertake public data collection to provide insights into the state of local healthcare services and the needs of the local public. This requires an increase in the level of direct data collection, with some of the data potentially including personal information, either to facilitate further discussion (i.e., interviews or focus groups) or to establish the clinical needs of individuals.	Primarily self-directed activity to serve the core commission for the HINs. In some cases there may be partners, I have highlighted that there is a distinction between the projects where partners are just interested in outputs, and where they play an active role in recruitment for surveys etc. In such cases, this might just be a matter of placing survey links in key locations or signposting activity. In others, they may directly send survey links or invites to relevant patients. This latter case should be considered out of scope of this DPIA threshold and be covered under a separate assessment in my view, as we will likely need to consider the activity as including a third party Data Controller.	Yes, possibly, or not sure	Surveys should be anonymous in nature, with "anonymous responses" turned on if using SurveyMonkey. In some cases, participants may be invited to provide a contact email to engage in further data gathering (i.e., interviews/focus groups). In these cases it should be made clear that this question is optional, and data is provided with consent. A copy of the company privacy notice should be included, highlighting that Data Subjects can action their rights, including withdrawing consent. Subsequent interviews, if recorded, will require a similar process, informing participants of this prior to the call with links to the privacy notice provided.	(a) We decide to collect the personal data in the first place, (j) We jointly decide the means by which and by whom the personal data is processed, (b) We decide what types of personal data to collect, (l) We decide how to store the personal data, (d) We decide the purpose(s) the personal data are to be used for, (m) We decide what IT systems or methods are used to process the personal data, (e) We decide the lawful basis for collecting the personal data, (o) We decide the details of the security measures protecting the personal data, (p) We decide how to ensure the retention schedule is adhered to, (q) We decide how to retrieve personal data about particular individuals, (i) We decide how long to retain personal data, (r) We decide how to delete and/or dispose of the personal data	For activities within scope HIN KSS will be Data Controller.	Yes, possibly, or not sure	To be collected through surveys with enrolment to further collection. Or through the invite process for interviews/focus groups. May be best to consider use of eventbrite invites if in-person events are planned.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Explicit consent	Explicit consent	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	I don't think this will apply. Other than Teams Premium usage.									General points (for processes) File management: All data should be stored upon the company Sharepoint in a clear and structured way, in a dedicated data folder for the respective programme. Personal data must NEVER be stored locally on an individual's system (mobile, or laptop), stick to SharePoint. This will help support the company to support the rights of data subjects, should we receive Subject Access Requests, or requests to otherwise rectify or delete an individual's information. This also will help ensure that Data Retention protocols can be effectively managed Password protection / Data segregation Risk Management Procedure: HIKSS operates a tiered risk management system for the processing of data, with the support of the DPO (Exigia) and Unity Insights First step is to establish the risk of an individual processing activity using the Data Usage Register: https://ahsnkss.sharepoint.com/:x:/r/sites/ITSupport/IT Support Files/Information Governance/DPIA/Data Usage Register (ROPA) v2.0.xlsx?d=wa2b9c2a42fcf474dbd0f17bddff28c28&csf=1&web=1&e=n4ktgM This will advise if a DPIA assessment is required. This step provides the DPO with context and enables a decision whether a full DPIA may be required. If needed the first step at the moment would be to contact Pete Aldridge (UI), although direct access can be provided, if needed. Pete can usually complete the assessment with just a few project details. A full DPIA may be needed if there is a processing activity that exceeds the company's usual risk appetite, and will establish clear processes and controls to manage this risk. This is usually an exceptional step for projects that have specific needs. Consideration needs to include how we plan to engage with patients/public. How are we being put in touch with them, if we are being provided with contact details directly or sending out links to be shared by third parties. These will affect whether we are processing data provided to us or not, which is activity the DPO should be aware of as there is a chance for dispute or engagement with the Data Controller. Project management: The clinical and regional areas associated for each piece of work should be recorded by the team responsible to understand the broad nature of the activity covered by this process External partnerships and potential use of partner data should be considered and recorded as a separate processing activity as we may have responsibilities to a third party controller. Any identifying data processing must be recorded and the DPO informed. Survey management: If the generic policy is to be followed all data must be anonymous. Surveys should use the below setting to prevent IP addresses from being recorded. Any collection of emails and contact details for future use will mean personal data is being collected and so the project should be recorded. Focus groups and Interviews: Consent should be recorded in relation to all interview activity. Best practice is to include a warning that the call (assuming virtual) will be recorded in the invite, along with a link to the privacy policy so individuals can action their subject rights, should they wish to do so. Privacy policy - Health Innovation Kent Surrey Sussex Acceptance of such an invite would provide consent, although a warning before pressing record or at the start of any call is also recommended to ensure the individual's attended are comfortable. If people choose to not share their webcams they should not be asked to. Publicly available data: The use of publicly available data (i.e., public health profiles) will be aggregate in nature and not raise the risk of identification. Any third party dataset (i.e., clinical reporting) must be considered in terms of potential re-identification, especially if linked to survey findings. The use of novel or new data collection and analysis approaches should also be considered as raising the risk of a project, such as the use of AI, or receiving data from new systems such as SDEs.	'- Thanks for the comprehensive explanation and discussing this over the phone. - It lays out a solid basis and ground rules for extending the range of processing activities beyond acting as a processor for various organisations. - As discussed if HIN policy still states that it does not intend to process personal data as a controller (dealing only with anonymous data) in its own right, that should be reviewed. - Projects based on this model should be accompanied by their own DPTAs to ensure that risk is managed and the principles outlined here are followed.			4	13.5	Assessed	48	read	2026-02-02 11:09:16
Team Premium Adoption	Health Innovation KSS	21/01/2026		Kelly	Senter	Peter	Aldridge	pete.aldridge@unityinsights.co.uk		Following a trial period HI KSS have adopted the use of Teams Premium to expand the capabilities to manage and deliver online services such as webinars, focus groups and other online events, while also supporting internal efficiencies such as action tracking and meeting summaries supported by Copilot 365. The core features of the system are summarised here: https://www.microsoft.com/en-us/microsoft-teams/premium Early usage has highlighted a need for users to manage the needs of the call to avoid automatic notifications and transcripts to be incorrectly shared with individuals not present in a particular call. Technical controls are being reviewed to include the limitation of chat and recordings to in-meeting only, restricting access outside of a call itself. Other controls such as the use of individual bookings for confidential calls are being tested to mitigate the risk of recurring meeting chats including participants from previous calls, while staff will also need to consider the potential risks and settings for each call to properly protect recordings and manage access to outputs. Further note, the organisation has to use the HI KSS dedicated emails for Teams Premium licences, rather than nhs.net. Which has increased the organisation's use of these emails (and may need an adjustment when we come to resubmit the DSPT.	HI KSS External partners that may be included in calls.	Yes, possibly, or not sure	Where calls require, recording may be used, with consent of those present. The system is also to be used for executive and board level calls where individuals may be discussed along with other business sensitive information. Not all of this applies to Data Protection, but similar controls will apply.	(a) We decide to collect the personal data in the first place, (j) We jointly decide the means by which and by whom the personal data is processed, (c) We decide which individuals to collect data about, (l) We decide how to store the personal data, (m) We decide what IT systems or methods are used to process the personal data, (h) We decide what to tell individuals about the processing, (i) We decide how long to retain personal data	Definitely controller, unless usage relates to a specific project, which would require a separate assessment. We may need to consider SOPs to manage data, capture the standard retention period for recordings and highlight user-end controls that can mitigate risk.	Yes, possibly, or not sure	Possibly, although for internal calls this will probably not apply.	Yes, possibly, or not sure	Internal calls to operate the business as per employment contract (or would this fall into legitimate interests?)	Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	I have left these blank, although I'm sure if there was an indicator of illegal activity or something else that was relevant to business operations (long-term sickness or maternity, from a health perspective) it might be raised in recorded calls.	Yes, possibly, or not sure	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	The use of internally managed AI systems to summarise and compile notes at the end of calls.	https://www.microsoft.com/en-us/microsoft-teams/premium	https://learn.microsoft.com/en-us/microsoftteams/manage-meeting-recording-options	https://learn.microsoft.com/en-us/microsoftteams/manage-chat-sensitive-meetings			I have reiterated the core Teams Premium page, as well as a few of the technical control pages I have been discussing with Brian. Recording retention is typically 90 days.				Good to see this timely follow up to the recent incident, but as previously mentioned, a DPTA or other risk assessment should ideally have been undertaken before implementing the upgrade, possibly alongside a trial run. As you are aware, the changes required all depend on the capabilities and controls of the software and you will be: 1. Fully assessing those new capabilities and controls 2. Deciding on your approach to using the software in compliance with data protection principles and legislation 3. Implementing appropriate controls 4. Updating SOPs and user instructions 5. Providing awareness materials and communications for staff and possibly training as well		kelly.senter@healthinnovation-kss.com	4	13.5	Assessed	47	read	2026-01-21 12:15:22
Healthtech1 Patient Registration	Unity Insights	20/01/2026		Tom	Myers	Peter	Aldridge	pete.aldridge@unityinsights.co.uk		Evaluation of use of HealthTech-1 automatic patient registration technology within the Surrey Heartland ICB region. The evaluation aims to assess the replicability of these results within Surrey Heartlands ICB, through quantitative, health economic, and health inequality analyses based on data collected by GP practices in the region. The results of this evaluation will support Surrey Heartlands in improving service provision and iterating on its implementation of HealthTech-1. The processing to be undertaken by Unity Insights may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc.	Surrey Heartlands ICB Constituent practices UI HIKSS (this has come through our service contract)	Yes, possibly, or not sure	Personal data will be collected by the ICB and pseudonymised before sharing with UI	(l) We decide how to store the personal data, (p) We decide how to ensure the retention schedule is adhered to, (r) We decide how to delete and/or dispose of the personal data	UI will be acting as a Data Processor	Definitely not		Definitely not		Definitely not	Definitely not	Yes, possibly, or not sure	To support the provision of NHS services (this is the purpose listed in the ICB DPIA I attach later)	Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not								https://exigia.com/wp-content/uploads/fluentform/ff-2d2af22726e18d8ba6e1315ba4d64698-ff-Data-Processing-Contract-HT1-Eval-0.1.docx, https://exigia.com/wp-content/uploads/fluentform/ff-d11893c21370e3f83d5deefa89f5f7fa-ff-HealthTech1_DPIA_v1.docx	Data processing contract suggested by Surrey Heartlands ICB to establish a direct connection between UI and the ICB for the purpose of this work, email text (we can forward if better): I note that HKISS is not a public sector organisation and the contract between HIKSS and UI does not clarify respective roles and responsibilities (see section 9) or confirm security requirements for data need to be NHS standard (e.g. DSPT). Therefore, to ensure Practice data is protected, I would recommend that the ICB take on the role of Data Controller and engage UI as data processor, using attached agreement. This is in line with response provided at questions 28 and 29 of the DPIA I have been provided with. The Data Processing Contract requires approval by ICB Caldicott (e-signature added) on behalf of ICB as Controller and UI as processor at page 5. Practices, data controller for the patient data they collect, should then be asked to provide written approval for identifiable data relating to their Practice to be shared with the ICB so this can be used for the research (this use includes pseudonymisation by ICB and further processing of this by its processor UI) – no data sharing agreement is required by law, however it is best practice for this to be in place. The ICB will be sole data controller once the data has been received by them, if Practices cannot extract / disclose themselves then they can engage ICB as processor (data processor agreements for this should be in place). As long as Type 1 and National opt-outs are respected and data for these patients not included in extracts run by ICB, there will be no issues with this. Please can you confirm ICB and UI are happy with this approach / attached document and I will finalise the DPO Advice Note? Thanks Dan		The ICB seem to have done a thorough analysis of the project via their DPIA. UI are correctly categorised as a Processor and the contract seems suitable.		tom.myers-joslin@unityinsights.co.uk	4	13.5	Assessed	46	read	2026-01-20 09:16:13
Kent Sexual Health Review	Health Innovation KSS	19/12/2025		Lucie	Hooper	Peter	Aldridge	pete.aldridge@unityinsights.co.uk		The project is an evaluation of Sexual Health services in Kent, commissioned by Kent County Council. The only anticipated use of personal data is to facilitate focus groups and interviews for qualitative data collection.	Kent County Council NHS Kent and Medway Integrated Care Board VCSE partners supporting participant recruitment	Yes, possibly, or not sure	Contact details of consenting participants of qualitative data gathering	(a) We decide to collect the personal data in the first place, (b) We decide what types of personal data to collect, (l) We decide how to store the personal data	I think KSS would be controller for the qualitative data collection as they are overseeing the process, and will need to ensure consent is recorded and rights communicated.	Yes, possibly, or not sure	Will need to be gathered and a copy/link of the KSS privacy policy provided. Survey responses will be anonymous, so may only really be a factor for focus groups, but would include the policy link in the survey as good practice.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Explicit consent	Explicit consent	Explicit consent	Definitely not	Will need to clarify the survey/interview design to make sure that any potential special category data is gathered in a compliant manner. Would assume covering this in consent and optional fields in the survey would cover the requirements.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not											1. Am I missing something here? To me, KSS AHSN don't seem to be acting as a Controller If Kent CC has commissioned them to provide client opinions/feedback. Aren't they sending over the contact details so that KSS AHSN can invite the participants? That doesn't look like sharing the data so that KSS AHSN can use it for a legitimate purpose of their own. So KSS AHSN looks more like a processor needing a contract with Kent CC containing the usual clauses. 2. You say the survey data will be collected anonymously. The responses might have associated IP addresses, that to be fair couldn't be linked back to individuals, but of course the data still needs to be collected securely. Remember that anonymising personal data is a form of processing. Let me know if you think I am misinterpreting this.		lucie.hooper@nhs.net	4	13.5	Assessed	45	read	2025-12-19 08:54:03
Cardiology Group Service Evaluation - HIWE	Unity Insights	22/04/2025		Conor	Briant	Peter	Aldridge	pete.aldridge@unityinsights.co.uk	This delivery is through a service contract we have in place with West of England, we are acting as a subcontractor to them in agreements with Trusts etc. The first phase of this project will monitor outcomes, along with a final analysis that will require more detail to support statistical testing of these outcomes and will likely require a separate DPIA with the trusts.	In preparation for the merger of NBT and UHBW in 2026, a pilot pathway merger has been undertaken across the two trust's cardio pathways, observing the impact upon patient experience, outcomes and service efficiency, to inform the trusts of potential risks for management of the wider merger to come. HIWE are supporting this and undertaking an evaluation of the process, they are delivering a qualitative evaluation, while we have been asked to undertake the quantitative element of the evaluation (impact analysis). Project is expected to run for 12-18 months with a few phases of observation as various pathways are merged within the cardiology department, culminating in a combined analysis at the end. Although all data we receive is expected to be effectively anonymised, due to the number of organisations, and a few issues defining the HI datasets, we wanted to flag the project.	Health Innovation West of England (HIWE: ex-AHSN) North Bristol Hospital Trust (NBT) University Hospitals Bristol and Weston Trust (UHBW) NBT BI team (listed as separate entity as they are the pseudonymisation "key holder")	Yes, possibly, or not sure	Data will be pseudonymised to include an arbitrary reference that can only be reidentified by the NBT BI team that holds the key (although their data extracts will already be subject to systemic data protection from the Trusts and so the data will already have one step of pseudonymisation and minimisation applied), making it effectively anonymous before sharing with UI/HIWE. There is a minor risk that survey responses collected by HIWE could be linked to the quantitative dataset, raising a slight risk of reidentification, but both datasets are expected to be anonymous when analysed.		Unity will be a Data Processor, acting under the service contract with HIWE as a sub-contractor.	Yes, possibly, or not sure	Not for the trust-side data, but applies to qualitative data collected by the HIWE team. Noted as we are working closely with them as a single evaluation team.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	HIWE to list Unity as a sub-processor in any privacy statements in surveys and other qualitative data collections.	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Demographic and admission data included, but intended to be minimised to ensure it stays anonymous.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.nbt.nhs.uk/about-us/news-media/latest-news/next-step-journey-bristol-nhs-group						https://exigia.com/wp-content/uploads/fluentform/ff-ab5f1dab68899eab52592bd8ccaab21e-ff-Bristol-Cardiology-GCS-impact-evaluation-scope-v3.docx	Draft scope	There may be DPIAs and DSA/DPAs to provide if needed as we go through the Trusts' IG processes.	Comments notes. This appears to be a very low risk with no further actions proposed assuming that UI has the appropriate contracts in place.	These comments follow the 13/01/2026 update provided by PA based on input from CB: - As a (sub) processor, UI can contribute to a DPIA, but it is always the Controller's document and responsibility. - Equally LIAs (and all other matters pertaining to lawful processing) are the responsibility of Controllers, although again UI can assist in their completion. - UI only needs to enter into a contract with its principal i.e HIWE. It is bound to follow its contract all the (legal) instructions of its principal stemming from the contract. - Keeping an eye on contracts/agreements between the other parties may be a responsible thing to do, but there is no onus on UI so to do.	conor.briant@unityinsights.co.uk	4	13.5	Assessed	44	read	2025-10-22 09:34:51
DemDX	Unity Insights	22/04/2025		Conor	Briant	Peter	Aldridge	pete.aldridge@unityinsights.co.uk		DemDx’s intelligent Clinical Assessment Platform (iCAP) is an AI-enabled clinical reasoning platform that supports staff in their clinical assessment to assess and triage patients. The platform can also be used to order tests and make onward management decisions for the patient. iCAP can be used in UTCs, GP practices, and during home visits and is available as a stand-alone platform or can be integrated into existing workflows, such as with EMIS. iCAP is designed to optimise GP practices by empowering nurses and AHPs to take on greater clinical responsibility, freeing up GP time for more complex cases and improving patient access to care. The platform enhances the efficiency of multi-disciplinary teams across various settings, allowing AHPs to manage a broader range of conditions independently. By integrating local protocols and referral pathways, iCAP ensures consistent, high-quality clinical assessments, reducing inappropriate referrals and hospital admissions. Mixed methods evaluation including health econ, quant, qual and environmental analyses.	DemDX Thanet Health CIC Deployment sites: One Urgent Treatment Centre (Run by the CIC) Home Visiting Service (CIC service) Two GP sites (The Minster, The Grange)	Yes, possibly, or not sure	Pseudonymised patient data based on primary care consultations. Includes patient demographics (SPECIAL CATEGORY data: Ethnicity), consultation referral source, wait time, consultation outcome (follow-up, onward referral destination), presenting complaint. Data will be pseudonymised, possibly using EMIS' internal pseudo refs.		Unity Insights will be Data Processor, the two GP Practices, Thanet Health CIC (Patient and some staff data) and DemDX (platform and user data) all to hold control over some of the data.	Yes, possibly, or not sure	Surveys will include informed consent, both patient and staff.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	Usage and outcome data will not have specific consent, we are still in the process of confirming this will not include personal data (with lawful basis to be confirmed as part of that process, if required). May depend on final unique references used and risk of re-identification. Data is minimised to reduce risk of identification (i.e., age bands, sex, ethnicity groups, health outcomes)	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Intention to ensure that this data is not identifiable, but there is a risk that we need to revisit depending on the final dataset and method for pseudonymisation/anonymisation. Ethnicity to be captured, NHS high level categories.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	There are a couple of borderline points here, one is matching DemDX data with the consultation data to check whether DemDX was used (this will be done based on location and time, not personal data, so left as 'no'), Focus Groups will also be held as part of the qual workstream and Copilot might be used to support transcription and analysis.	https://www.demdx.com/	https://sbrihealthcare.co.uk/news/funding-awarded-to-innovations-that-support-the-delivery-of-urgent-emergency-care					https://exigia.com/wp-content/uploads/fluentform/ff-351cd7a638d88c4ba5f530fe499bef02-ff-202408_UI-DemDX-Scoping-plan-v1.1.docx, https://exigia.com/wp-content/uploads/fluentform/ff-07df3100fab35c38896655f69b614c9d-ff-Primary_SBRIH26P3036-DemDx.pdf, https://exigia.com/wp-content/uploads/fluentform/ff-3940cd56b3ab9a7c43c4e7a753a1c2db-ff-202503_UI-Data-capture-schemas-v1.xlsx, https://exigia.com/wp-content/uploads/fluentform/ff-bd049b5c45eb7d1895a656890962d0f5-ff-UI-0733-DemDx-Contract-re-evaluation-Apr-25-v1.docx	DemDX are in the process of signing an agreement with the sites, in addition to the attached SBRI collab agreement, we are hoping that the evaluation (and our part in it) can be included in that, with our separate agreement with DemDX providing sufficient contractual support for the project. We might need to touch base with you to confirm once DPIAs are complete, as (is controllers feel the data is personal) we might need further DSA/DPAs. Unsigned Unity: DemDX agreement currently with the client for review.	There is a little risk of this becoming complicated due to the number of small sites we're getting data from, but we feel it should be manageable to keep the data anonymous. A lot will depend on the capacity to effectively minimise, and use appropriate references to avoid duplicate entries confusing analysis.	This looks straightforward, with a limited data set and standard agreement. Happy to revisit if the data set changes to include personal data or if a DPIA is required.		conor.briant@unityinsights.co.uk	4	13.5	Assessed	38	read	2025-04-22 15:02:25
Luscii SBRI	Unity Insights	28/01/2025		Mike	Long	Peter	Aldridge	pete.aldridge@unityinsights.co.uk		This is an SBRI-funded project evaluating the benefits of the Luscii Virtual Ward solution upon a patients across a range of clinical pathways within Maidstone and Tunbridge Wells NHS Trust. There will be qual and quant dimensions, feeding into a health economic analysis.	Maidstone and Tunbridge Wells NHS Trust Luscii HIKSS	Yes, possibly, or not sure	We are looking to gather pseudonymised reports of patient data including demographic factors such as home post code and ethnicity. These will be minimised and categorised to manage identification risk, but consent to participate in the virtual ward project is being gathered.		Unity, HIKSS and Luscii are operating as Processors. MTW Trust are the Data Controller and all data flows are through them.	Yes, possibly, or not sure	This will be gathered by the data controller through the onboarding process, we will not have access to the records of consent.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Ethnicity and health outcomes will be captured but data minimisation will ensure the data is not identifiable.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://luscii.co.uk/								Currently working through DPIA processes and finalising the service contract.	This looks fairly standard and I see no particular issues. It may be a useful example for checking pseudonymisation as discussed. There is no need for UI to have access to consent details.			4	13.5	Assessed	37	read	2025-03-27 14:19:42
Clera Evaluation	Unity Insights	28/01/2025		Léa	Quentin	Peter	Aldridge	pete.aldridge@unityinsights.co.uk	lea.quentin@unityinsights.co.uk	Evaluation delivery to HI West of England of Clera healthcare This project will pilot an online communication platform (Clera) in the infectious disease unit in NBT to improve communication with patients and families. Specifically, Clera will enable SMS communication with both patients and multiple family members via an accessible online platform. Patients and families will be updated with details of their care plan for the duration of their stay. The evaluation is going to be mixed-methods evaluation, no health econ. Data use is expected to be: Quantitative - Clera usage data, data from the site on number of contacts per patient/day. All anonymised data. Qualitative - survey with patients and families, focus group (potentially), staff questionnaire. All anonymised data. Although this all relates to expected anonymisation, this is only due to the data flow ensuring that data is anonymised on site before being sent to us. Due to risks in this process we are undertaking the full DPIA threshold test to make sure the DPO is informed.	Health Innovation West of England (HI WoE, or the "HIN") North Bristol NHS Trust (NBT, the hospital) Serra Health (Clera Healthcare)	Yes, possibly, or not sure	While the data is expected to be anonymous, part of the DPIA process will establish whether a risk of re-identification exists through the demographic data from the relatively small ward. The trust will define this risk in their DPIA. All surveys to be anonymous, some free text questions, but need for anonymity to be reinforced to participants.		Unity Insights should not receive any personal data, and so will only Data Processor for the project. The trust will be Data Controller, Serra Health may also be a data controller for platform users, but also a processor for the data controlled by the trust (the patient's data).	Yes, possibly, or not sure	Consent gathered through the pilot scheme for patients and family members signing up to use the platform. Should cover use for evaluation purposes, but may not specifically mention our role.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Health data included in the use of the platform, but not in terms of personal data used for evaluation.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.getclera.co.uk/	https://www.healthinnowest.net/					https://exigia.com/wp-content/uploads/fluentform/ff-bbd46fb2683553bfc0571014171cbcc4-ff-202501_Clera-Scoping-Plan_v.03.docx, https://exigia.com/wp-content/uploads/fluentform/ff-33411fcd59d5f23bbf9b5717fa13d843-ff-2025_01_UI-Clera-Data-Collection-Template-v1.2.xlsx	Project scope and draft data collection template attached - data template due to be reviewed on 29/01.				lea.quentin@unityinsights.co.uk	4	13.5	Assessed	25	read	2025-01-28 16:36:49
Surrey Primary Care Immunisation Strategy Phase 2	Unity Insights	29/01/2024		Tara	Moran	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		Building on from Surrey Immunisation Phase 1. Primarily qualitative evaluation of the deployment strategy. Survey responses provided anonymous in support of evaluation. Age, gender, ethnicity, location and surgery location provided.	Surrey Heartlands ICB Alliance for Better Care (GP alliance)	Definitely not		(l) We decide how to store the personal data, (n) We decide how to transfer the personal data from one organisation to another	Data Processor	Definitely not		Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Anonymous data collection covering a number of points - Age, gender, ethnicity, location and surgery location provided. These are categorised to try and avoid possible identification.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not								https://exigia.com/wp-content/uploads/ff-a9c2f017ecd6253cf51823b983204d6a-ff-Surrey-Equity-Survey-with-prompts.pdf	Survey design	Wanted to share to allow oversight of the data being collected for this evaluation. I don't think there is any concern as the data is anonymous, but we wanted to provide as the information does include some demographic data and the potential for reidentification if excessive data collected.	This seems a relatively seems straightforward programme given the nature of the data. There is very little danger of re-identification by UI from the dataset it will receive. With GP knowledge of their patients and appointment details, some respondents might be re-identifiable by them. A small thing, but the form asks for postcode data down to 'sector' level (the outward part plus the first digit of the incoming code) and 'asks' the completer not to enter a full postcode. However, does it actually prevent that as a respondent might ignore the request? Postcode formats are a bit tricky to validate. Full validation can be done using RegEx expressions if the form software allows them, but a simple way would be to split the data collection into two separate parts 1. The variable length (2 - 4 characters) outward part e.g. SW1A, BN12, TA2, N1 and 2. The first digit of the inward code. Just a thought.			16	13.5	Assessed	20	read	2024-01-29 11:43:01
Rapid Health	Unity Insights	18/01/2024		Fay	Maddock	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		Quantitative and Qualitative evaluation of Rapid Health's GP booking solution, providing GP's and patients with digital appointment booking and management tools.	Rapid Health GP - The Groves Medical Centre, New Malden	Yes, possibly, or not sure	The project will use pseudonymous extracts from both GP and provider systems, both will be linked to connect the patient details with outcomes (appts booked, attended, DNA, cancelled etc). Some extracts will be aggregated, so exact connections TBC. But health inequalities perspective will try to observe which cohorts are likely to engage. Data is expected to be treated as anonymous, and we will ensure data controllers are satisfied that the right level of protection is in place.	(n) We decide how to transfer the personal data from one organisation to another, (o) We decide the details of the security measures protecting the personal data	Unity Insights will be Data Processor GP will be Data Controller, Rapid Health may also operate as DC for some data.	Yes, possibly, or not sure	There is going to be a survey element, Unity will not be directly sending and results will be anonymous. Consent to be managed by the Data Controller when sending the survey out, if applicable.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Ethnicity and disability status will be sought as part of the extract from the GP, or the survey, intended to be anonymous.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.rapidhealth.ai/smarter-primary-care						https://exigia.com/wp-content/uploads/ff-3061b639b4f35d093ae29007cf51f7f1-ff-Rapid-Health-Unity-Insights-0683-Evaluation-service-contract-Dec-2023-Final.pdf	Contract, schedule 4 covering data protection	Raised due to the linked data aspect, next steps for project are to define the process for pseudonymisation and ensure the data controller is comfortable with the data flow and provision of data to Unity.	If the linking concern was raised in relation to data coming from both the GP and the supplier: 1. There should be no issue where personal data from the supplier is data it holds as a processor on behalf of the GP practice as you will have a DPA. 2. If/where the supplier is acting as a controller, you would need to act as a processor for the supplier wand raise another DPA. This assumes that you have no need to act as a controller of that data yourselves, in which case it would instead be a form of data sharing.			16	13.5	Assessed	19	read	2024-01-18 13:01:02
Stay Alive	Unity Insights	14/12/2023		Sage	Bannister	Annie	Miller	annie.miller@unityinsights.co.uk	Submitted by Annie Miller via email on 14/12/2023 asking for a response by 15/12/2023.	From an initial email sent by Annie Miller: Annie Miller, Sage Bannister, and Marie-Anne Demestihas are currently working on a project called Stay Alive, which aims to investigate the effectiveness of a suicide prevention app. To analyse this, they have created a fully anonymous survey to understand app users’ opinions. They would like to include the following: Demographic information including, age (in 10-year age brackets), gender identity, if their gender identity matches their assigned sex at birth, and county of residence. All the demographic questions have a “prefer not to say” answer option. A number for a suicide helpline, as the survey content may be distressing. Wondering if this is appropriate to use as it is an external resource, and if there are any legal implications from including this? We were wondering if you could help us with the data protection aspects of this; is it okay to ask these demographic questions and include contact information for a suicide helpline? I have attached the evaluation framework with the survey questions, the evaluation plan, and the link to the survey if needed for context. Stay Alive 2023 Survey (surveymonkey.com)	Unity Insights, Grassroots Suicide Prevention and possibly others.	Yes, possibly, or not sure	Possibly demographic information including, age (in 10-year age brackets), gender identity, if their gender identity matches their assigned sex at birth, and county of residence. All the demographic questions woiuld have a “prefer not to say” answer option.		Details not yet supplied	Yes, possibly, or not sure	Details not yet supplied	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	Details not yet supplied	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Details not yet supplied	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Details not yet supplied	https://www.surveymonkey.com/r/65N8YQX						https://exigia.com/wp-content/uploads/ff-4277ef64c7201b86e7b93fbb960e385a-ff-Stay-Alive-Evaluation-Plan-v0.5.docx, https://exigia.com/wp-content/uploads/ff-8d35710f0f394cb9f379a67ca14974a4-ff-Stay-Alive-Framework-v0.2.xlsx	Evaluation Plan and Evaluation Framework with survey questions		My initial thoughts are based on limited knowledge e.g I do not have a list of the parties involved. From reading the proposed survey questions however it appears that participants could not be directly identified from the responses and therefore the survey responses do not constitute personal data. Care would need to be taken in relation to the technical aspects of the survey to prevent linkage to the user via data held by Grassroots although on the face of it this should be impossible unless perhaps a sparce distribution of app users by county could pinpoint an individual. I am not yet clear what data sharing agreements are envisaged and why they would be required. This may need clarification, but only if actual personal data is involved. Notwithstanding the fact that there appears to be no personal data involved and assuming that UI is to be a 'processor'of the data, it would be prudent to ensure that the agreement between UI and Grassroots (or any other relevant party involved) included the standard processor clauses.			1	13.4	Assessed	18	read	2023-12-14 14:06:53
KSS InHIP Programme	Health Innovation KSS	29/11/2023		Tom	Myers	Pete	Aldridge	pete.aldridge@unityinsights.co.uk	This covers three different InHIP projects, one for each ICS within KSS. The parties and proposals vary somewhat, but as we are working to avoid any personal information I thought I would submit one to give you context in case of further questions.	NHS England’s Innovation for Healthcare Inequalities Programme (InHIP) is a unique collaboration between the Accelerated Access Collaborative (AAC), NHS England’s National Healthcare Inequalities Improvement Programme and the Academic Health Science Network (AHSN Network), and delivered in partnership with Integrated Care Systems (ICSs). InHIP projects aim to address local healthcare inequalities experienced by deprived and other under-served populations, by working with local communities to improve access to the latest health technologies and medicines. All three ICS have proposals funded to reach out to communities at risk of high cholesterol to improve lipid management treatment rates in areas where services typically struggle to engage.	Kent ICS Sussex HCP Surrey HCP KSS AHSN - have commissioned Unity Insights for the evaluation Alliance for Better Care - GP Provider in Surrey Other local GPs and service providers	Yes, possibly, or not sure	We are asking for data to be pseudonymised, and ensuring that local ICS DPO are fully briefed in the data requests and our efforts to minimise data.		Data Processors in all cases, data is already being collected as part of the main projects.	Definitely not		Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not								https://exigia.com/wp-content/uploads/ff-94f2fc7465bfff19ab40d6a4d29820b7-ff-Kent-and-Medway-InHIP-Evaluation-Proposal.docx, https://exigia.com/wp-content/uploads/ff-391960120edda06f86079eafffac0ff7-ff-Surrey-InHIP-Evaluation-Proposal-1.0.docx, https://exigia.com/wp-content/uploads/ff-05ab872594f00957bd4d4af9f2bdbbd1-ff-Sussex-InHIP-Evaluation-Proposal.docx	The three evaluation proposals	I am going to forward over a query separately relating to the data sharing process for Surrey.	Noted that UI is a processor and along with pseudonymisation the project bears little risk.	Subsequently reviewed a data file and found no identifiable or realistically re-identifiable data in it.		16	13.4	Assessed	17	read	2023-11-29 15:43:25
Phyllis Tuckwell MND CNS Role Evaluation	Unity Insights	16/11/2023		Laura	Shaw	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		Implementation of a clinical nurse specialist role focusing on Motor Neurone Disease support within Guildford and Waverley area to provide central coordination for patient care, facilitate pathway development , provide a link between local services and specialist care centres. Mixed methods evaluation work including some quant, but mainly qualitative info, including testimonials from staff.	Phyllis Tuckwell memorial hospice Ltd - Charity delivering the service to the Sub-ICB (ex CCG, now part of Surrey Heartlands ICS).	Yes, possibly, or not sure	Some testimonials have been collected with staff information (names, roles), for which consent is not currently clear. Some references to patient forenames as well. Other data is either aggregated or anonymous (surveys and quant data).		We are acting as Data Processor	Yes, possibly, or not sure	Unsure of how this was managed through the charity in terms of collecting testimonials.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not								https://exigia.com/wp-content/uploads/fluentform/ff-82cb215c77ce26377db9fd3d2514cb75-ff-Phyllis-Tuckwell-Unity-Insights-Analytic-Services-Contract-0676-Sep-23-Final.pdf, https://exigia.com/wp-content/uploads/fluentform/ff-0b171c5a69e42c4dda70099af2885f5b-ff-220224-MND-Specialist-BCF-Business-Case.docx, https://exigia.com/wp-content/uploads/fluentform/ff-e042e66a5ab6cf600eb96ac76a54567e-ff-GW-ICP-Transformation-One-Page-Pre-Business-Case-Proposal-Dec-2020._-003-004.docx		I think the main question is just making sure that we feed back to the charity appropriately to make sure they don't send us through anything we shouldn't have. A couple of testimonials talk about caseworkers from the charity and others are clearly from specific staff elsewhere that have been asked for input for sharing. They will be anonymous in the output but thought it was worth flagging as we will ask them to remove names going forward and may need to remove from any saved data.	As a processor there is no legal issue in receiving names (personal data) as described. However it is best to adopt the minimisation of personal data processing as planned as this is best practice and ob=ne of the guiding principles of the GDPR.			16	13.3	Assessed	16	read	2023-11-16 10:59:59
MyCOPD SBRI : Propel Study	Unity Insights	14/11/2023		Peter	Aldridge	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		See also the protocol, uploaded. A long-term study into the benefits and impact of MyCOPD across two settings, within the acute setting in Bristol, and the Community (rehab delivery) within Cornwall. We are looking to gather data through the project itself (consented, the company is doing this and we will receive pseudonymous outputs), along with extracts from the healthcare organisations involved.	BNSSG ICB Cornwall ICB My M Health North Bristol Trust University Hospital Bristol and Weston Trust Cornwall Partnership NHS Foundation Trust West of England Academic Health Science Network - project support University of Southampton - undertaking qualitative evaluation	Yes, possibly, or not sure	Data will be pseudonymised and we intend to link the outcomes of the study calls (which include personal information, regarding demographics etc) with the hospital and app data.		We are a data processor, but we have helped design and build a data collection tool for My M Health	Yes, possibly, or not sure	All participants have consented to participate in the study.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Explicit consent	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not								https://exigia.com/wp-content/uploads/fluentform/ff-8ddfdc7c577dfc3ba141cce4513eaa2d-ff-IG23-448-Data-Protection-Impact-Assessment-SBRI-09MAR2023-edit.pdf, https://exigia.com/wp-content/uploads/fluentform/ff-a7fc107da2d2777fa4f7d5e5f2597ed6-ff-Data-Sharing-Agreement-SBRI-09MAR2023.docx, https://exigia.com/wp-content/uploads/fluentform/ff-57583109cb5d53b74098042408f57444-ff-PROPEL-myCOPD_Protocol_V3.0_31JUL2023-1.docx.pdf		As mentioned in my call a couple of weeks ago, there is a query relating to the update of a DPIA for UHBW which was requested to ensure that the data can be provided for an adequate amount of time, especially as the project has been pushed back.	The very through DPIA seems to cover the situation well.			16	13.3	Assessed	15	read	2023-11-14 11:56:20
BSW Integrated Care Record	Unity Insights	12/10/2023		Lea	Quentin	Pete	Aldridge	pete.aldridge@unityinsights.co.uk	Analyst: Pierce Coveney	Quant and qual analysis to develop a statement of planned benefits for the deployment of ICRs in the region, defining potential impacts and benefits streams, but not to the point of a formal health econ analysis. The ICR programme is an online data sharing platform for clinicians and healthcare professionals to submit patient notes and medical information, so other health and care organisations can access the information securely, through a single point of access, supporting data transfer between organisations. "The ICR uses the Graphnet Carecentric platform to share and contribute information from partners across the BSW system. The Carecentric ecosystem includes features for; direct care, population health management, care plans and person held records. All of these are in use within BSW to a greater and lesser degree."	BSW ICB Graphnet - provider of the platform The other programme partners include: BSW GP practices Royal United Hospital Bath Great Western Hospital Swindon Salisbury FT Hospital HCRG BaNES Community Services Wiltshire Health and Care Community Services Swindon Community Services Medvivo Wiltshire Local Authority Swindon Local Authority B&NES Local Authority BSW Hospice partners	Yes, possibly, or not sure	The qualitative aspect of the evaluation will include a survey where participants can opt to support an interview stage. This will include consent and the collection of contact data. Quant data will consist of anonymised primary, secondary and social care staff data for quant. Covering which orgs accessing, what part of the ICR they access and number of total user etc. Data is individual, but only includes a tag for the organisation logging in via SSO details.	(l) We decide how to store the personal data, (m) We decide what IT systems or methods are used to process the personal data, (p) We decide how to ensure the retention schedule is adhered to	Believe BSW ICB is the data controller and Unity will be Data Processor	Yes, possibly, or not sure	Initial consent/opt-in embedded into user survey (delivered via the ICR) provide details. Consent reiterated (and recorded) in interviews, some of these have already taken place. Will need to communicate our privacy policy to these to ensure they are fully informed of who to contact (although they would previously have the ability to to do so via the ICR team).	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	Need to confirm whether we need to contact staff who have had an interview already to retrospectively provide contact details, rights and privacy policy info.	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not		Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://bswtogether.org.uk/about-us/our-integrated-care-strategy/	https://www.graphnethealth.com/solutions/carecentric-shared-care/											16	13.3	Assessed	14	read	2023-10-12 14:05:26
Florence	Unity Insights	12/10/2023		Mike	Long	Pete	Aldridge	pete.aldridge@unityinsights.co.uk	Further contact for project: Cameron Murray (Analyst)	Florence is an AI-driven support application for patients with hypertension, designed to manage symptoms and support condition self-management. It is being implemented at two KSS PCNs for the evaluation, with two other PCNs planned. The evaluation is covering qual, quant and health economic analyses and will utilise pseudonymous patient data for the latter two, and the qual currently consists of an anonymous staff survey, but could extend to interviews (with consent) if time allows.	Foundry Healthcare Lewes PCN - Geraldine Hoban (Project director) West Hove PCN Sussex Health and Care Partnership - Mark Watson, Lisa Douglas Generated Health - innovator HIKSS (KSS AHSN) - funding the work, Athina Lockyer is the PM.	Yes, possibly, or not sure	Main data flow will rely on Florence to inform participating organisations with details of enrolled patients, for an extract from the electronic patient record to provide an insight into healthcare utilisation following the implementation of Florence, this will include blood pressure readings from the patients. This is planned to be pseudonymised before being shared back to Unity Insights. Actual data from the PCNs will be aggregated, only the data from Florence will be full, pseudonymous reports (so worth sending direct to us, rather than via the PCN/ICS unnecessarily?)	(l) We decide how to store the personal data, (m) We decide what IT systems or methods are used to process the personal data, (n) We decide how to transfer the personal data from one organisation to another	I think: Data Controllers Florence (GH) - data controller for users signed up to the platform (user agreement or similar will need to allow the use of data) ICS/PCNs - in respect of patient data held by NHS, and the patients signposted to Florence I think UI are a Data Processor, HIKSS should not need any sight of the received data and are just interest in the outcomes of analyses.	Yes, possibly, or not sure	Either via User Agreement, or for any staff interviews that are required	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	May rely on the pseudo data being considered not personal data.	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	If the data is considered personal data by the controller, the blood pressure readings may fall into health data.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://generatedhealth.com/flo						https://exigia.com/wp-content/uploads/fluentform/ff-4bcfb96feed0e986b080755156fc2b15-ff-Option-A.pptx, https://exigia.com/wp-content/uploads/fluentform/ff-928aa1737c4cf2aa166409754ba752d8-ff-Florence-Evaluation-Option-B-Quantitative-Data-Template.xlsx	Details of the proposed data flow There is an alternative approach proposed where Florence do send us data direct (pseudo), proposed template attached.	I think we need to ensure Florence are comfortable with the data flow and that the ICS have capacity to extract the required data, which may also require a DPIA, but as agg. data should be a formality.	This looks like straightforward data processing. You don't mention a contract, but I assume there will be a suitable one.			16	13.3	Assessed	13	read	2023-10-12 13:02:57
Vinehealth	Unity Insights	20/09/2023		Lea	Quentin	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		Vinehealth (VH) is a mobile platform that encourages people living with cancer to self-manage by allowing them to monitor their symptoms, manage their medication and understand their care plan and progress along with their care team and loved ones. The app has been deployed across nine NHS sites to inform an RCT, being conducted by University of Surrey (UoS). Alongside the RCT, Unity have been commissioned to provide health economic analyses of the platform, in the form of a budget impact model and cost-utility analysis.	VineHealth Ltd University of Surrey KSS AHSN - co-funding the work Sites deployed at: Hywel Dda Royal Surrey County Hospital Barking, Havering & Redbridge Yeovil District Hospital Clatterbridge Cancer Centre Royal United Hospitals Bath Maidstone & Tunbridge Wells Wrightington, Wigan & Leigh East Suffolk and North Essex	Yes, possibly, or not sure	Data will be provided both directly from Vinehealth and via the university. Both datasets will be pseudonymous with platform and trial references, rather than clinical IDs like NHS number.	(m) We decide what IT systems or methods are used to process the personal data, (o) We decide the details of the security measures protecting the personal data, (p) We decide how to ensure the retention schedule is adhered to	I think Vinehealth will be the primary data controller in respect of patients that have signed up to their platform, but there will also be the trusts that the sites operate under that will also have some responsibility for patients being directed to Vinehealth. As the deployments were specifically commissioned to support research and evaluation of the platform, I think we will only be dealing with Vinehealth directly, and agreements will be with UoS and VH. The RCT will have informed consent and any users of VH will also have had a user agreement.	Yes, possibly, or not sure	The RCT has informed consent (unsure whether this will specifically have covered the health economy service evaluation), the platform has a user agreement.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	Participants have consented, but will seek to ensure that any data received is not personally identifiable, with the use of pseudonymisation.	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Explicit consent	Not processed	Not processed	Definitely not	If the data is considered Personal then it will include treatment, diagnosis and symptom information for the participants.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.vinehealth.ai/						https://exigia.com/wp-content/uploads/fluentform/ff-830c699ba3bce086fdb510c4d0f9c43f-ff-DRAFT-Scoping-plan_Vinehealth-CUA-v1.pdf		Our contract is with VH and KSS AHSN, and should cover the data requirements direct from VH, but there is likely to be a need for a Data Sharing Agreement to cover the transfer of data via UoS. Currently waiting for a template agreement from UoS, which we will share with you for review when received.	This appears to be a fairly standard processing activity covered by UI's contract with VH that I assume has or will be vetted. If and when data sharing agreements appear please pass them to me for an assessment, remembering that by entering into them you may be agreeing that you are a (joint) controller of personal data. It isn't clear to me at this stage that this would be the case. Just because a data feed comes from UoS doesn't necessarily mean that it couldn't be covered by their agreement with VH and the your processing contract with them. 23/02/2024 Following discussion re a potential DPA with UoS, UoS were asked to clarify their role and replied with a 'Joint Controller' Agreement between themselves and Vinehealth.			16	13.2	Assessed	12	read	2023-09-20 14:40:48
Health Inequality - Reducing Restrictive Practice (SABP)	Unity Insights	26/11/2021		Conor	Briant	Peter	Aldridge	pete.aldridge@unityinsights.co.uk	See also: FREED.	Data gathering to support the build of a dashboard and eventual evaluation report into the Patient Safety Collaborative's Reducing Restrictive Practice care package in Mental Health settings, with a particular view on how it affects health inequalities across this sector. Data collection will be regional, while the care package (and efforts to reduce restrictive practice) is part of a national mandate.	Surrey and Borders Partnership NHS Foundation Trust (SABP), KSS AHSN & UI, Mental Health Units within SABP area	Yes, possibly, or not sure	All of the following data is at patient-level (pseudonymised using what I believe is an internal Trust ID number) - Patient's initials - Protected characteristics (age, sex, ethnicity, religion/belief etc.) - Appointment dates and waiting times - Clinical data relating to factors such as: -- Symptom scores (e.g. PHQ-9) -- Information on eating disorder-related symptoms (e.g. binge episodes, vomiting episodes etc.) -- Measures such as height, weight and BMI -- All for pre-treatment, mid-treatment, post-treatment and follow-up. - Full name of the therapist/Consultant/clinician		UI are Data Processor, would expect SABP to be the Data Controller as they are already collecting the relevant data on clinical systems. [DPO Note: UI act on behalf of KSS AHSN who are a Processor]	Definitely not		Definitely not		Definitely not	Definitely not	Yes, possibly, or not sure	[Conor] Was '"unsure whether Legitimate Interest would be relevant, but if the pseud ID is unidentifiable then the data may not be considered PD." [DPO] I have changed the basis from Legitimate Interest to Public Task because NHS Trusts such as SABP as the Controllers cannot use Legitimate Interest as they are a Public bodies. As usual this is a complicated NHS situation where the research is sponsored from NHSE/I, and it could be argued that they are deciding the purpose of the processing at least jointly with the trusts. That however is probably academic	Definitely not		Reasons of substantial public interest	Not processed	Reasons of substantial public interest	Not processed	Not processed	Not processed	Reasons of substantial public interest	Not processed	Reasons of substantial public interest	Definitely not	Highlighted these as a specific part of this work is to look at the demographics of individuals that have had events where restrictive practice is used. There is a field regarding the involvement of police, but nothing about the individual's history in terms of criminal data.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not											See notes re Public Task vs Legitimate Interest. I think the DPIA also recognises this on Page 19 - Applications of Data Rights. A (voluntary) DPIA was undertaken by SABP as controller. Latest version is 2.1, 10/2019. This stated that the records would be anonymised, but there seems some doubt whether it would be just pseudonymised. They also state correctly that a DPA could be required if the data turns out to be personal (inc. pseudonymised). We would then need to be clear if that DPA would be with KSS AHSN, UI or both (This is the Other Action ticked, but depends on resolution of the anonymisation vs pseudonymisation issue which the meeting of 18/02/2022 may have resolved).				13.1	Assessed	11	read	2023-09-11 14:16:31
Powerful Medical (PMCardio)	Unity Insights	05/04/2024		Conor	Briant	Pete	Aldridge	pete.aldridge@unityinsights.co.uk	Question re. PM's third country status and whether we have a responsibility to ensure sites are aware of the data being transferred to EU (and that they've done the right checks)	The project is a result of a funding award from NIHR I4I FAST, applied for by UI as the sole applicant. Collaboration agreement in place with PM covering delivery of the project. This project will explore the feasibility of the wider adoption of PMCardio by the NHS by conducting a real-world validation study evaluating the implementation of the PMCardio in a primary care setting. The aim of the evaluation is to measure and compare the outcomes and benefits of implementing the technology within select sites. A mixed methods approach is recommended to analyse quantitative, qualitative, and health economic outcomes to generate evidence against the key evaluation questions.	Powerful Medical Pilot Sites (primary care - GPs across multiple PCNs within a single ICB, exact number/who TBC, 40 interested). NHS Northamptonshire ICB Eastern HIN - providing project management support (funded by Arden and GEM CSU)	Yes, possibly, or not sure	Currently trying to keep the data required for the evaluation as an aggregated dataset, but there will be sub-sets relating to practice, suspected conditions, and some basic demographics (age/gender) that might lead to small numbers in some groupings.	(j) We jointly decide the means by which and by whom the personal data is processed, (b) We decide what types of personal data to collect, (m) We decide what IT systems or methods are used to process the personal data, (p) We decide how to ensure the retention schedule is adhered to	I think the active role in driving the pilots and evaluation activity increases the role of UI beyond the usual processor role, but am not 100%	Definitely not		Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	Nothing agreed at this stage, we need to ascertain the final data design and consider whether consent is required. As expected to be all aggregate, may not be required.	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not sure	Not processed	Not processed	Definitely not	I think the outcomes of the process will only be needed, in aggregate terms, to identify the kind of issues diagnosed with some broad (age, gender) demographic groupings and accuracy markers from clinicians (whether or not they agree with the app), rather than any of the analysis outputs from the app itself. Therefore I don't think we will need data directly relating to individual's health.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.powerfulmedical.com/	https://www.nihr.ac.uk/documents/nihr-i4i-fast-contract/34842	https://www.powerfulmedical.com/legal/pmcardio-privacy/	https://www.powerfulmedical.com/legal/pmcardio-terms/	https://www.powerfulmedical.com/security/	Please note, a further issue exists in that the company operates in the EU and a third country assessment may be needed (doesn't directly affect us, but if we are a joint controller we might need to ensure any joint agreements with sites cover the requirements)	https://exigia.com/wp-content/uploads/ff-b57619a67168b1a70cf621025e34967a-ff-Powerful-Medical-Scope-v1.0.docx, https://exigia.com/wp-content/uploads/ff-d988a6e76ced34c1138b578eb8110c9c-ff-Powerful-Medical-Unity-Insights-0697-Evaluation-service-contract-Apr-24-Final.pdf		Further to ensuring sites/ICB have the right 3rd country tests in place, do we have a responsibility to ensure the right agreements are in place between PM and the sites to process identifiable healthcare and biometric data as part of their service? Or any reputational risk if any of this doesn't get picked up by the ICB? Obligations for reporting if we identify any breaches? Conor has concerns that a risk might exist where clinicians might sign up for the personal account instead of through the pilot and this might arise in the data. Not aware of any safeguards to prevent this. I'm not sure of how we would be in a position to know (I think this would be the GPs responsibility). There is the ability to sign up and process up to 5 ECGs without a subscription. T&Cs state that the customer (GP) is the controller IRO the data they upload to the platform.			conor.briant@unityinsights.co.uk	16	13.5	Assessed	10	read	2024-04-05 16:05:02
O2matic	Unity Insights	22/04/2024		Sam	Sutton	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		O2matic produce an automated system to adjust the oxygen flow, being trialled for COPD and respiratory patients, based on oximetry readings and other clinical markers, reducing time and reliance upon clinical staff to recognise and react to changes in patient condition and enhancing the support for patients undertaking Pulmonary Rehab. We are providing quant analysis in support of the trial/pilot (not a full clinical trial) into the product's deployment.	O2matic Medway Community Healthcare CIC HIKSS (work is being done as part of our service contract with them)	Yes, possibly, or not sure	Data will be taken from both O2matic and the trust, which will be linked and so expected to be pseudonymous in nature, unless a data flow is agreed through which the data can be linked before sharing.	(k) We are processing the personal data for the same purpose as another controller, (l) We decide how to store the personal data, (m) We decide what IT systems or methods are used to process the personal data	Unity will be a Data Processor for the evaluation work.	Yes, possibly, or not sure	Informed consent will be used for the trial.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Explicit consent	Not processed	Not processed	Not processed	Not processed	Not processed	Explicit consent	Not processed	Not processed	Definitely not	demographic data and clinical markers for the condition will be gathered to support analysis.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://o2matic.com/	https://www.medwaycommunityhealthcare.nhs.uk/about-us					https://exigia.com/wp-content/uploads/ff-5e5250cbd081e3608bb6cefcf2ac1a26-ff-O2Matic-Scoping-Plan.docx		We have a call with the trust next week to discuss data flows and potential DSA requirements, if deemed necessary. May updated after if needed.			sam.sutton@unityinsights.co.uk	16	13.5	Assessed	9	read	2024-04-22 17:25:08
Anya	Unity Insights	18/06/2024	#3450	Alex	Round	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		Anya is a breastfeeding support app designed to provide support for new parents, we are undertaking an evaluation following its introduction through a couple of community health teams (CHTs) in the North West. Anonymous and aggregated data is expected primarily, including some demographic data. A few interviews will be held with the community team leads.	Anya (LatchAid Ltd) Manchester Community Health Team Wigan Community Health Team	Yes, possibly, or not sure	Should only be the interview contact details, we don't have a contract with the CHTs, so will obtain consent for the interviews (no data relating to the individual will be recorded, other than the recording itself). Data from the app provider will include a patient reference, but this will not link into any clinical systems and will be irreversible. All CHT data to be aggregated.		Data Processor	Yes, possibly, or not sure	For interviews, information will be provided with the interview invites and confirmed again at the outset of the interviews.	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	Age, ethnicity and post code sector to be provided by the app provider, but not in identifiable format.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://anya.health/									Seems routine and straightforward.			16	13.5	Assessed	8	read	2024-06-18 13:29:33
Lifebox	Unity Insights	02/07/2024	#3481	Léa	Quentin	Pete	Aldridge	pete.aldridge@unityinsights.co.uk	Dana Daderko is also working on this with Léa.	Definition LifeBox is a digital pre-operative assessment tool which supports patient assessment, hospital decision-making and personalised patient care. We are undertaking a quant and health economic evaluation covering its use in Royal Sherwood hospitals. Commissioned by Definition Health, who own/provide LifeBox).	Sherwood forest hospitals NHS foundation trust (Kings Mill and Newark hospitals) Definition Health (LifeBox provider)	Yes, possibly, or not sure	Data will use a pseudonymous patient level reference to link data provided by Definition Health (DH) with Surgery data provided by the trust. This will be a project specific reference defined by DH and we will not be able to reverse or identify. However, we will receive some demographic data (age group, gender, ethnicity, post code (first four digits)), so need to ensure this remains unidentifiable. [See DPO Comments]	(m) We decide what IT systems or methods are used to process the personal data	I believe UI will be a Data Processor	Definitely not		Definitely not		Definitely not	Definitely not	Definitely not		Definitely not	As the reference is not identifiable I don't think any personal data is being processed, will upload an example data template for review. (See DPO Notes)	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	As mentioned ethnicity data is being collected, but not in a form of personal data.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.definitionhealth.co.uk/lifebox-epoa-solution/						https://exigia.com/wp-content/uploads/ff-ab597e3d725fe2ebf30a30d0b32d9132-ff-LifeBox-Data-Template-v3.xlsx	Data template attached. Surgery tab data to come from the trust (except the demographic data fields, which will be linked from the DH data), all other tabs to come from DH systems.	Some survey data (anonymous) covering patient experience may be gathered, these data are gathered by the platform as standard (not UI design).	The fact that you are processing pseudonymous data means that you are processing personal data even though you can't identify whose data it is. This is not however a problem assuming that you have contracts/DPAs with the controllers and represents a good minimisation and data security approach. Assuming you have satisfactory contracts and DPAs with the processors this appears to be a standard UI processing operation.			16	13.5	Assessed	7	read	2024-07-02 13:13:30
Real Birth Company - SBRI	Unity Insights	30/07/2024		Ben	Williams	Pete	Aldridge	pete.aldridge@unityinsights.co.uk		Real world evaluation of implementation of maternity information and training system at Epsom and St Helier. Pseudonymised patient-level data including age band, ethnicity and post code sector, plus clinician surveys / interviews.	Epsom and St Helier Uni Hospitals Trust Real Birth Company	Yes, possibly, or not sure	Pseudonymous ID used to link two datasets, one from the company, one from the trust (data flow attached later). ID is to be provided by the company and so would be reversible to them, although they will have user agreement to process information.		UI is a processor IRO this project.	Yes, possibly, or not sure	User consent from RBC trainees, no direct consent regarding the outcomes data we would like to access (hospital episode details to understand attendance and outcomes).	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	We are going through the process of DPIAs etc with the trust, but we are asking for outcomes data (attendance details) that can be linked to the demographic data (age group, high level ethnicity), so this might step into an area where we either need informed consent or request an anonymous dataset with the linkage already completed.	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not		https://www.therealbirthcompanyltd.com/about/	https://www.therealbirthcompanyltd.com/2024/01/31/new-funding-awarded-for-second-sbri-project/					https://exigia.com/wp-content/uploads/ff-4b218400e52b7ab81f8c0608db6b60c3-ff-202401_UI-The-Real-Birth-Company-SBRI-Evaluation-Plan-FINAL.pdf, https://exigia.com/wp-content/uploads/ff-19415bb7e8bdbf72c60d45b278071268-ff-Proposed-RBC-Data-Flow-v1.0.pdf		As previously mentioned, this might step into an area where we either need informed consent or request an anonymous dataset with the linkage already completed. We have a request to consider whether a DSA is needed (I have advised we need to properly communicate the data flow to let the controller make an informed decision.	1. As a processor for RBC I agree that you will need a DPA or suitable contract with them. 2. The Trust would need informed consent from its patients to share any identifiable or re-identifiable personal (outcome) data. 3. If there is any such data sharing, the DSA, baed on the patient consent, should be between the Trust and RBC and not with UI (regardless of the supply route) as UI would only be processing it whilst acting as a processor for RBC and not in its own right.			16	13.5	Assessed	6	read	2024-07-30 10:56:40
DHSC Women and AI booklet	Health Innovation KSS	10/10/2024		Lisa	Devine	Pete	Aldridge	pete.aldridge@unityinsights.co.uk	Melissa Ream is also working with Lisa to co-ordinate this. This relates to Kelly's email on the 4th.	The HIN have been engaged by DHSC to help produce a booklet on developments utilising AI to support Women's Health. To achieve this DHSC will conduct a data collection process, through a survey, which will then be passed to HIKSS to reviews responses and put together the booklet. The DHSC DPO office has been engaged and provided some guidance regarding consent steps, HIKSS are considering asking for some slight changes to enable further contact where the HIN feels it can support the innovators. The review process will include a panel, including an AI fellow, who works as a GP. We are asking whether a formal agreement is needed before providing access to any data. There is also no formal contract that I am aware of, subject are aware of data being passed to HIKSS in the consent step, but there's nothing to cover the exchange of results between DHSC and KSS.	DHSC HIKSS AI Fellow Participants (data subjects acting on behalf of their companies - although some may be researchers)	Yes, possibly, or not sure	Just Name, Role and Email to support follow-up queries.	(p) We decide how to ensure the retention schedule is adhered to, (i) We decide how long to retain personal data, (r) We decide how to delete and/or dispose of the personal data	HIKSS are a data processor, as DHSC are collecting the data and designing the data collection.	Yes, possibly, or not sure	Message from deputy DPO at DHSC: Thanks for your time earlier. As discussed, you’ll just need some kind of tick box or permission request on the MS Form that asks if the individual is happy to provide their contact info for XXX future purposes. And then you’ll need separate ones for: - Sharing the contact info with external partners (such as the HIN) - Subscribing to any regular communications (e.g. newsletters), which will also need to have an “opt-out” option whenever they receive one And then just provide a link to DHSC’s overarching privacy notice at the end if anyone wants more info on how DHSC process their personal data Kind Regards,	Definitely not		Definitely not	Definitely not	Definitely not		Definitely not		Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Not processed	Definitely not	None	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	Definitely not	None									No contract or anything to provide, or a link to the draft form yet. I don't think this is the biggest risk as the data is minimal, but it's strange that there's not even an MOU to cover the commercially sensitive data that might be coming across. I guess if the DPO is happy enough, that might be fine. I do think there should probably be something to ensure the AI Fellow is held to the same IG standards as other staff. I agree that if the GP/AI Fellow is not an employee of the controller or processor then sharing with her/him needs formalisation and transparency.	I would advise against totally relying on a DPO being happy (even me!). Of course if you are acting as a processor you need a contract/DP Agreement and the consent needs to reach the standard of informed consent. Tick boxes alone could be inadequate i.e. they may need supplementing with a detailed explanation, guidance and perhaps a means of asking questions for clarification.			16	13.5	Assessed	5	read	2024-10-11 10:47:16