Universal information governance templates and FAQs

A DPIA is a process that helps you systematically identify, analyse and where possible mitigate the data protection risks of specific projects, plans or activities within your organisation.

It helps you assess and demonstrate compliance with your data protection obligations.

Where there is a high risk to individuals, you are legally required to complete a DPIA. For example, when you are using or sharing the health and care data of a large number of people.

However, even if it is not legally required, it is best practice to conduct a DPIA whenever you are using and sharing sensitive information, such as identifiable information about a person’s care. A DPIA will assist you to identify and prevent problems with your planned project or activity, reducing the associated costs and damage to your reputation which might otherwise occur.

It is also a mandatory requirement of the Data Security and Protection Toolkit that health and care organisations understand when a DPIA is needed and have their own process in place for conducting DPIAs.

The DPIA template can be used for any use of health and care data or other data such as employment data.

This includes by research sponsors who wish to use data for research purposes. The template includes further information about how the template can and can’t be used in research. The HRA also has guidance on the use of DPIAs in research settings.

A DPIA should be completed during the planning stage of a project before any health and care data is used or shared. For example, if you were implementing a new technical system for managing patient records, you would need to complete a DPIA when designing the new system before any medical records were transferred over.

If the information sharing is a high risk to individuals, completing a DPIA would be a legal requirement. However, you may not know whether a specific project will legally require a DPIA until you have completed a preliminary assessment.

A preliminary assessment is built into the NHS England DPIA template via some questions at the start of the document, which you can use to justify whether you need to complete a full DPIA.

The DPIA should be filled out by staff members who understand the details of the project or activity and how information will be used and shared, such as the project or service lead.

You should be supported by your organisation’s data protection officer (DPO), IG lead or team, or by your management team if you are a small organisation.

You will need to know the details about the type of data involved in your project or activity, how your organisation will be using and sharing the data, and the lawful basis to justify the use of the data.

If you do not have this information, you should ask your DPO, your IG lead or team, or your management team for support.

This will depend on your governance process, the data your project involves and the associated risks.

If you work in a larger organisation, your DPIA might need to be reviewed and approved by your:

• DPO
• senior information risk owner (SIRO)
• Caldicott Guardian
• information asset owner (IAO)
• IG lead
• IT or cyber lead

If you work in a smaller organisation, your DPIA will likely need to be reviewed and approved by a member of your management team.

You should speak to your organisation’s DPO, IG lead or team, or your management team to find out whose approval is needed.

Any mitigating actions identified in the DPIA to reduce risk should be factored into your project plan where relevant. For example, creating a new process to be followed to send and receive information, or rolling out a training programme.

If you have any risks that remain high even after applying mitigating actions, you must consult the ICO before starting to use or share information.

The DPIA should be reviewed and updated whenever necessary. This may be, for example, when there is a change to how information is being used or shared.

See the ICO’s guidance for more information about what you need to do after completing your DPIA.

This NHS England template DSPA combines the requirements of a data processing agreement (DPA), data sharing agreement (DSA), and joint controller arrangement (JCA).

The DSPA is a legal document which sets out the roles and responsibilities for two or more parties that are sending, receiving or using data.

The DSPA can be used in a number of circumstances. For example, in a scenario where you and a number of other organisations within an Integrated Care System (ICS) are setting up a new electronic patient record system (EPR), the DSPA could be used:

• between you as the controller (the organisation deciding on why and how the data is being used and shared) and the EPR system provider as the processor (the organisation who is being instructed to use or share the data) as a legally-binding document of instructions being given to the processor
• to document data sharing between you and the other controller organisations to facilitate partnership working if you are able to view each other’s patient records

In the following scenarios, completing a DSPA (or equivalent) is a legal obligation if:

• your organisation is using a processor you are legally obliged to document the instructions to the processor within the DSPA or equivalent data processing agreement such as a DPA - for example, if you are using a technology provider to deliver a virtual ward app and dashboard, or if you are using a confidential waste disposal supplier to collect and destroy paper records
• you are acting with another controller as joint controllers of personal data (two organisations who have decided to use the same data for a shared purpose and in the same way): it is a legal obligation to have a DSPA or equivalent joint controller arrangement such as a JCA to establish each organisation’s responsibilities

In other scenarios, completing a DSPA (or equivalent) is good practice and will help you demonstrate accountability:

If you are routinely sharing data with another controller organisation, it is good practice but not a legal requirement to have a DSPA or equivalent document such as a DSA in place. It will also help you demonstrate compliance with the accountability principle of data protection law, because it demonstrates that you are taking responsibility for how you use information.

For example, if you are setting up a new community service for mental health where GPs will share information about their patients to allow healthcare support workers to provide the patients with care. However, it is unlikely to be appropriate to complete a DSPA for one off or ad hoc specialist referrals between health and care organisations.

The DPSA template can be used when sharing health and care information and other types of information such as employment data. The template should not be used for research purposes. NHS organisations that are sharing information for research purposes should use the UK research template contracts and study agreements.

Whenever you share information with another organisation, you should consider whether a DSPA should be completed beforehand. Where the DSPA (or equivalent) is a legal obligation for the sharing arrangement, as in the situations outlined above, you must complete the DSPA (or equivalent) before using or sharing any data with the organisation.

If you are unsure about whether you are legally required to complete a DSPA, you should speak to your DPO, IG lead or team, or your management team. You may also want to seek legal advice, depending on the nature of the sharing arrangement.

The templates and guidance on this webpage only cover requirements from a data protection perspective, and you should speak to your contracts or legal colleagues if you are unsure if any additional contracts documents are needed.

However, if your organisation is already intending to sign a contract with the other organisation(s) to cover wider legal requirements such as payments and clinical services, it is possible to reference or embed the DSPA into the main contract. For example, if the contract is on a framework and has a section to fill in for the data processing agreement, you do not need to populate that section but can add in text such as ‘All data processing requirements and terms have been captured in the DSPA [add name or reference number]’.

As the majority of the content needed for the NHS England DSPA can be taken from the NHS England DPIA, any member of staff can transfer the information. This may be the project or service lead with input from the IG lead or team, or the IG lead or team may complete all of it, depending on your local arrangements.

The IG lead or team, DPO or management team for small organisations should review the agreement and ensure it is correct and complete.

You may wish to seek legal advice if you need support with this.

You will need to know:

• the role each organisation plays in the sharing or processing arrangement
• the aims of using or sharing the information
• the types of information being used or shared
• the lawful basis for using or sharing the information

You should mostly be able to copy over this information from your DPIA.

The DSPA must be signed by all organisations who are using or sharing the information. This must be done by an authorised signatory, in accordance with your organisation’s governance process.

The signing can be done either by:

• physically signing the DSPA with a pen
• applying an electronic signature to the electronic document
• using an online portal that allows signatories to ‘sign’ the agreement by clicking a button to accept the terms
• recording agreement by all parties over e-mail

Once all signatures are added, the document must be sent to all signatories through email or other means, or stored somewhere accessible to all parties, such as within the online portal if one has been used.

You should ensure that you have a robust process in place to allow you to comply with the review period set out in the DSPA. This must include clearly assigning responsibility for managing the review and keeping a record of when the review has taken place.

An IAFR is a document which holds details of all the information assets within your organisation. It includes electronic data, such as the shared care record, and physical assets, such as paper case notes.

The IAFR template from NHS England has been designed to capture both the requirements for an Information Asset Register (IAR) and for a Record of Processing Activities (ROPA).

It is a legal requirement to have an up-to-date ROPA covering all data processing.

It is a Data Security and Protection Toolkit requirement to have an up-to-date IAR covering all your organisation’s information assets.

The IAFR template combines these two requirements into one document to reduce duplication.

Maintaining an up to date IAFR gives you an important tool for understanding what data your organisation holds and processes. It helps you to assess and mitigate risks to this data and is invaluable in the event of an incident where data is compromised or unavailable.

The universal IAFR template can be used to identify and document all your organisation’s information assets and flows of data. It does not just apply to health and care data. It can be used to document information assets and data flows for a variety of purposes for example finance, personnel, staff training or complaints.

An IAFR (or equivalent) should be completed and maintained from the time you start using and sharing personal information. For example, if you are setting up a new service that involves sending people’s information to a new supplier, you should update the IAFR with information about the new data flow when the service starts.

Responsibility for creating and maintaining an IAFR should be clearly assigned by your organisation, but it can be shared amongst multiple people. This might be the DPO, the IG lead or team, or your management team.

The register should be reviewed and approved by your senior management team (in accordance with your governance structure) at least once annually.

You will need to know what information assets your organisation holds, who the asset owners are, what identifiable data is used by each asset, and where the data flows to and from.

If you do not have this information, you should consult your senior management team.

The IAFR should be kept on the system and updated whenever necessary.

Reasons for necessary updates might be:

• starting a new service or function
• stopping an existing service or function
• sharing new or different information with another organisation
• sharing the same information with another organisation for a different purpose
• changing the way you share the information

People who are assigned responsibility for information assets, known as information asset owners (IAOs), often supported by information asset administrators (IAAs), should regularly review their information assets and flows. When changes occur, they should notify the appropriate individuals to ensure the IAFR remains up to date.

A PN is a document which informs people about how their data is being used, what their rights are under data protection legislation, and how they can exercise them.

A key principle of data protection laws is being transparent with people about how you use and share their information. A privacy notice should be one of your main tools for demonstrating transparency.

Publishing a PN and making it available to the public is also a requirement of the Data Security Protection Toolkit.

The template PN can be used for any use of health and care information or other types of information such as employment data.

However, if you are a sponsor for research or research site you will need to prepare a separate PN about your use of personal data for research. You should refer and link to the HRA’s transparency template for sponsors, or its transparency template for sites, as appropriate. The PN should not be used to cover the use of data for research purposes.

You must ensure that a PN is available to individuals before you start to use or share people’s information.

Any staff member who knows the details of the project or activity can fill out the PN. However, it should be approved by the DPO, IG lead or team, or management team at the end of the process.

You will need to know your organisation’s processes for using and sharing information, records management and upholding individual rights. If your organisation has completed a DPIA for the project or activity, the information can be taken from there. All data uses recorded in your IAFR must be reflected in your PN to ensure transparency. For a detailed list of information which should be included in a PN, see the ICO's guidance.

Your PN should be published either on the website, displayed on notice boards or printed and made available, so that it is accessible to staff and members of the public.

The PN should updated whenever it is appropriate to do so. Reasons for necessary updates might be when your policies change, or when a new staff member is appointed to the role of DPO within your organisation.