Dear NHS England

1. Can you please provide the number of Data Protection Impact Assessments conducted by NHSE in 2023?

2. Can you please advise if these were a full assessment or a screening?

3. Can you please disclose a brief description of each assessment, for example the title and any reasonable explanation to assist the reader?

4. Can you please disclose a copy of your internal guidance and the template for your assessment?

5. Can you please disclose a copy of any training you have given to internal colleagues about assessments, for example the slides in any training session.

Thank you

Warwick Clark

CONTACTUS, England (NHS ENGLAND - X24), NHS England

*THIS IS AN AUTOMATED RESPONSE - YOUR EMAIL WILL BE RESPONDED TO BY A MEMBER OF
THE TEAM ALSO​​**   

 

Thank you for your email.      

We are currently receiving an extremely high volume of enquiries.    

You may find the following information helpful.     

 

How can the Customer Contact Centre help me?     

 

We’re here to support patients and their representatives with enquiries
about healthcare services. 

 

We can also help with enquiries or complaints about healthcare in prison,
military healthcare and some specialised services that support people with
a range of rare and complex conditions.      

 

You can find out how to feedback or make a complaint about an NHS service
here:     

 

[1]https://www.england.nhs.uk/contact-us/co...

   

Covid-19 enquiries   

 

For information about coronavirus (COVID-19), including information about
the COVID-19 vaccine, go to
the [2]https://www.nhs.uk/covid-19-advice-and-s.... You can also
find guidance and support on the [3]GOV.UK website.   

 

If you are contacting us about new COVID-19 treatments, more information
is available on the [4]NHS website.    

 

Does the NHS England Customer Contact Centre provide medical advice?     

 

No. Our advisors are not clinically trained and are unable to provide
medical advice.      

 

For help from a GP, visit your GP surgery’s website, use an online service
to contact your GP, or call the surgery.     

 

For urgent medical help, use the [5]NHS 111 online service, or call 111 if
you are unable to get help online. For life-threatening emergencies, call
999 for an ambulance.    

 

If you need help for a mental health crisis or emergency, you can get
24-hour support and advice.  To find out where to get urgent help for
mental health visit the [6]NHS website. 

 

There is more information about getting medical help on the [7]NHS
website.  

 

How do you use my information? 

 

NHS England’s privacy notice explains how we use, share and store your
personal information. You can find this on our
website: [8]https://www.england.nhs.uk/contact-us/pr...

 

Thank you for your email. 

 

NHS England Customer Contact Centre     

show quoted sections

FOICRM (NHS ENGLAND - X24), NHS England

Dear Warwick Clark, 

NHS England has assessed your communication as a request under the Freedom
of Information (FOI) Act 2000. Your request is being dealt with under the
terms of the FOI Act and will be answered within twenty working days. Your
reference number is FOI-2403-2078567.

For further information regarding the FOI Act, please refer to the website
of the [1]Information Commissioner’s Office (ICO). For further information
regarding NHS England, and the information we publish, please visit [2]our
website.

If you have any queries about this request or wish to contact us again,
please email [3][NHS England request email] and the message will be
forwarded appropriately. Please remember to quote the above reference
number in any future communications.

Yours sincerely,

Freedom of Information

NHS England
PO Box 16738
REDDITCH
B97 9PT

Tel: 0300 311 22 33
Email: [4][NHS England request email] 

show quoted sections

FOICRM (NHS ENGLAND - X24), NHS England

3 Attachments

Dear Warwick Clark

We refer to your email of 03 March 2024 in which you requested
information under the FOI Act from NHS England.
 
Your request

You made the following request:

 1. Can you please provide the number of Data Protection Impact
Assessments conducted by NHSE in 2023?

 2. Can you please advise if these were a full assessment or a screening?

 3. Can you please disclose a brief description of each assessment, for
example the title and any reasonable explanation to assist the reader?

 4. Can you please disclose a copy of your internal guidance and the
template for your assessment?

 5. Can you please disclose a copy of any training you have given to
internal colleagues about assessments, for example the slides in any
training session.

Decision
NHS England holds the information you have requested but has decided to
withhold some information under section 12 of the FOI Act.

Please note however, that this is only a partial return, as the
organisation does not operate a single consolidated list for all three
legacy organisations (NHSD, NHSE and HEE) and in particular NHSD and HEE
do not have a list of all DPIAs that were undertaken in 2023. This is
relevant because the official merger occurred in 2023 and as such DPIAs
undertaken with legacy processes would count towards the final figure of
DPIAs undertaken in 2023. The attached list is the title of each DPIA
undertaken by NHS England (legacy organisation and process) in 2023, which
totals 156. This list is likely to be incomplete from an NHSE legacy
perspective due to various reasons.
 
The column with information states the names/titles of the DPIA, but
sometimes has more information (e.g. a brief descriptor of the DPIA),
please note, staff names have been removed from this list.

 1. 156 (only partial information as described above)

2. & 3.

Section 12

Please note NHS England have applied a Section 12 to this request. Section
12 of the Freedom of Information Act 2000 allows a public authority to
refuse a request if the cost of providing the information to the applicant
would exceed the ‘appropriate limit’ as defined by the Freedom of
Information and Data Protection (Appropriate Limit and Fees) Regulations
2004:
“Section 12 Exemption where cost of compliance exceeds appropriate limit
(1) Section 1(1) does not oblige a public authority to comply with a
request for information if the authority estimates that the cost of
complying with the request would exceed the appropriate limit”.
The Regulations states that the appropriate limit to be applied to
requests received by local authorities is £450 (equivalent to 2.5 days of
work) for the purposes of the estimate the costs of performing these
activities should be estimated at a rate of £25 per hour (£25 x 18hours =
£450).
In estimating the cost of complying with a request for information, an
authority can only take into account any reasonable costs incurred in:
“(a) determining whether it holds the information,

(b) locating the information, or a document which may contain the
information,

(c) retrieving the information, or a document which may contain the
information, and

(d) extracting the information from a document containing it”.
We have carried out a reasonable and proportionate search to locate all of
the documents that relate to the above request for information and outline
how this was carried out.
It is estimate that the review, extraction and recording required for each
document, in order to produced a response for questions 2 & 3, would take
between 7 & 9 minutes (depending on the complexity and completeness of the
original DPIA).
156 documents @ 7 mins = 1092 minutes (18 hours 12 minutes)
156 documents @ 9 mins = 1404 minutes (23 hours 24 minutes)
Until the documents are opened we would not know the level of complexity
or completeness of the original DPIA.
If you would like to refine your request to obtain information (i.e.
request information across smaller parameters – time period, specific
teams etc.) we have some suggestions below which may help:
A list of the DPIA titles has been provided as a partial response to Q3,
in order to provide advice and assistance to the requestor. This maybe
sufficient information for the requestor, but also if the requestor
requires more detailed information regarding specific DPIAs, the requestor
could make a further request for access to those documents
Information requested that could be answered within the 18 hours time
limit is:
Please see above

If you would like to resubmit your refined request please do so on the
following link [1][NHS England request email]  

 4. The internal DPIA template is attached

 5. Please see attached DPIA Training Guide

Copyright

NHS England operates under the terms of the Open Government Licence (OGL).
Terms and conditions can be found on the following link:

[2]http://www.england.nhs.uk/terms-and-cond...

Review rights

If you consider that your request for information has not been properly
handled or if you are otherwise dissatisfied with the outcome of your
request, you may seek an internal review within NHS England of the issue
or the decision. A senior member of NHS England’s staff, who has not
previously been involved with your request, will undertake that review.

If you are dissatisfied with the outcome of any internal review, you may
complain to the Information Commissioner for a decision on whether your
request for information has been dealt with in accordance with the FOI
Act.

A request for an internal review should be submitted in writing to [3][NHS
England request email]

Yours sincerely,

Freedom of Information
NHS England
 

show quoted sections

Dear NHS England,

Thank you for your reply.

I am content with your explanation regarding section 12 for part 3 and think you have provided reasonable advice and assistance. I will consider the information and if necessary make a new focussed request if I am interested in particular information on your list.

Yours faithfully,

Warwick Clark