Privacy Impact Assessment Direct Access Discharge

Information Policy Development Group
11th February 2015
Agenda Item No.
CHI Seeding – Privacy Impact Assessment
Report by: Norman Kurzman, I.T. Services, Fife Council
Wards Affected: All
Purpose
This report assesses the privacy risks and compliance elements associated
with Fife Council seeding all active client SWIFT records with the NHS CHI
(Community Health Index) number as a secondary identifier.
Data matching involves sharing some data, including some demographics
related to Fife Council clients and NHS registered patients, including the CHI
number. A PIA is recommended by the statutory Data Sharing Code of
Practice issued by the ICO (Information Commissioner’s Office).
This PIA identifies possible privacy risks and assesses potential impacts
associated with matching social and health care records via SWIFT / AIS and
NHSCR (NHS Central Register).
Recommendation(s)
The Information Policy Development (IPD) Group is asked to:
 Note the contents of this Privacy Impact Assessment;
 Support the control measures identified;
 Support the initiative to match records within Fife Council and NHS Fife
databases, based on patient (NHS Fife) and client (Fife Council)
demographics, and link the records by associating the SWIFT ID (primary
ID) and CHI number (secondary ID).
Resource Implications
Resources will be required to define, develop, provide training for and
implement the necessary operational and technical controls, along with the
technical capability to set up secure communications between NHS Fife, NSS
ISD and Fife Council. Ongoing support will be required to review audit logs
and to monitor the data processing agreement on a regular basis.
Legal & Risk Implications
This PIA will be supported by a Data Processing Agreement drawn up
between Fife Council and the Common Services Agency for the Scottish
Health Service (commonly known as NHS National Services Scotland),
Information Services Division (NSS ISD), along with guides to Social Work
staff on the usage of the CHI number.
Fife Council will continue to be the overall Data Controller of the SWIFT / AIS
system and NHS Fife will continue to be the Data Controller of patients' CHI
numbers.
NSS ISD will process CHI numbers and perform automated data matching by
joint instructions from NHS Fife and Fife Council.
Impact Assessment
A Fife Council EqIA Checklist is not required because this report does not
propose a change or revision to existing policies and practices. Employees
within their respective organisation (NHS or Fife Council) will be subject to
existing policies and practices as defined in their respective organisation.
This project is consistent with the council's information policies, and with
Scottish Government legislation and guidance supporting the sharing of
sensitive personal information about adults in regard to Health and Social Work
Integration.
It also complies with relevant legislation including the Data Protection Act
1998 and the Human Rights Act 1998 and is consistent with the best practice
guidance on privacy produced by the Information Commissioner’s Office.
Consultation
A consultation workshop between NHS Fife and Fife Council Social Work staff
was undertaken in November 2014 to develop the list of data attributes which
are within scope for the Health and Social Work Integration Programme.
The CHI number will be a multi-system identifier. There has been
consultation with NSS ISD to agree CHI seeding of the Fife Council’s SWIFT /
AIS system based on matching demographics. A discussion with the ICO was
undertaken on CHI seeding all active SWIFT / AIS clients as opposed to
adults only.
The relevant Information Governance, Security, IT and legal advisors from
both organisations have been involved in this assessment.
1.0 Background
1.1
The Public Bodies (Joint Working) (Scotland) Act 2014 (“PBA”) has introduced
legislation which requires local authorities and health boards to work together
in respect of the integration of health and social care (H&SC) connected with
adults.
1.2
NHS and Fife Council need to share data about individuals receiving health
and social care.
1.3
At the present time, staff browse through a significant number of SWIFT / AIS
records to manually match health and social care records before providing a
service to the client/patient. This manual exercise is prone to human error, is
inefficient and time consuming.
1.4.
The current process does not ensure all the relevant information is available
for health and social care as and when needed through SWIFT / AIS which
has a negative impact for client/patient care.
1.5.
An NHS Community Health Index (CHI) number is a national ten-digit number
(date of birth followed by four further digits) that provides a unique
reference for health communications relating to a given patient.
1.6.
Adding the CHI number as a secondary identifier to all active SWIFT / AIS
records is less of a privacy risk than NHS staff performing a manual search
within SWIFT / AIS and then opening the detailed case file to find and confirm
matching individuals; it also ensures a more streamlined integrated service.
DPA Principle 1 states that personal information must be fairly and lawfully
processed. Additionally, DPA Principle 3 states that personal information
must be adequate, relevant and not excessive.
1.7.
NSS ISD, as the Data Processor, processes CHI numbers on behalf of NHS Fife
(the Data Controller) and carries out the data matching of Fife Council
SWIFT / AIS data with the CHI number on behalf of both Fife Council and
NHS Fife. The processing of personal data on behalf of Fife Council is
controlled by a Data Processing Agreement between Fife Council and NSS ISD.
NSS ISD also provides this service to other NHS Boards in Scotland.
1.8.
Supporting Privacy Notices will inform patients / clients of this arrangement to
share personal information between NSS ISD and Fife Council to match
health and social care records as part of the integrated H&SC.
2.0 PIA Screening Process
2.1
Privacy Impact Assessment Best Practice
The Information Commissioner (ICO) in 2014 produced a new privacy impact
assessment code of practice:
http://ico.org.uk/news/latest_news/2014/privacy-impact-assessments-code-published.
This guidance was utilised to identify possible privacy risks and assess
potential impacts associated with matching social and health care records via
SWIFT / AIS and the CHI register.
2.2
Requirement for a PIA
Data matching involves sharing some data, including demographics related to
Fife Council clients and NHS registered patients, including the CHI number. A
PIA is highly recommended by the statutory Data Sharing Code of Practice
issued by the ICO. This data matching exercise does not change the original
sensitivity of the SWIFT / AIS database. The SWIFT / AIS system holds a
significant volume of personal and sensitive data pertaining to all the Council’s
Social Work clients.
2.3
Data matching assessment
This data matching exercise will join data related to active clients of Fife
Council Social Work services who are also NHS Fife patients.
The data needed for the matching exercise is basic demographics from
SWIFT / AIS (Table 1 below) and the corresponding data from NHS Central
Register (NHSCR).
This data is held electronically within the SWIFT / AIS systems and NSS ISD
(on behalf of NHS Fife).
The data involved in the matching exercise is not sensitive personal data but
is still subject to confidentiality. The data involved from the NHS is already
available from the NHSCR.
Appendix A provides a high level data flow.
Table 1 – Demographics for Matching SWIFT / AIS & CHI Records
SWIFT / AIS fields:
 Unique social work reference known as the SWIFT ID
 Surname
 Forename
 Gender
 Date of Birth
 Postcode
 Date of Death
The sharing of demographic data cannot currently be undertaken in real time or
via a web service for new clients / patients, as NSS ISD do not have this
capability and also require all active client records in SWIFT / AIS to be
resent for each subsequent matching exercise.
2.4
Purpose
The purpose is to match the CHI number to SWIFT / AIS records, to allow
NHS staff in the future to have direct access to active clients in Social Work.
This supports joint adult / health & social care service under PBA 2014.
The aim is to deliver integrated adult health care. Additionally matching of
Council and NHS information will support analysis of management
information, costs and inform strategic planning.
2.5
Legal basis for data matching and sharing
Disclosure of information will be conducted within the legal framework of the
Data Protection Act 1998 (DPA), the Human Rights Act 1998 and in
compliance with the common law duty of confidence.
For the purpose of CHI Seeding, the CHI number will be data matched with
SWIFT / AIS records and added into SWIFT / AIS based on these legal
conditions:
 Schedule 2, Paragraph 5(b): the processing is necessary for the
exercise of any functions conferred on any person by or under any
enactment.
 Schedule 2, Paragraph 6(1): the processing is necessary for the
purposes of legitimate interests pursued by the data controller or by the
third party or parties to whom the data are disclosed, except where the
processing is unwarranted in any particular case by reason of prejudice
to the rights and freedoms or legitimate interests of the data subject.
2.6.
ICO Advice and Guidance
The original advice provided by Maureen Falconer, Senior Policy Officer at
the ICO in November, 2014, was that CHI seeding could only be undertaken
for selected adult client records.
However, on the 5th December 2014 at a meeting with Maureen Falconer,
ICO, she verbally indicated a risk assessment should be undertaken as part of
a PIA to determine if all active clients in SWIFT could be CHI seeded and any
use of the CHI number by Fife Council must be restricted to use as a
secondary identifier only – it must not be used for any other purposes. This
includes active adults and children; it does not include carers, medical
professionals or other third parties.
The justification for CHI seeding active client records in SWIFT / AIS is to
minimise the risk of NHS staff having direct access to search the entire
SWIFT / AIS database for patients which may or may not have a care
package.
Whilst SWIFT / AIS security restricts access to the underlying information
such as Criminal Justice records, it is not possible to restrict the initial view of
client names. The current SWIFT training recommends that wildcards should
be used within each forename and surname, so occasionally more than the
required client’s information could be returned when confirming manual
matching. Using the CHI number will minimise such wildcard searches.
Adding the CHI number as a secondary identifier into all active client SWIFT /
AIS records is seen as less of a privacy risk than NHS staff doing a manual
search within SWIFT / AIS prior to confirming matching individuals. Using the
CHI number to access records, supports DPA Principle 2 where personal
information must be processed for limited purposes and Principle 3 which
states personal information must be adequate, relevant and not excessive.
A Guide for Fife Council staff and NHS staff will be prepared to detail how the
CHI number has to be used as an additional secondary identifier only to
support information sharing.
2.7.
Data Accuracy
The accuracy of the data matching process relies on a scoring system
depending on the number of data items (“fields”) that attract a successful
match as follows:
Field      Points
DOB        up to 15 pts
Surname    8-17 pts
Forename   8-17 pts
Gender     1 pt
Postcode   up to 15 pts
Address    up to 15 pts
GP         5-8 pts
CHI        up to 5 pts
Once the automated matching is completed, a manual review of non-exact
matches will take place within NSS ISD to achieve the highest possible
accuracy and match rate. Whether a potential match is accepted or rejected
depends on a combination of the score and whether any other possible matches
compete with or rival the highest scoring match.
Where exact matches are found (where both names, gender, DOB and
postcode/address match exactly the details on the CHI database) the
match is auto-accepted. The result of this approach is an estimated error rate
of no more than 1 in 5000 cases.
Following the matching process, the output file is sent securely to Fife
Council. There are two main types of output available:
 Level 1 – a list of the CHI numbers matched to each record (using the
unique record/client identifier) plus the match score and a flag
indicating the type of match (exact, name-only mismatch, address-only
mismatch etc.)
 Level 2 – the above plus full details of the incoming record data and
the corresponding data held on CHI
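The scoring and acceptance logic described in 2.7, as an added worked example in Python. It is not NSS ISD's matching software and the records in it are constructed. The point bands, the auto-accept rule for exact matches, the rival-candidate test and the Level 1 output fields (matched CHI, score, match-type flag) come from this section; how points are split within a band, the acceptance threshold, the rival margin, and the use of the CHI's leading date-of-birth digits (section 1.5) as a consistency check on a proposed match are assumptions:

```python
"""Match scoring for CHI seeding (section 2.7): added illustration, not NSS ISD's software.

Bands from the page: DOB <=15, surname 8-17, forename 8-17, gender 1, postcode <=15,
address <=15, GP 5-8 (the CHI band applies only to records already carrying a CHI,
so is omitted). Splits inside a band, ACCEPT_THRESHOLD and RIVAL_MARGIN are assumed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    ref: str        # SWIFT ID (council side) or CHI number (NHS side)
    surname: str
    forename: str
    gender: str     # "M" or "F"
    dob: date
    postcode: str
    address: str
    gp: str = ""    # GP practice code; empty when the source holds none


def _norm(s: str) -> str:
    return "".join(s.split()).upper()


def score_name(a: str, b: str) -> int:
    """8-17 band: exact 17, same first three letters 8 (assumed split)."""
    a, b = _norm(a), _norm(b)
    return 17 if a == b else (8 if a[:3] == b[:3] else 0)


def score_dob(a: date, b: date) -> int:
    """Up to 15: exact 15, day and month transposed 8 (assumed split)."""
    if a == b:
        return 15
    return 8 if (a.year, a.month, a.day) == (b.year, b.day, b.month) else 0


def score_postcode(a: str, b: str) -> int:
    """Up to 15: exact 15, same outward code (e.g. KY12) 7 (assumed split)."""
    a, b = _norm(a), _norm(b)
    return 15 if a == b else (7 if a[:-3] == b[:-3] else 0)


def score_pair(swift: Person, nhs: Person):
    """Total score and the Level 1 match-type flag for one SWIFT/CHI pair."""
    names = (_norm(swift.surname) == _norm(nhs.surname)
             and _norm(swift.forename) == _norm(nhs.forename))
    core = swift.gender == nhs.gender and swift.dob == nhs.dob
    addr = (_norm(swift.postcode) == _norm(nhs.postcode)
            and _norm(swift.address) == _norm(nhs.address))
    total = (score_name(swift.surname, nhs.surname)
             + score_name(swift.forename, nhs.forename)
             + score_dob(swift.dob, nhs.dob)
             + (1 if swift.gender == nhs.gender else 0)
             + score_postcode(swift.postcode, nhs.postcode)
             + (15 if _norm(swift.address) == _norm(nhs.address) else 0)
             + (8 if swift.gp and swift.gp == nhs.gp else 0))
    flag = ("exact" if names and core and addr else
            "name-only mismatch" if core and addr else
            "address-only mismatch" if names and core else "partial")
    return total, flag


def chi_embeds_dob(chi: str, dob: date) -> bool:
    """Section 1.5: a CHI is ten digits beginning with the date of birth (DDMMYY)."""
    return len(chi) == 10 and chi.isdigit() and chi[:6] == dob.strftime("%d%m%y")


ACCEPT_THRESHOLD = 60   # assumed: below this a non-exact match is uncertain
RIVAL_MARGIN = 10       # assumed: the runner-up must trail by at least this


def seed(swift_records, chi_register):
    """Level 1 output: SWIFT ID -> (best CHI, score, flag, disposition).

    Exact matches are auto-accepted (2.7); all others go to NSS ISD's manual
    review carrying a recommendation based on score, rivals and the CHI's DOB.
    """
    out = {}
    for s in swift_records:
        ranked = sorted(((*score_pair(s, c), c) for c in chi_register),
                        key=lambda t: t[0], reverse=True)
        score, flag, best = ranked[0]
        rival = ranked[1][0] if len(ranked) > 1 else 0
        if flag == "exact":
            verdict = "auto-accept"
        elif (score >= ACCEPT_THRESHOLD and score - rival >= RIVAL_MARGIN
              and chi_embeds_dob(best.ref, s.dob)):
            verdict = "review: likely"
        else:
            verdict = "review: uncertain"
        out[s.ref] = (best.ref, score, flag, verdict)
    return out


# Constructed sample data; the CHI numbers are illustrative, not real ones.
CHI_REGISTER = [
    Person("1203751234", "MacLeod", "Fiona", "F", date(1975, 3, 12), "KY12 7AB", "4 Harbour Road"),
    Person("1203751238", "MacLeod", "Fiona", "F", date(1975, 3, 12), "KY12 7AB", "9 Harbour Road"),
    Person("0507620456", "Brown", "James", "M", date(1962, 7, 5), "KY1 2XY", "22 Mill Street"),
]
SWIFT_RECORDS = [
    Person("SW100", "MacLeod", "Fiona", "F", date(1975, 3, 12), "KY12 7AB", "4 Harbour Road"),
    Person("SW101", "Brown", "Jim", "M", date(1962, 5, 7), "KY1 2XY", "22 Mill Street"),
    Person("SW102", "Smith", "Fiona", "F", date(1975, 3, 12), "KY12 7AB", "4 Harbour Road"),
]

if __name__ == "__main__":
    for swift_id, row in seed(SWIFT_RECORDS, CHI_REGISTER).items():
        print(swift_id, *row)
```

The three constructed SWIFT records exercise the three outcomes the section describes: SW100 matches exactly and is auto-accepted even though a second Fiona MacLeod lives in the same postcode; SW102 (a surname change) scores well above its rival and is flagged "name-only mismatch" for review; SW101 has a transposed day and month, so the best candidate's CHI no longer begins with the SWIFT date of birth and it is left as uncertain. The point to carry into operations is the last one: a check on the CHI's embedded date of birth costs nothing and catches exactly the wrong-person seeding that 2.16 lists as a risk.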
2.8. Fair Processing / Privacy Notices
NHS Fife and Fife Council will update their existing online privacy notices and
data sharing leaflets to notify members of the public that personal information,
including identifiers and demographics, will be shared between partners and
with NSS ISD for the purpose of providing integrated health and social care
services.
In addition, patients and service users will be provided with appropriate
information about data sharing between agencies at the initial point of contact.
For example, this could be in the form of providing a verbal explanation of
shared service provision to patients when they are initially admitted to
hospital.
2.9.
Effect of Deletion of Data
The deletion of a patient's or client's record for a valid purpose, and
potential differences between the two organisations' retention schedules,
will need to be factored into local work instructions for the Council and
NHS Fife.
2.10. Arrangements for Data Not Matched
Details of how rejected or mismatched records will be processed to improve
data accuracy will be detailed in supporting work instructions.
2.11. Processing via Portal (relevant for future data sharing arrangements)
The proposal is that once the matching exercise is completed, the NHS will be
able to access social care data related to a particular patient needing a care
package by entering the CHI number into a Portal enquiry screen to bring up
the matching client within the SWIFT / AIS system. Alternatively, when there
is no match on CHI number, NHS staff will revert to the search process
described above through the Portal. NHS users will confirm that the correct
person is selected by validating their address and DOB. Once this check is
completed, access to the detailed record will be enabled to allow them to view
and update case notes. The Portal to manage access and viewing /
updating of SWIFT / AIS client records is forecast to be ready by Q3 2015.
2.12. Other Privacy Risks

Privacy Risk: Will the implementation of CHI seeding involve the collection of
new information by Fife Council about individuals?
Response: Yes, as the NHS CHI number will be added into the SWIFT record as a
secondary identifier. Negligible to no distress for the data subject. Less
privacy risk, as access to non-relevant records will be minimised compared to
the current manual process.

Privacy Risk: Will individuals be required to provide additional information
about themselves?
Response: No.

Privacy Risk: Will the information collected be used for additional purposes?
Response: The CHI number will not be used for new or additional purposes
beyond adult care. A guide for Fife Council staff will detail how the CHI
number is used as an additional secondary identifier.

Privacy Risk: Will information be shared with other agencies or people who
currently do not have access to this information?
Response: Yes, Fife Council will have access to the CHI number, which it did
not have before. The CHI number will not be shared with other agencies /
partners.

Privacy Risk: Does CHI seeding involve using intrusive technologies, e.g.
biometrics or facial recognition?
Response: No.

Privacy Risk: Will CHI seeding change the way that decisions will be made
about individuals, or involve actions which will significantly impact on the
privacy of individuals?
Response: No, since at the present time decisions are also made based on
"manual" matching. However, it will improve efficiency and safety. Improved
collaboration between NHS practitioners and Social Workers using a single
definitive version of 'truth' about care packages and related client / patient
information will ensure better management of a client's holistic needs and
will impact positively on both the speed and quality of decision-making and
service delivery for an individual's care package(s).

Privacy Risk: Information kept for too long
Response: Negligible. The CHI number within a record will be kept in line with
Fife Council's existing retention policies.

Privacy Risk: Data not held securely
Response: This processing doesn't increase the current risk of the SWIFT / AIS
database. Current controls are considered satisfactory. Data in transit for
data matching will be via an approved secure method agreed between NSS ISD
and Fife Council.

Privacy Risk: Information disclosed to unauthorised individuals / agencies
Response: This processing doesn't increase the current risk of the SWIFT
database. Current controls are considered satisfactory.
2.13. Security and Organisational Measures
All collection, processing and storage of information in SWIFT / AIS will be in
accordance with the Council's policies and procedures and relevant
information legislation, including the Data Protection Act 1998, the Freedom
of Information (Scotland) Act 2002 and the Environmental Information
(Scotland) Regulations 2004.
Wherever possible technical policy controls will be applied, for example
access controls, automated retention schedules, version control and audit
monitoring. Behavioural controls, such as employee training and provision of
guidance material will be utilised where appropriate.
Information held in SWIFT / AIS will be backed-up every 24 hours as a
minimum requirement; this is in accordance with current business continuity
arrangements. In an event where disaster recovery is required, it is expected
that the Council’s DR Site will provide system continuity.
During agreed annual reviews, both Fife Council and NHS Fife will discuss:
 Adequacy of both sets of policies, procedures and technical security
controls;
 Reported breaches;
 Unlawful processing risk and mitigation;
 Contracts with data processors;
 Choice of data processors.
2.14. NSS ISD as Data Processor
There is an agreed Data Processor Agreement with NSS ISD as the Data
Processor, detailing the security the Data Processor has in place. NSS ISD
also has the following agreed controls to prevent accidental data loss /
damage / destruction:
 Backups;
 Data recovery procedures;
 Systems/data resilience;
 Business continuity plans;
 Safe destruction & data retention policy;
 Clean desk policy;
 Data in transit security arrangements.
Access controls will ensure that information will be restricted only to those
individuals whose role within NSS ISD requires access to perform the
matching and quality process.
2.15. International Transfers
No international transfers of data have been identified.
2.16. Privacy and Related Risks
The key privacy risks are listed below.

Privacy Issue: Data used for additional, inappropriate purposes
Impact on Individuals: Distress, embarrassment, damage to relationships
and / or reputation. In extreme cases physical harm.
Compliance Risk: Data Protection Act 1998 – Principle 2
Control Measure: Behavioural controls, e.g. training & guidance materials
which support Council policies and procedures.

Privacy Issue: Inaccurate, insufficient or out-of-date data
Impact on Individuals: Loss of entitlements or provision of inappropriate
services, e.g. client care package.
Compliance Risk: Data Protection Act 1998 – Principle 4
Control Measure: Use of single primary data source rather than multiple
copies.

Privacy Issue: Information kept for too long
Impact on Individuals: Distress, potential for loss of status / employment,
e.g. spent criminal convictions.
Compliance Risk: Data Protection Act 1998 – Principle 5
Control Measure: Application of agreed retention / deletion schedules where
this is technically feasible.

Privacy Issue: Data not held securely
Impact on Individuals: Anxiety caused by fear of disclosure. Identity theft.
Distress, physical harm, damage to relationships and / or reputation.
Compliance Risk: Data Protection Act 1998 – Principle 7
Control Measure: Role based access control using Active Directory Groups is
used to display the SWIFT / AIS icon on the desktop; however, actual access
is controlled separately via a SWIFT administration function. Audit
monitoring.

Privacy Issue: Information disclosed to unauthorised individuals / agencies
Impact on Individuals: Identity theft. Distress, physical harm, damage to
relationships and / or reputation.
Compliance Risk: Data Protection Act 1998 – Principle 7, and potentially also
Principle 8
Control Measure: Role based access control using Active Directory Groups.
Council policies and processes.

Privacy Issue: Impact on client if the CHI seeding is incorrect and matches
the wrong person
Impact on Individuals: Distress, health service not provided.
Compliance Risk: Data Protection Act 1998 – Principle 4
Control Measure: Review matching from the NSS ISD result set and undertake
manual checks where there is any uncertainty.
2.17. Privacy Solutions
Fife Council already has a number of control measures in place to reduce the
privacy risks associated with the management of information, for example
policies, procedures, training materials, access controls, audit monitoring and
incident management.
The following controls are specific to the Council’s SWIFT / AIS environment:
2.18. Fife Council Social Work Policies and Procedures
Fife Council has a number of policies/procedures that all staff are governed
by.
 Fife Council Discipline Policy & Procedures:
http://publications.1fife.org.uk/uploadfiles/publications/c64_DI02DisciplinaryPolicyandProcedure.pdf
 Fife Council Data Protection Policy:
http://www.fife.gov.uk/publications/index.cfm?fuseaction=publication.pop&pubid=23EA47EB-9876-C415-654E50839378E8BF
2.19. SWIFT / AIS User Access Controls
User access is based on roles, where users are members of specific groups
which have defined permissions. Access is controlled via a SWIFT
administration function which will manage employees moving roles or leaving
the Council or NHS Fife. Control is authorised by managers, who request
access for designated individuals in specific roles through the Service
process.
2.20. Training and Support Materials
The following materials will be available to all SWIFT / AIS users:
 SWIFT / AIS user / training documentation;
 Social Work data protection training will be made available to the NHS
staff accessing the SWIFT / AIS system.
2.21. These controls all support good information practices and will encourage NHS
staff to effectively manage the in scope adult care data whilst complying with
relevant information legislation.
2.22. Although the technical controls within SWIFT / AIS cannot completely
prevent these risks, the system can provide audit reports detailing which
clients were searched for and which client records were subsequently opened.
This information can be used to reduce the risk of a recurrence, for example
by targeting staff training or, in exceptional cases, disciplinary action.
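A review of the search-and-open audit data that 2.22 describes, as an added example in Python; it is not a report that SWIFT / AIS produces. The audit line format (timestamp, user, organisation, action, search criteria or record opened, rows returned) is assumed, the lines are constructed, and the thresholds are illustrative. It measures the exposure 2.6 is concerned about, how many client names a user sees per record actually opened, and separately flags records opened with no preceding search or CHI lookup:

```python
"""Review of SWIFT / AIS search and open audit records (section 2.22).

Added example, not a report produced by SWIFT: the audit line format
(ts,user,org,action,detail,rows) is assumed, the lines are constructed and
the thresholds are illustrative.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

BROAD_SEARCH_ROWS = 20                  # assumed: more names than confirming one match needs
LOOKUP_WINDOW = timedelta(minutes=15)   # assumed: an OPEN should follow a lookup this closely

# Constructed sample audit lines; users, SWIFT IDs and the CHI are illustrative.
AUDIT_LINES = """\
ts,user,org,action,detail,rows
2015-02-11T09:01:12,nhs.amcgregor,NHS Fife,CHI_LOOKUP,1203751234,1
2015-02-11T09:01:40,nhs.amcgregor,NHS Fife,OPEN,SW100,1
2015-02-11T09:15:03,nhs.bwilson,NHS Fife,SEARCH,surname=MAC*;forename=F*,47
2015-02-11T09:15:55,nhs.bwilson,NHS Fife,SEARCH,surname=M*;forename=*,412
2015-02-11T09:16:30,nhs.bwilson,NHS Fife,OPEN,SW100,1
2015-02-11T09:17:02,nhs.bwilson,NHS Fife,OPEN,SW233,1
2015-02-11T10:02:10,nhs.cdunn,NHS Fife,OPEN,SW105,1
2015-02-11T10:40:00,nhs.dreid,NHS Fife,SEARCH,surname=BROWN;forename=JAMES;dob=05/07/1962,1
2015-02-11T10:40:20,nhs.dreid,NHS Fife,OPEN,SW101,1
"""


def parse(text):
    """Parse CSV audit lines into dicts with a typed timestamp and row count."""
    events = list(csv.DictReader(StringIO(text)))
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["rows"] = int(e["rows"])
    return events


def review(events):
    """Per-user exposure statistics and findings from search/open audit events."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        s = {"org": evs[0]["org"], "searches": 0, "wildcard_searches": 0,
             "names_returned": 0, "chi_lookups": 0, "opens": 0,
             "opens_without_lookup": 0, "findings": []}
        last_lookup = None
        for e in evs:
            if e["action"] == "SEARCH":
                s["searches"] += 1
                s["names_returned"] += e["rows"]
                s["wildcard_searches"] += int("*" in e["detail"])
                if e["rows"] > BROAD_SEARCH_ROWS:
                    s["findings"].append(
                        f"search returned {e['rows']} names: {e['detail']}")
                last_lookup = e["ts"]
            elif e["action"] == "CHI_LOOKUP":
                s["chi_lookups"] += 1
                last_lookup = e["ts"]
            elif e["action"] == "OPEN":
                s["opens"] += 1
                if last_lookup is None or e["ts"] - last_lookup > LOOKUP_WINDOW:
                    s["opens_without_lookup"] += 1
                    s["findings"].append(
                        f"record {e['detail']} opened with no preceding lookup")
        # Names seen per record actually opened: the exposure the CHI path removes.
        s["exposure"] = s["names_returned"] / max(s["opens"], 1)
        report[user] = s
    return report


def flagged_users(report):
    """Users with at least one finding, for follow-up under 2.22 / 2.23."""
    return sorted(u for u, s in report.items() if s["findings"])


if __name__ == "__main__":
    rep = review(parse(AUDIT_LINES))
    for user in flagged_users(rep):
        print(user, rep[user]["exposure"], rep[user]["findings"])
```

In the constructed data the user who arrives via a CHI lookup sees no names other than the one opened (exposure 0), the user who confirms identity with a full-name-plus-DOB search sees one, and the wildcard searcher sees over two hundred names per record opened. Run against real audit output, the same two ratios give the before-and-after evidence that CHI seeding actually reduced browsing, which is the claim this PIA rests on; the "opened with no preceding lookup" finding is the one to route into the breach process in 2.23.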
2.23. Information breaches will follow the reporting mechanism within Fife Council
and NHS Fife. Where this involves an information breach for instance of NHS
Fife staff inappropriately accessing the SWIFT / AIS system, the Fife Council
Information Policy Manager will inform the NHS Fife Information Policy
Manager and vice versa. These incidents will be logged and an investigation
commenced in the organisation in which the staff member is employed. Any
follow-up disciplinary action will follow the relevant organisation’s defined
procedure for managing such events.
3.0 Recommendations
3.1
The IPD Group is asked to:
 Note the contents of this Privacy Impact Assessment;
 Support the control measures identified;
 Support this initiative as part of the Health and Social Work integration
between Fife Council and NHS Fife.
Background Papers
The following papers were relied on in the preparation of this report.
 Local Government (Scotland) Act, 1973
 Local Electoral Administration and Registration Services (Scotland) Act, 2006
 The Public Bodies (Joint Working) (Scotland) Act, 2014
 National Health Service Central Register (NHSCR)
http://gro-scotland.gov.uk/national-health-service-central-register/about-the-register/index.html
Report Contact
Norman Kurzman
Information Policy and Standards Manager
Telephone: 08451 555555 + 440536
Email – norman.kurzman@fife.gov.uk
Appendix A – High level data flow
(The original is a diagram; only its labels survive extraction.)
Nodes: NHS CHI SYSTEM (hosted in NHS Tayside); NHSCR (National Register);
GPs (on behalf of the NHS); NSS/ISD (Data Matching & CHI seeding SWIFT);
COUNCIL.
Flow labels: Births; Patient registration requests; New CHI records; Data
Quality Checks; SWIFT demographics; CHI seeded records; Download.