Information Governance

7.1 Understanding When a DPIA is Required 

Returning to the spectrum of social prescribing to understand when information governance is required:  

  • Sign-post. This is when someone (a friend, family member or another community asset) suggests to a person that they try an activity or a group. The Person may have seen it advertised on social media or in local newsletters/papers promoting the activity or the support group. The overall responsibility rests with the Person informed about the activity or event to find out more for themselves and to decide whether the recommendation and/or suggestion is suitable for them to attend. 

If the sign-post is suggested by a Healthcare Professional to a Patient, it would be advisable for the Healthcare Professional to know whether the activity or group they are suggesting to the Patient is suitable and run by a reputable organisation. Indicators of a reputable organisation include registration with ALISS/NHS24/Scottish Services Directory or endorsement by a Health and Social Care Partnership. In addition, there may be initiatives whereby ‘Provider Agreements’ have been arranged between organisations, e.g. the Green Health Partnership in NHS Highland.  

Likewise, another Service Provider (e.g. a community asset) may also take on the ‘identifier’ role and, after meeting a Person/Client attending one of their own sessions, suggest that they engage with another service/organisation. Again, when suggesting or recommending another organisation to a Person, it is advisable to make sure the recommendation is to a reputable organisation. 

Note: A sign-post involves no personal information being shared between organisations and therefore requires no information governance arrangements. 

  • Self-Referral. A self-referral is when a Person has referred themselves to an organisation and provided their own personal information to that organisation. An example of this could be an on-line form on the organisation’s webpage to sign up to attend an organised activity.  

Note: The organisation would be the Data Controller from the start, and in this case NHS Grampian would not need to be involved in the information governance arrangements. 

A GP practice may, for example, have a self-referral form on its webpage for Patients to self-refer to the GP Link Worker. The on-line form may or may not interface with the GP practice IT system and update the Patient’s medical record with details of the self-referral. 

Note: In this case the GP Practice’s current Privacy Notice, found on its webpage, will cover any aspects of the self-referral updating the Patient record. 

NHS24/Scottish Services Directory (SSD) provides functionality for some of its registered organisations to have an on-line enquiry form, completed by the Person providing their own personal information, so that the organisation can contact the Person to discuss their enquiry further. 

Note: The information governance arrangement required for the self-referral functionality is for each organisation to have its own Privacy Notice. Self-referral is not about an organisation sharing personal information about someone with another organisation. A Person sharing their own personal information with another organisation, whether by completing on-line or paper forms, over the telephone or in person, is doing so with their own authorisation. 

  • Social Prescription Referral. A Healthcare Professional (the Identifier) recommends a referral pathway to a non-clinical Service Provider. The Patient (the Service User) gives consent to be referred and also gives consent for personal information to be shared with the Service Provider via the GP Link Worker (the Connector). The Patient’s medical record is updated. In addition, there may be a request for progress information to be recorded back to the Identifier regarding the impact of the social prescription on the Patient’s health and wellbeing. 

Note: A DPIA would be required in this case.  

7.2 What to Consider When Completing a DPIA 

There are several areas of information governance for the project team implementing the social prescribing project to consider and agree. First of all, establish whether any sharing agreements are already in place with the specific Service Providers and what additional arrangements may be required. The Process Map and a Data Flow Diagram are useful to illustrate and explain the ‘Data Journey’ (see Appendices 3 and 12). Privacy Notices will have to be either reviewed or established between organisations, as will Risk Assessments explaining how data will be shared and stored safely, with mitigations in place to avoid data breaches (see Appendix 11). Service Providers are required to evidence the organisational and technical controls showing how personal data will be managed and stored (see Appendix 17).  

The DPIA will outline the Data Controllers and the Data Processors and their roles and responsibilities. This will include NHS Grampian’s Data Protection Officer (DPO). Information Sharing Agreements (ISAs) will be compiled and jointly agreed between the parties (see Appendix 14).

Appendix 7, DPIA Guidance for Completing the OneTrust On-line Form for Social Prescribing Projects, aids the completion of the on-line OneTrust DPIA form. A OneTrust form has to be triggered by the Information Governance Team following a conversation with the project team to ascertain that a DPIA is required.  

Once a OneTrust form is generated by the Information Governance Team, the project team leads need to start completing the form, uploading the additional documents within the relevant sections of the on-line form. A list of all the supporting documents required for the DPIA can be found in Appendix 7 and is listed below:  

| DPIA Ref  | Item                                                                                                   | Appendix Ref |
|-----------|--------------------------------------------------------------------------------------------------------|--------------|
| 3.1       | Business Case                                                                                          | Appendix 1   |
|           | Memorandum of Understanding                                                                            | Appendix 8   |
| 3.2       | Data Subject Sheet – Personal Data Elements: GP Practice Referral Form to GP Link Worker (via SCI Gateway) | Appendix 4   |
| 3.7       | Process Map                                                                                            | Appendix 3   |
|           | Data Flow Diagram                                                                                      | Appendix 12  |
|           | Referral Form from GP Practice to GP Link Worker (via SCI Gateway)                                     | Appendix 4   |
|           | GP Link Worker Assessment Form                                                                         | Appendix 5   |
|           | GP Link Worker Referral Form to Service Provider                                                       | Appendix 6   |
|           | Standard Operating Procedure for GP Practice                                                           | Appendix 15  |
|           | Standard Operating Procedure for Link Worker                                                           | Appendix 16  |
| 3.8       | Social Prescribing Privacy Notice for GP Practice                                                      | Appendix 9   |
|           | Social Prescribing Privacy Notice for Service Providers                                                | Appendix 10  |
| 3.19      | Information Sharing Agreement                                                                          | Appendix 14  |
| 3.21-3.38 | Organisational and Technical Controls Template                                                         | Appendix 17  |
| 4.8       | Risk Assessment Table                                                                                  | Appendix 11  |

Once a DPIA is completed and signed off by the DPO, the Governance Pack for the project will need to be reviewed within three years where there have been no changes to the data processing during that period. 

As well as the information shared from NHS Grampian to the Service Provider, there needs to be consideration and agreement as to what identifiable and non-identifiable information/reporting is to be provided back from the Service Provider to the GP Practice or GP Link Worker.