Data protection impact assessment: GPES Data for Pandemic Planning and Research (COVID-19)
Under the UK GDPR, a Data Protection Impact Assessment (DPIA) is required to be undertaken by the data controller(s) where the processing of personal data is considered to be of a high risk to the rights and freedoms of individuals.
In particular GDPR requires a DPIA to be carried out where there is processing of personal data relating to health on a large scale.
The GP practices are the controllers of the collected data before it is extracted and shared with NHS Digital. When it has been collected by NHS Digital, NHS Digital becomes the controller of the collected data. The collection by NHS Digital of this collected data is considered to require a DPIA to be carried out by NHS Digital. NHS Digital has therefore prepared this document as its DPIA to satisfy its own compliance requirements as a controller of the collected data under the COVID-19 Direction.
Further information
We've carried out a disproportionate burden assessment on the GPES Data for Pandemic Planning and Research – Data Protection Impact Assessment (DPIA), which has been published as a 105-page PDF.
Last edited: 21 August 2024 9:47 am