DPIA process and related issues

The request was partially successful.

Dear NHS Digital,

Further to the publication of your Data Protection Impact Assessment of Hospital Episode Statistics on 26 March 2019, I would like to make a request under the Freedom of Information Act. For the purposes of the Act, please take the date of your receipt of this request as 3 April 2019.

Please would you provide:

1) Copies of the “Screening Questionnaire" and "Guidance Notes” mentioned in Section 1 of the DPIA, as well as copies of any other components of NHS Digital's documented DPIA process required under GDPR / DPA 2018, as explained by the ICO’s guidance on DPIAs.

2) Copies of any and all questions consulted on and/or surveys made in relation to Data Protection issues to do with (a) HES, (b) CDS and (c) SUS in the 12 months leading up to the introduction of GDPR in May 2018, and the 11 months since.

3) Noting the action to “[upload the] approved DPIA to the Unified Register” in Section 6, please provide copies of every DPIA currently held in this Unified Register.

Please do not delay your response on the basis that you cannot provide some or any of the information for any one of the items above; I am happy for you to provide partial information in a timely manner, on the understanding that you will provide more complete information as soon as it is available.

I would be grateful if you would send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

If my request is denied in whole or in part, or specific items within the responses are withheld from disclosure, then you must justify all deletions by reference to specific exemptions of the Act, as per Section 17 of the Act. Where you rely on a qualified exemption to withhold disclosure, you are obliged to consider the public interest in your decision and the refusal notice must explain not only which exemption applies and why, but also the public interest arguments addressed in reaching the decision.

Yours faithfully,

Phil Booth

NHS Digital Enquiries (NHS DIGITAL), NHS Digital

 

Ref: NIC-284769-P1Z5B 

Dear Phil Booth,

I am writing to acknowledge that your request for information was received
by NHS Digital on 03/04/2019 and is currently being considered.

If NHS Digital is able to provide you with the information you have
requested, then under the Freedom of Information (FOI) Act you are
entitled to receive it promptly and in any event no later than the 20th
working day following the date of receipt. However, we may need to contact
you to clarify your request. If this is required we aim to do this
promptly but no later than 7 days after receiving your initial request for
information.

May I take this opportunity to explain the FOI Act in more detail? The Act
provides a 'General right of access to information held by public
authorities'. However, it also defines a number of exemptions which may
prevent the release of some or all of the information you have requested.
Therefore, NHS Digital will assess your information request in light of
any relevant exemptions.

If exemptions do apply, then NHS Digital may decide not to release all, or
part, of the information you have requested. I shall inform you if this is
the case, and advise you of your rights of appeal.

If the information you request contains reference to a third party then
they may be consulted prior to a decision being taken as to whether to
release the information to you.

The response to your request will be sent to you by email, however if you
require your response in any other format, please contact us to discuss a
suitable format.

NHS Digital will not normally charge a fee to provide you with the
information you have requested, unless the cost of dealing with your
request is more than £450 as outlined in Section 12 of the FOI Act and
Section 3 of the The FOI and Data Protection (Appropriate Limit and Fees)
Regulations 2004. If it appears likely that your request will cost more,
then NHS Digital is able to refuse to supply the information.  As per our
obligations under Section 16 of the FOI Act, every effort will be made to
provide you with details of how you may be able to reframe your request in
order for us to complete the required work within the (£450 / 18 person
hours) cost limit.

If you have any queries or should you wish to make a complaint about the
manner in which your request is being processed then please do not
hesitate to contact us at [1][NHS Digital request email] in the first
instance. Any complaints will be investigated in accordance with NHS
Digital's complaints procedure.

Further information about your rights under the Freedom of Information
Act, is available from the Information Commissioner's Office, Wilmslow,
Cheshire and on the NHS Digital website.

Kind Regards,

Contact Centre Team
NHS Digital
[2]www.digital.nhs.uk

0300 303 5678
[3][NHS Digital request email]

1 Trevelyan Square | Boar Lane | Leeds | LS1 6AE

You can find out more about our service, including our response times and
customer charter on the NHS Digital website:
[4]https://digital.nhs.uk/about-nhs-digital...

[5]Privacy and cookies

show quoted sections

NHS Digital Enquiries (NHS DIGITAL), NHS Digital

7 Attachments

Ref: NIC-284769-P1Z5B 

Dear Phil Booth,

Many thanks for your recent request to NHS Digital.

We have now received a reply to this from our colleagues in the
Information Governance team.

Please see the attached file(s).

Kind Regards,

Contact Centre Team
NHS Digital
[1]www.digital.nhs.uk

0300 303 5678

[2][NHS Digital request email]

1 Trevelyan Square | Boar Lane | Leeds | LS1 6AE

HSCIC now operate under the new trading name of NHS Digital – clarifying
our role as the national information and technology partner for the health
and care system.

[3]Privacy and cookies

show quoted sections

Dear NHS Digital Enquiries (NHS DIGITAL),

[AMENDED REQUEST BELOW]

Many thanks for your response and attachments. Apologies for my delay in replying.

Thank you for confirming (section 2) that when Data Protection law changed in May 2018, NHS Digital did nothing as regards HES.

I'm glad that you appreciate that the intent of my request was not vexatious. When I submitted it, there was no way for me to know how many DPIAs you held or in what form. Your statement:

"Whilst we appreciate that your request was not intended to have a vexatious effect on us, we do consider that the time this would take, which would divert valuable resources away from delivery of ourcore programme, services and information governance support, including the work we are currently undertaking to update our DPIA templates and process, would impose a significantly oppressive resource burden on us. This burden would bewholly disproportionate to the value of the information that would be disclosed, particularly given it is our intention, as part of the roll out of the new DPIA template, to publish all our DPIAs in the future."

makes it quite clear that my request merely hit a cost limit, and that you intend to publish the information I requested in due course anyway.

The ground for refusal you give is therefore incorrect:

"We are therefore refusing this aspect of your request under s14(1) of FOIA on the basis that the request is vexatious."

My request was/is not vexatious (as you agree), but it rather hit a cost limit - for which the grounds for refusal can be found in s12 of FOIA: https://www.legislation.gov.uk/ukpga/200... - and you have said you intend to publish all of your DPIAs in future - for which the grounds for refusal can be found in s22 of FOIA: https://www.legislation.gov.uk/ukpga/200.... I point this out so that hopefully other people's requests (and my own) are not refused on the wrong grounds in future.

Thank you for offering to provide any specific DPIA. At this point I do not have any particular one in mind, but please - instead of providing the DPIAs themselves - would you provide a list of the titles/names of each of the 180 DPIAs that you hold. (I presume that this can be assembled from a straightforward query on your systems, and a simple list will not in itself require any redaction.)

For clarity, I will restate my request formally:

Further to your response to my FOI request regarding "DPIA process and related issues" on 3 May 2019, I would like to make a request under the Freedom of Information Act. For the purposes of the Act, please take the date of your receipt of this request as 1 July 2019.

Please would you provide a complete list of the titles or names of every DPIA currently held in NHS Digital's Unified Register.

Please do not delay your response on the basis that you cannot provide some or any of the information; I am happy for you to provide partial information in a timely manner, on the understanding that you will provide more complete information as soon as it is available.

Yours sincerely,

Phil Booth

NHS Digital Enquiries (NHS DIGITAL), NHS Digital

 

Ref: NIC-312101-G4M7G 

Dear Phil Booth,

I am writing to acknowledge that your request for information was received
by NHS Digital on 1/7/2019 and is currently being considered.

If NHS Digital is able to provide you with the information you have
requested, then under the Freedom of Information (FOI) Act you are
entitled to receive it promptly and in any event no later than the 20th
working day following the date of receipt. However, we may need to contact
you to clarify your request. If this is required we aim to do this
promptly but no later than 7 days after receiving your initial request for
information.

May I take this opportunity to explain the FOI Act in more detail? The Act
provides a 'General right of access to information held by public
authorities'. However, it also defines a number of exemptions which may
prevent the release of some or all of the information you have requested.
Therefore, NHS Digital will assess your information request in light of
any relevant exemptions.

If exemptions do apply, then NHS Digital may decide not to release all, or
part, of the information you have requested. I shall inform you if this is
the case, and advise you of your rights of appeal.

If the information you request contains reference to a third party then
they may be consulted prior to a decision being taken as to whether to
release the information to you.

The response to your request will be sent to you by email, however if you
require your response in any other format, please contact us to discuss a
suitable format.

NHS Digital will not normally charge a fee to provide you with the
information you have requested, unless the cost of dealing with your
request is more than £450 as outlined in Section 12 of the FOI Act and
Section 3 of the The FOI and Data Protection (Appropriate Limit and Fees)
Regulations 2004. If it appears likely that your request will cost more,
then NHS Digital is able to refuse to supply the information.  As per our
obligations under Section 16 of the FOI Act, every effort will be made to
provide you with details of how you may be able to reframe your request in
order for us to complete the required work within the (£450 / 18 person
hours) cost limit.

If you have any queries or should you wish to make a complaint about the
manner in which your request is being processed then please do not
hesitate to contact us at [1][NHS Digital request email] in the first
instance. Any complaints will be investigated in accordance with NHS
Digital's complaints procedure.

Further information about your rights under the Freedom of Information
Act, is available from the Information Commissioner's Office, Wilmslow,
Cheshire and on the NHS Digital website.

Kind Regards,

Contact Centre Team
NHS Digital
[2]www.digital.nhs.uk

0300 303 5678
[3][NHS Digital request email]

1 Trevelyan Square | Boar Lane | Leeds | LS1 6AE

You can find out more about our service, including our response times and
customer charter on the NHS Digital website:
[4]https://digital.nhs.uk/about-nhs-digital...

[5]Privacy and cookies

show quoted sections

NHS Digital Enquiries (NHS DIGITAL), NHS Digital

1 Attachment

Ref: NIC-312101-G4M7G 

Dear Phil Booth,

Many thanks for your recent request to NHS Digital.

We have now received a reply to this from our colleagues in the
Information Governance team.

Please see the attached file.

Kind Regards,

Contact Centre Team
NHS Digital
[1]www.digital.nhs.uk

0300 303 5678

[2][NHS Digital request email]

1 Trevelyan Square | Boar Lane | Leeds | LS1 6AE

[3]Privacy and cookies

show quoted sections