COVID-19 Vaccine Trials Permission to Contact Service - DPIA risks
Describe source of the risk and nature of potential impact on individuals
Likelihood of harm (Remote; reasonable possibility or more likely than not)
Severity of impact (Minimal impact; some impact; or serious harm)
Overall risk rating (Low; medium; or high)
Options to mitigate (treat) the risk
Effect on risk (Eliminated, Reduced, Accepted)
Residual harm (Low; medium; or high)
Measure approved (Name and Date)
Actions taken (Date and Responsibility for completion)

How will volunteers ensure that, when they are approached by researchers, the approach is genuine and not, for example, a scam or phishing? Reasonable possibility Some impact Medium

All studies so far have used the service for NHS Digital to make initial contact with their cohort, as a processor on their behalf, directing them to a study specific pre-screening site. The PN sets out the email address that is used by the NHS Digital Contact Centre to make these approaches.

For studies choosing to approach their cohort themselves researchers will only use the official clinical trial email account to approach the volunteer – this is made a condition of data access.

Information is provided to volunteers on the specific trials they may be approached by on the Be Part of Research webpage. Volunteers are advised that recruitment is regional and that they will be contacted by the centre nearest to them. If volunteers are to be contacted by telephone, they will be provided with a study reference in the invite email, which a researcher will quote when contacting them by telephone – the Be Part of Research webpage will reference this approach as needed.

Statement included in the Privacy Notice telling individuals how to check a contact email is coming from an official email address and including links to the National Cyber Security Centre and Action Fraud websites with tips on how to recognise a scam. https://www.actionfraud.police.uk/scam-emails

Reduced Low          -

Include in Privacy Notice

Official emails and contact details included in NIHR to Be Part of Research Website - as needed.

Links to National Cyber Security Centre and Action Fraud included in the Privacy Notice.

Further work required with NHSD Cyber Team, NCSC and Researchers on the security of email and the addresses they use – as needed.

Owner:  IAO

 

Risk of individual being contacted too many times by researchers.  Reasonable possibility Minimal impact Low

This is mitigated by the limited number of CV19 vaccine trials running in the UK – estimated at between 5 and 12. NHSD will manage this within DARS.

We have processes in place to limit contact to no more than 8-12 times a year through the data extraction process and will not contact an individual where they have indicated they no longer wish to be contacted in this regard.

If NHS Digital is making contact on behalf of a researcher as a processor, then there will be a maximum of 1 follow-up (or chaser) email for each study.

Reduced Low         -

NHSD data extract process limits number of trials an individual is put forward for to 12.

Where researchers are provided with contacts they will be required to apply a similar rule of 1 chase-up email only. They also have a limited time period to make contact – this will be agreed as needed and documented in the DSA.

Owner: IAO

As there is no linkage to NHS Digital data or data from the devolved administrations, there is a risk that an individual has died after signing up and their family may see an email sent to them asking them to participate in a trial with potential distress to family members. However this risk would not impact the data subject themselves. Remote Minimal impact Low

Without authentication it is not possible for NHS Digital to check for death on PDS. However this risk is minimal for MVP where contact is only by email.

Researchers are asked to feed back if they discover an individual has died. We will attempt to confirm this by sending an email and then will mark the individual's record as inactive.
Accepted Low         - For consideration after MVP if alternative contact methods are introduced.

Someone tries to use the service to sign up someone for CV19 vaccine research without their knowledge (such as signing up a public figure)

Remote  Minimal impact Low

Email verification occurs at an early part in the patient journey – so although this is not a verification check it ensures that the person accessing the service has access to the email address being used to register for the service. 

If they are using a third party’s address, then this also means a notification email will be sent to that account which reduces the risk of spoofing. 

Further verification of the user would be required before NHSD would link any data to the individual. This is therefore currently out of scope until an authentication mechanism is built and implemented.

Accepted Low         - Consider this further when authentication mechanism is introduced.

Inadequate or no transparency

Patients are not sufficiently informed about how their personal data is being used through inadequate or lack of transparency material.

The risk to data subjects is that their personal data is processed in an unfair or unexpected way, potentially causing distress.
Remote Some Low

Information provided during the user journey.

User testing to ensure information is clear.

Privacy Notice in place which is written in plain English and contains full details of how data is used.

Further communications materials to promote service.

Accepted Low        - 

Layering of Privacy Notice to be considered in future releases to help reduce length of the Notice and increase ease of use.

Owner:
Improvements to be identified at next release, including removing table in the Annex and putting this on a different page. 

Risk of data being disseminated to organisations that do not meet the required security standard expected by NHS Digital

The risk to data subjects is that their personal data including special category data is processed by an unauthorised third party resulting in distress, anxiety and other harm to the rights and interests of the data subject.

Remote Minimal Low

NHS Digital Clinical Trials and DARS Team are responsible for assessing and fulfilling the applications for access to the data, which will include assessing the security arrangements that the clinical trials have in place for processing the data. Data will not be shared unless the clinical trials meet the required security standards.

These applications will only be successful if they pass the appropriate ethical, legal and Information Governance requirements set out by DARS to ensure that data is only shared where it is secure, lawful and appropriate to do so.

IGARD also provides independent oversight and scrutiny.
Accepted Low         -  None

Risk that an individual changes their email address or that the information they have provided becomes out of date.

More likely than not Some impact Low

At MVP there are no options for a user to update their details other than to withdraw their permission and re-register. For MVP this has been explained in the Privacy Notice and in the FAQs on the Service pages.

An authentication mechanism could remedy this and also support the facilitation of other rights, such as SARs, and updating details.

The impact of out-of-date data decreases once we stop sharing the data, which is from 30 July 2022; therefore the overall risk decreases.

Accepted Low         - 

Include in Privacy Notice.

Mechanism and update process to be considered as part of future development of wider PtC Service linked to introduction of an authentication mechanism.

The personal data is held for longer than necessary for the purposes set out in the COVID-19 Direction.

This could result in the personal data being held for longer than is necessary and be a breach of the GDPR as there would not be a lawful basis to process the data.

The risk to data subjects is that the risks associated with data breaches and unlawful use of their data are not eradicated as they should be by data deletion at the time the data is no longer required for the legal purposes for which it is held.  
Remote Minimal impact Low

The data will only be disseminated up to 3 months after the expiry of the CV19 Directions and S255 Requests, that is, 31 July 2022.

The Collected Data shall be retained for 8 years following last use in accordance with the NHS Digital Records Management Policy for record keeping and legal reasons and securely destroyed 31 July 2030. Information Assets are regularly reviewed by Asset Owners to prevent personal data being retained for longer than considered necessary. IG Team will also be supporting NHS Digital to review all COVID-19 assets on expiry of COVID-19 Directions and Section 255 Requests.

NHS Digital has created a record within the IG Team of all COVID-19 assets which have been collected or created. A separate area has also been created to hold COVID-19 data sets collated and/or processed under the COVID-19 Direction or COVID-19 Section 255 Requests. Upon instruction the data can easily be securely deleted.

Reduced Low         - 

Owner: IAO

As Information Asset Owner to ensure processes are in place to manage data appropriately in line with this DPIA and NHS Digital’s records management approach.

             - Remote Minimal impact Low            - Accepted Low         - None
             - Remote Minimal impact Low            - Accepted Low         -

Owner: IAO

Risk that the right to rectify information can only be exercised by withdrawing information and re-signing up, making it difficult for a participant to exercise this right. Remote Some impact Low

Currently the only way to rectify information, including if they’ve had a COVID test or there are any changes to their health conditions following initial sign-up, is to withdraw permission and re-sign up.

This has been highlighted more in the Privacy Notice.
Accepted Low         - This issue has been added to the backlog to be addressed in further releases of the service.
There is currently only one mode of communication for researchers to communicate initially with individuals about participating in the vaccine studies, which is not inclusive and may omit some communities or parts of communities from participating. Remote Some impact Low

Currently the only way for researchers to communicate with individuals through the Service is via email. 

It is noted that the Service is not the only way that trials will recruit and therefore there will still be other recruitment initiatives outside of the Service organised by the trials which may reach out to other individuals who are not able to use the digital sign up process.

Accepted Low          - The option to include a telephone number has been added to the Service.
             -  Reasonable possibility Some impact Low             - Reduced Low         -             -
             - Reasonable possibility Minimal Low             - Reduced Low         -             -
             - Reasonable possibility Some impact Low             - Accepted Low         - Owner: IAO
Risk we may receive, through the feedback process, the details of a volunteer who has not registered on the NHS Covid Vaccine registry. This could be due to onward sharing of the invitation by the volunteer, incorrect declaration from the volunteer during the pre-screener process or an administrative error from the clinical trial site.  Reasonable possibility Minimal impact Low

We are implementing validation of data we receive from the clinical trial site against the main volunteer registry to ensure that any volunteer details that do not also exist on our registry will be destroyed. Detailed process to be developed which will be agreed with trials prior to them accessing the service.

Further details to be included in next version of DPIA.

Accepted Low         -

To provide text to trials to add to their consent materials to inform participants of the feedback loop.  

Amendment to the data processing agreements may also be required once process is agreed. 

Risk that emails we are sending out from NHS Digital about the progress of the vaccine trials are regarded as emails being sent by NIHR or Be Part of Research due to content and branding which does not indicate the emails are from NHSD. This may not be within the expectations of patients, who may consider their details have been passed on to other organisations without their consent. Reasonable possibility Some impact Medium

Email is sent from NHSD email address, but additional steps should be taken:
  • including the NHSD logo in the email beside NIHR
  • ensuring content is not written in a way that suggests other organisations are sending the email
Reduced Low          - 

Discussed with NIHR and NHS Digital Communications – with mitigation actions implemented from October onwards

Owner: IAO
 
Risk that emails we are sending out from NHS Digital on behalf of researchers as their processors are regarded as emails sent by NHS Digital, contrary to the permissions given for researchers to contact the individuals. Reasonable possibility Some impact Low

Do not use an NHSD email address

Update Privacy Notice and Be Part of Research Website pages to indicate emails may be sent by NHSD email if the above not possible

Include in the content of the email if an NHSD email has to be used that NHSD is sending the email on behalf of the researcher as their processor

Reduced Low          -                 - 
Risk that emails we are sending out from NHS Digital about service updates are not covered by the permission given. Remote Some impact Low

Process will include a check with IG to confirm the message is in compliance with the permission given.

Reduced Low         -

Documented process being developed.

Owner:  IAO

Last edited: 22 March 2023 1:05 pm