Important: Demonstration Site
This PEUGIC project portal is a mock-up for demonstration purposes. It only contains made-up patient data; you MUST NOT enter real data here.
DPIA (Data Protection Impact Assessment)
Last updated: 10/04/2023
Approved by the NDRS Caldicott Guardian for the PEUGIC pilot phase: 11/04/2023
1. Introduction
Endoscopy is the main diagnostic test for oesophageal and gastric cancer (together upper gastrointestinal (UGI) cancer) and so optimising its delivery will make an important contribution to improving cancer outcomes. Over 1,000,000 endoscopies are undertaken each year in the National Health Service (NHS) to investigate individuals with UGI symptoms that could be indicative of cancer.
In more than 99% of endoscopies no cancer will be found, but a UGI cancer may subsequently be diagnosed in some of these patients. This is known as a post-endoscopy UGI cancer (PEUGIC). While a small number of these will be rapidly growing new tumours that were not present at the initial examination, the majority will already have started to form in the oesophagus or stomach but were simply not identified at endoscopy.
The current PEUGIC incidence rate in the English NHS is unacceptably high at 8.5% of all upper GI cancers, has increased over the last ten years and there are large variations between NHS trusts (1). Recent evidence shows that many of these PEUGICs are occurring in certain high-risk populations including young people, women, those with Barrett’s oesophagus or those with high levels of other comorbidities (1). There are, therefore, a substantial number of people that could have had their cancer detected at an earlier stage or even, potentially, prevented. In consequence, support for endoscopy services and evidence that will help reduce PEUGIC rates, especially in high-risk groups, is urgently needed.
This project is intended to provide both the endoscopy service support and the evidence required. Following a process of root cause analysis based on the World Endoscopy Organisation (WEO) recommendations (2,3), it will quantify at a population-level why PEUGICs arise and so generate robust intelligence to inform interventions to prevent them. It will do this by aiming to:
- Prospectively identify all PEUGICs that occur within the English NHS and provide each provider with the information on all the PEUGICs associated with their endoscopies.
- Establish a mechanism to enable a review and root cause analysis to be undertaken to robustly quantify why each of these PEUGICs occur.
- Provide evidence to help the Joint Advisory Group on GI Endoscopy (JAG) and other relevant partners, to introduce interventions to prevent the occurrence of PEUGICs and, hence, reduce the English PEUGIC rate.
2. Why is a DPIA required?
The PEUGIC root cause analysis project will involve the processing of sensitive information for a large number of individuals with upper GI cancer, as well as gathering information as to why that cancer failed to be diagnosed at an earlier time point. These data will be gathered without informed consent. As a result, a DPIA is required.
3. What is the Post-Endoscopy Upper GI Cancer root cause analysis project?
The PEUGIC root cause analysis project will be composed of four interlinked work packages. These are:
Work package 1: Identification of all PEUGICs in the English NHS
Previous work has developed a method to quantify PEUGIC rates using routine data across the NHS (1). To date, this algorithm has only been applied retrospectively to calculate historical rates but, recently, access to almost real-time information on endoscopy data was established within the National Cancer Registration and Analysis Service (NCRAS). This project will adapt the algorithm to run prospectively and, every time an upper GI cancer is identified by NCRAS, records will be searched to determine if that individual had previously undergone an endoscopy in which the cancer was not detected and where that endoscopy was performed. If so, the cancer will be classed as a PEUGIC and the service in which this index endoscopy was performed will be notified of its occurrence. That service will then be responsible for capturing details of the tumour and other relevant factors about the PEUGIC and transferring them to the root cause analysis system described in work package 2.
Work package 2: Development of a secure web-based root cause analysis (RCA) tool
Based on pilot work (3) and the previous recommendations of the WEO consensus group on post colonoscopy colorectal cancer (PCCRC) (2), a proforma will be developed that captures the data items required to understand the reasons for a PEUGIC occurrence and that are necessary for a RCA review. These data will be captured in a secure web-based tool that will facilitate national data capture. The system will enable each endoscopy provider in the country not only to be informed of the occurrence of a PEUGIC and the need for a RCA to be undertaken on that case but also to provide a structured method for them to report the results of the RCA they undertake that can be captured centrally and that will enable robust analysis of the reasons for their occurrence. The resource will build on the system already developed for the national PCCRC audit, which has already been successfully rolled out across all NHS secondary care providers in England.
Work package 3: Quantifying the reasons why PEUGICs occur
Once the RCA data have been captured from endoscopy providers, analyses will be undertaken to assess common factors across the population and generate robust information as to why they occur.
Work package 4: Interventions to reduce the occurrence of PEUGICs
The evidence generated in work package 3 will then be disseminated in an effort to inform interventions designed to reduce the occurrence of PEUGICs.
4. The nature of the processing of the PEUGIC data
4.1 How will the PEUGIC data be collected, used, stored and deleted?
Contact details collected as part of the portal
When clinicians and other professionals register for access to the portal they will be asked to submit the following data items:
- First name and surname
- Email (nhs.net or NHS accredited email)
- Mobile phone (for two factor authentication)
- GMC/NMC number (optional)
- Organisation
They will also be asked to accept the following consent questions:
- I consent that NHS England can keep my details on record, create an account on the PEUGIC RCA tool and use them to contact me about the PEUGIC RCA project
- I consent that NHS England can share my name, email address and organisation name with the PEUGIC project team as part of the monitoring and follow-up
- I consent that the PEUGIC team can use the data I provide in the PEUGIC RCA tool anonymously for national data analysis
This information will be compared to NHS databases to verify the users and will be used to create their accounts. This information will be held in the National Disease Registration Service (NDRS) server.
Data items collected in the portal
PEUGIC cases will be identified as new upper GI cancers are registered within NCRAS. At regular intervals each individual with an upper GI cancer (ICD10 codes C15, 16 and 17.0) provisionally registered will be sought within the Hospital Episode Statistics (HES) database linked to NCRAS data to determine if an endoscopy, which failed to diagnose the cancer, was undertaken in the 3 to 36 months prior to the diagnosis of the tumour. If so, this record will be deemed a PEUGIC and basic information about the tumour will be imported into the PEUGIC root cause analysis project tool. This will include information to identify the patient as well as details about the tumour, the date of the endoscopy and where it was undertaken. The data items taken from the NCRAS dataset are listed below.
General details and patient factors:
- NHS number
- Patient name
- Sex
- Date of birth
Cancer details
- Date of cancer diagnosis
- Trust of cancer diagnosis
- Hospital of cancer diagnosis
- Cancer site
- Histology
- T (if present in Cancer Registry data)
- N (if present in Cancer Registry data)
- M (if present in Cancer Registry data)
- Overall stage (if present in Cancer Registry data)
Index endoscopy details
- Date of index endoscopy
- Trust of index endoscopy
- Hospital of index endoscopy
This information will then be transferred to the root cause analysis portal and, regularly (every four months), each endoscopy provider in the country will be notified of their cases. One or more nominated individuals (registered with the portal) at each provider will then investigate the endoscopies in question and complete the root cause analysis dataset. The data items they will collect are listed in Appendix 1. The data items on the portal will be updated following the root cause analysis pilot.
Once a provider has reviewed their cases the data will be submitted back to NCRAS and all returned cases will be collated into a national dataset. Clinicians undertaking root cause analysis as part of this project may not have access to relevant staging and outcome data for patients, e.g. if the patient was referred for endoscopic or surgical resection or oncological therapy at another centre. The following additional information will therefore be extracted from HES, the Cancer Analysis System (CAS) (cancer registry analysis database) and other reference data tables:
- Index of multiple deprivation (IMD)
- Survival time
- Ethnicity (derived from the self-reported ethnicity captured in the episode of care that recorded the diagnostic endoscopy)
- Charlson comorbidity scores
- Stage at diagnosis derived from imaging
- Pathological stage T, N, M and overall
- Surgery undertaken and operation type
- Chemotherapy undertaken, treatment intent, adjuvant status and performance status from SACT
- Radiotherapy undertaken and treatment intent
- Immunotherapy undertaken and treatment intent
- Endoscopic resection therapy undertaken
Moreover, for patients that have had a previous upper GI cancer, the following information regarding the(se) previous cancer(s) will be extracted:
- Cancer site
- Cancer morphology
- Pathological stage T, N, M and overall
- Diagnosis date
- Stage at diagnosis derived from imaging
- Surgery undertaken and operation type
- Chemotherapy undertaken, treatment intent, adjuvant status and performance status from SACT
- Radiotherapy undertaken and treatment intent
- Immunotherapy undertaken and treatment intent
- Endoscopic resection therapy undertaken
All direct patient identifiers will be removed and analyses will then be undertaken to investigate, at a population level, the reasons why PEUGICs occur and, hence, evidence to inform initiatives to prevent them. Existing pilot evidence suggests that approximately 70% of PEUGIC are potentially avoidable (3). Whether PEUGIC are avoidable or not can only be determined through the root cause analysis in this project. The outcomes of PEUGIC patients with potentially avoidable PEUGIC will be an important driver of quality improvement efforts in endoscopy.
Finally, the results of these analyses will then be disseminated to relevant parties. This will include providers who will be able to see their results in comparison to collated national rates of PEUGIC causes, as well as relevant professional bodies who quality assure national endoscopy services.
4.2 Sharing of the PEUGIC root cause analysis project data
The data will be shared in a number of ways. Firstly, they will be used for analyses aimed at determining why PEUGICs occur. The results of these analyses will be shared with both providers and professional bodies to inform interventions to reduce PEUGIC rates. These results will also be published in peer-reviewed publications and other reports, as well as being presented at conferences and meetings.
The data the analyses are derived from will also be retained in the NCRAS. If researchers or analysts external to the root cause analysis team wish to make use of the data for other projects then they will be able to do so by following the standard NCRAS request process through NHS England’s Data Access Request Service (DARS).
4.3 Data flows
The flow of data in the PEUGIC root cause analysis project is described in Figure 1.
Figure 1: Data flows in the PEUGIC root cause analysis project
5. The scope of the data processed as part of the PEUGIC root cause analysis project
5.1 The nature of the data being collected
The data items to be collected are described above and include information on all relevant aspects as to how the PEUGICs have occurred.
5.2 How much data will be collected?
Preliminary work suggests there will be around 1,300 PEUGICs identified annually. This will amount to between 10 and 30 PEUGICs per provider depending on their endoscopy workload. Initial funding for the PEUGIC root cause analysis project will enable us to capture up to 18 months’ worth of data (so around 2,000 PEUGICs) but it is anticipated that further resource will be sought to extend the work beyond the two years of the project and so enable ongoing data capture.
5.3 How frequently will data be collected?
Each provider will be notified of their cases after batches of provisional registrations captured by NCRAS are linked to HES data. This will happen every four months. The frequency of this may vary, however, depending on other NCRAS work priorities as the linkage will not be specific for this project and will be undertaken at the same time as those undertaken for others.
5.4 How long will data be kept for?
The extracted data will be kept for at least five years after completion of the project by the analysis team. The data will provide a valuable resource for research and so will be kept alongside the standard cancer registration dataset and managed in an identical way. Any data analysis processes (i.e. data cleaning) will be fed back to the cancer registry team to retain this knowledge.
5.5 What geographical area will the data cover?
The data will include all PEUGICs that occur in England. Once feasibility has been demonstrated in this population it is expected there will be enthusiasm to extend the work to include the rest of the United Kingdom. This would demand, however, the use of data not currently available in the NCRAS system and so is beyond the scope of this DPIA. If the work is to be extended, further information governance approvals would be sought from the relevant bodies in Scotland, Northern Ireland and Wales to enable this.
6. The context of the processing of data for the PEUGIC root cause analysis project
6.1 What is the nature of your relationship with the individuals?
The individuals included in the project will be those who have undergone an endoscopy that did not detect an upper GI cancer that was subsequently diagnosed. This is an extremely negative event for such people as it means that an opportunity to find their cancer at an earlier, more treatable stage, or even to prevent it, was missed. Whilst this root cause analysis project will not be able to rectify this missed opportunity for those affected, it does hope to generate evidence to limit the number of instances in which this happens in the future.
6.2 Would the individuals involved expect you to use their data in this way?
Given that the failure to identify a cancer at the earliest opportunity may have grave implications for the individual, it would be reasonable to assume that they would view it as extremely important to review their case to understand why this happened.
Patient support groups such as Heartburn Cancer UK have confirmed how vitally important they think this work is to improving patient outcomes for upper GI cancer and are fully supportive of patient data being used in this way.
6.3 Does the PEUGIC root cause analysis project include children or other vulnerable groups?
Any individual who is diagnosed with an upper GI cancer through an endoscopy (and who is over the age of 18) will be included in the project. These individuals may be from vulnerable groups but this would not be apparent to the project team. Only details relevant to why the endoscopy did not detect the cancer will be captured.
6.4 Are there prior concerns over this type of processing or security flaws?
There are no existing concerns over this type of processing or security flaws in the system described.
6.5 Is the processing novel in any way?
The methods of processing the data are not novel. The method for identifying PEUGIC cases is based on the existing methods for identifying post-colonoscopy colorectal cancer cases, and the web tool being used to capture the data will be based on the existing one for that national audit. The data being captured are those recommended for reviewing such cases (3).
6.6 What is the current state of the technology in this area?
The methods described are the current state of the art technology in this area.
6.7 Are there any current issues of public concern you should factor in?
There is always public concern about the use of patient data without informed consent. Although these concerns are well recognised by the PEUGIC root cause analysis project team it would not be possible to consent all the individuals involved in this work and there is a strong public benefit of proceeding with the project. Any person diagnosed with a PEUGIC has had an opportunity missed for their tumour to be diagnosed at an earlier stage or even prevented. Rates of PEUGIC are unacceptably high and there is considerable unexplained variation between endoscopy services. It is estimated that the numbers could be reduced by up to 800 per year (3). This project will seek to generate the evidence that will enable that reduction and so is hugely valuable. Concerns about the use of personal data are, however, recognised so measures have been taken to ensure patient identifiers are restricted to a limited number of NCRAS staff and the clinical teams who undertook the relevant endoscopies on the individuals concerned.
6.8 Are you signed up to any approved code of conduct or certification scheme?
The PEUGIC root cause analysis project will be undertaken within the NCRAS environment which is NHS Data Protection and Security Toolkit (DPST) approved. In addition, NCRAS has legal permission to collect patient data to use it to protect the health of the population. This project will be undertaken within those approvals.
On the 1st October 2021, permission was provided to NHS Digital under legal instructions known as Directions, from the Secretary of State for Health and Social Care, under section 254 of the Health and Social Care Act 2012 (2012 Act). The Directions are called the National Disease Registries Directions 2021. They instruct NHS England to collect and use confidential patient information to operate the NDRS.
NHS England have published a transparency notice outlining how and why they operate the NDRS.
The NDRS has powers to publish anonymous statistical data under section 260 of the 2012 Act and to share data under section 261 of the 2012 Act. It also has powers to share data, subject to security and privacy safeguards outlined above, under other laws, for example under Regulations 2, 3 and 5 of the Control Of Patient Information (COPI) notice.
Under UK General Data Protection Regulation (GDPR), NDRS can only collect and use personal data if they have a legal basis under Articles 6 and 9 of the UK GDPR. The legal basis for NDRS collecting and analysing personal data is Article 6(1)(c) of the UK GDPR, as they are required to do this to operate the NDRS under the National Disease Registries Directions 2021.
As the data collected is health data, which is a special category of data under UK GDPR, the NDRS also have an additional legal basis under Article 9(2)(g). The processing of the data is substantially in the public interest and in accordance with the law, for the purposes of NHS England exercising its statutory functions under the National Disease Registries Directions 2021. It is substantially in the public interest to improve NHS cancer treatment and care, improve patient outcomes in England and how these are affected by sex, ethnicity, disease type and geographic region. This is also permitted under paragraph 6 of Schedule 1 of the Data Protection Act 2018.
On the 1st February 2023 NHS Digital merged with NHS England. Any information referring to NHS Digital in this document will be updated once NHS England update their guidance.
7. The purpose of processing the PEUGIC root cause analysis project data
The purpose of processing the PEUGIC root cause analysis project data is to benefit all people who undergo an endoscopy in the future. The direct benefit will be to reduce the number of cancers that are missed by endoscopy in England. The steps taken to prevent missed cancers will also help to improve the general quality of endoscopy. This is important as high quality endoscopy increases the likelihood that any pre-cancerous lesions in the upper GI tract will be identified and this will stop cancers from forming and so prevent the disease. As the evidence generated would be relevant to all endoscopy services across the world, the work will have an international impact.
The research outputs associated with the work may also have a positive impact on the academic careers of all the project team but there will be no other direct benefits for their involvement in the work.
7.1 Consultation process
Extensive consultation has already been undertaken for the PEUGIC root cause analysis project and this will continue through the duration of the project. Stakeholders who have been consulted include:
1. Patients
The project has been discussed with the Heartburn Cancer UK, Action Against Heartburn and the Oxfordshire Oesophageal and Stomach Organisation patient groups and they are fully supportive and have had input into the study’s design. Mrs Mimi McCord, Chairman of HCUK, is a lay co-applicant on the project and member of the project steering group and will be closely involved in all aspects of the delivery of the project.
2. Professional bodies
The results of the PEUGIC root cause analysis project will have major implications for how endoscopy is delivered across the NHS. As a result, it is vital that those professional bodies overseeing endoscopy services are involved in the work from the outset. An oversight committee including representatives from JAG, the British Society of Gastroenterology, the Association of Upper GI surgeons of Great Britain and Ireland and NHS England has, therefore, been convened and it will meet regularly throughout the course of the project and ensure the data are used in an appropriate and constructive manner.
3. Relevant data providers and processors
Extensive discussions have been underway to determine the optimal use of data for this project. For example, over several years collaborations have been underway to derive robust methods for detecting PEUGICs as well as to define a minimum dataset to enable their reporting (1,3). This evidence has informed the methods that will be adopted in this project. In addition, it is recognised that it is essential to do the utmost to protect the confidentiality of PEUGIC patients whilst also capturing these data. This has already been achieved for similar projects, such as the National Post Colonoscopy Colorectal Cancer Audit using the web-based data capture tool created by NCRAS. This project is, therefore, also using that methodology to increase efficiency and ensure data security.
The web tool will be developed and managed by Health Data Insight. The project team also includes academics from the University of Oxford as well as practising gastroenterologists and members of staff from NCRAS. All members of this team have undertaken extensive training in the secure and appropriate handling of data and are aware of their responsibilities in ensuring data security.
8. Necessity of access to, and compliance of, data for the PEUGIC root cause analysis project
According to the GDPR, the lawful basis for processing personal data is Article 6(1)(c) legal obligation.
8.1 Will the processing of data for the PEUGIC root cause analysis project achieve its purpose?
The processing of data for the PEUGIC root cause analysis project will have an immediate benefit for individual services and endoscopists. This is because, at present, services struggle to identify PEUGICs (especially if they are diagnosed in a different hospital) and are not sure how to assess them. The new PEUGIC root cause analysis project system will provide them with both notification of their cases and a structured way to assess them. In addition, the system will enable accurate monitoring of what services are doing with minimal effort.
Furthermore, there would also be an accelerated benefit achieved by sharing a much wider pool of intelligence by looking at PEUGICs across the whole of England. This will make it possible to identify factors and themes across many providers that may not yet have occurred at a local level and which can be highlighted to mitigate problems before they arise or become apparent in individual services. The project will identify these factors and themes, and through the JAG and other stakeholders disseminate the learnings. If the national picture provides strong enough evidence that certain guidelines, processes or practices will prevent PEUGICs (such as identifying the highest risk groups and offering them more frequent surveillance, perhaps with image enhancing or other techniques) then it is expected that these will be incorporated into national guidance and requirements to achieve/maintain JAG accreditation.
These important outcomes could not be achieved via any other mechanisms.
8.2 How will data quality and data minimisation be achieved?
Cases will be identified for inclusion in the PEUGIC root cause analysis project via the NCRAS. The cancer registration work of NCRAS involves a team of highly trained and skilled staff and extensive quality assurance. In addition, the clinical teams who have managed any PEUGIC patients identified will be notified of their existence providing an additional mechanism of validating the data captured.
The new data items beyond the standard cancer registration dataset provided to the project directly from endoscopy providers have been derived by the pilot root cause analysis work (3). The vast majority will be captured via drop down menus and tick boxes and free text fields will be kept to a minimum to ensure data are appropriately coded throughout. The web forms being used to capture the data will be extensively tested and piloted prior to national roll-out of the audit. This process is intended to ensure the consistency and quality of data captured.
Finally, direct patient identifiers are only required for the initial linkage to identify the PEUGIC cases and to notify providers of those cases which are relevant to their service. These sensitive identifiers will, therefore, only be accessible to an extremely limited number of individuals within the cancer registry and the direct clinical care teams of patients. The resulting root cause analysis data will have these identifiers removed prior to any analysis to protect patient confidentiality.
8.3 What information will you give individuals?
Information about the PEUGIC root cause analysis project will be published on a dedicated webpage on the CORECT-R website. This site will describe the aims and methods of the study in language that is easy to understand and will include a study-specific privacy statement.
8.4 How will you support their rights?
If individuals do not wish their data to be used in research (such as this project) stemming from the secondary use of administrative health datasets then they are able to declare this and ‘opt out’ of having their data used in this way. This project’s website will signpost the steps individuals need to take if they do not wish for their data to be involved in such projects (via the NDRS website: https://www.ndrs.nhs.uk/patients/opting-out/).
8.5 What measures will be taken to ensure the data processors involved comply?
The work described will be undertaken within the existing structures of NCRAS which are designed to ensure the highest standards of data security are maintained. The data for this study will, therefore, be managed and processed according to those standards. This will ensure the project team comply with the relevant standards.
8.5.1 Registration on the portal
Users will have to register their details before an account is created for them to access their patient registry data via the portal. During registration, users will be asked for some contact details, as well as their GMC number (optional), mobile phone number and organisation name, which will be stored securely by NCRAS within the portal system.
During registration, users will be asked to provide specific, GDPR-compliant consent for future contact and use of their details/data.
The four consent questions relate to:
- Consent that NCRAS can keep details on record, create an account and contact the user about the PEUGIC root cause analysis project
- Consent that NCRAS can share name, email and organisation name with the PEUGIC project team as part of the monitoring and follow-up
- Consent that the PEUGIC project team can keep name, email and organisation name on record for the purposes of follow-up
- Consent that the PEUGIC project team can use the data in the portal for national data analysis (anonymous) and linking with other datasets such as the National Endoscopy Database
Clear information on how to withdraw consent is provided with the questions.
Before an account is created, a clinician must have three things verified: their email address, the fact that they are a clinician with the ability to practise medicine, and the fact that they are at the trust they have told us. A full SOP is available for this process.
The lead user for the organisation (Lead Endoscopist/Lead Gastroenterologist) will be asked to register for an account first and then if required they are able to request to add additional users from inside the portal system (via the ‘Add another user’ function).
8.5.2 Continuous access to the portal
Access to data on the PEUGIC portal will be monitored. At twelve-month intervals from the start of data collection, all registered users will have their fitness to practise confirmed again via the GMC register and checks will be undertaken to confirm they still work at the organisation at which they were registered on the portal system. Any users found to be no longer allowed to practise medicine will have their accounts deleted immediately. For any users who are found to have changed organisation, the account will be locked. The user will be contacted to ascertain which organisation (if any) they are now associated with and if they still use their portal account.
8.5.3 Data transfer from organisation via the portal
All data entry and submissions of patient data will take place within the secure N3 network via the portal hosted and managed by NCRAS.
8.5.4 Servers
The data will be stored on servers at a secure data centre on the N3 network, in the same way as the NCRAS encore cancer registration system, and protected in line with the NHS Information Governance Toolkit. All identifiable data will be encrypted on disk.
8.5.5 Security vulnerabilities
The NCRAS IT team maintains active awareness of security vulnerabilities, and the front-end servers are updated and patched regularly against known vulnerabilities.
8.6 How do you safeguard international transfers of data?
The conduct of the project itself will not necessitate any international transfers of data. Researchers from overseas may, however, request access to information derived from the portal. If such a request is made then NHS England’s Data Access Request Service (DARS) will manage that process and ensure the transfer of any data is legal.
9. Identification and assessment of risks
Risks of Processing Matrix. Impact on Individuals: Will the processing lead to individuals suffering… | Likelihood of Harm: Remote, Possible, Probable | Severity of Impact: Minimum, Significant, Severe | Overall risk: Low, Medium, High | Reasons |
---|---|---|---|---|
Inability to exercise their privacy rights, i.e.: To be given information about processing; To access their personal data; To request correction; To request erasure; To object to personal data being processed for marketing purposes; To object to processing where the lawful basis is legitimate interests; To restrict processing; To request transfer to another party; Inability to request decisions are made by a person and not by automated processing | Remote | Severe | Low | According to the GDPR, the lawful basis for processing personal data is 6(1)(c) legal obligation. |
Inability to access services | Remote | Minimal | Low | The ongoing processing of participant data for the PEUGIC root cause analysis project will have no impact on an individual’s ability to access any healthcare services (and is irrelevant to any other services). |
Inability to access opportunities | Remote | Minimal | Low | The ongoing processing of participant data for the PEUGIC root cause analysis project will have no impact on an individual’s ability to access opportunities. |
Loss of control over personal data | Probable | Significant | High | See ‘Transparency’ and ‘Data Sharing’ sections - 8.3 and 8.4 |
Discrimination | Possible | Significant | Medium | Involvement in the PEUGIC root cause analysis project is unrelated to any other aspect of individuals’ lives & so involvement is unlikely to result in any form of discrimination. |
Identity theft | Remote | Severe | Low | Possible causes of loss of data include: (i) hacking or theft of data while in storage at NCRAS; (ii) loss of data in transfer between NHS data providers and NCRAS. The NCRAS Data Sharing policies, technical measures (e.g. default deny firewall, individual accounts with permission management, use of encryption and secure data exchange portals etc.) all mitigate this risk. |
Fraud | Remote | Minimal | Low | No financial information is stored as individuals are not paid for their participation in the study. |
Financial loss | Remote | Minimal | Low | No financial information is stored as individuals are not paid for their participation in the study. Knowledge of the underlying medical condition could potentially lead to employment issues but this information would be disclosed anyway irrespective of any involvement with the study. |
Reputational damage | Remote | Minimal | Low | The ongoing processing of participant data for the PEUGIC root cause analysis project will not result in reputational damage to individuals. |
Physical harm | Remote | Severe | Low | There are no obvious circumstances where the current data processing could lead to physical harm. |
Emotional harm | Remote | Significant | Low | There are no obvious circumstances where the current data processing could lead to emotional harm. |
Loss of confidentiality | Remote | Significant | Low | The NCRAS Data Sharing policies, technical measures (e.g. default deny firewall, individual accounts with permission management, use of encryption and secure data exchange portals etc.) all mitigate this risk. |
Reidentification of pseudonymised data | Remote | Significant | Low | Personal identifiers and health information are stored within the study database protected by robust security controls. A comprehensive overview of security controls is given in the NCRAS security policy. The risk of this being accessed is therefore remote, making reidentification remote. Any publicly available data will not allow for any participant to be identified and if pseudonymised data should be shared with other researchers, then the only means of reidentification would be via access into the study database via the firewall. |
Any other significant economic disadvantage | Remote | Minimal | Low | Knowledge of the underlying medical condition could potentially lead to employment or insurance issues & hence economic disadvantage but this information should be disclosed anyway and is separate to involvement with the study, which should have no bearing on either employment or insurance matters. |
Any other significant social disadvantage | Remote | Minimal | Low | There is no obvious circumstance which would lead to significant social disadvantage. |
Security Risk Matrix. Source of Risk to Individuals: A breach of security leading to individuals suffering… | Likelihood of Harm: Remote, Possible, Probable | Severity of Impact: Minimum, Significant, Severe | Overall risk: Low, Medium, High | Reasons |
---|---|---|---|---|
Loss of personal data examples: Insecure electronic devices; Unencrypted memory sticks; Paper copies removed from secure work environment; IT system | Possible | Significant | Medium | Possible causes of loss of data include: (i) hacking or theft of data while in storage at NCRAS, (ii) loss of data in transfer between NHS data providers & NCRAS. Mitigated by: Data are transferred encrypted using secure methods and stored encrypted on NCRAS computers behind a firewall. Contracts are in place with relevant NHS central registry bodies to detail requirements & standards with respect to data handling. Agreement will be in place for onward sharing of data. |
Destruction of personal data | Possible | Minimal | Low | There is no direct consequence to the individuals as a result of possible destruction of personal data (i.e. no provision of service or opportunities are linked to the processing other than the opportunity of taking part in the research). |
Alteration of personal data | Possible | Minimal | Low | There is no direct consequence to the individuals as a result of possible alteration of personal data (i.e. no provision of service or opportunities are linked to the processing other than the opportunity of taking part in the research). |
Unauthorised disclosure of personal data examples: Insecure paper waste disposal; Insecure hardware disposal; Use of insecure email accounts; Phishing by email, telephone or face to face | Remote | Significant | Low | There is a small risk of unauthorised (accidental or deliberate) disclosure of personal data. However, to minimise this risk, all staff working on the project are required to complete annual Information Governance training which is monitored centrally. PEUGIC root cause analysis project team members will be bound by NHS England’s data protection policy and associated disciplinary procedures are in place for failure to adhere to this policy. |
Unauthorised access to personal data examples: Inadequate doors and locks; Inadequate supervision of visitors which is monitored centrally; Inadequate IT system security | Possible | Significant | Medium | There is a small risk of unauthorised personnel accessing personal data due to inadequate physical security. However, to minimise this risk, all staff working on the project are required to complete annual Information Governance training. PEUGIC root cause analysis project team members will be bound by NHS England’s data protection policy and associated disciplinary procedures are in place for failure to adhere to this policy. |
Inability to access personal data because IT systems used for processing are unavailable | Remote | Minimal | Low | No direct outcome in terms of service provision to individuals results from this situation. |
Inability to access personal data in a timely manner due to inability of the PEUGIC root cause analysis project team or a third party to restore access to systems in a timely manner | Remote | Minimal | Low | No direct outcome in terms of service provision to individuals results from this situation. |
Data Protection Principles Risks Matrix. Source of Risk to Individuals: Will individuals suffer harm because… | Likelihood of Harm: Remote, Possible, Probable | Severity of Impact: Minimum, Significant, Severe | Overall risk: Low, Medium, High | Reasons |
---|---|---|---|---|
Personal data will not be obtained direct from patients & informing them of the processing is impossible to achieve or will involve disproportionate effort | Remote | Significant | Low | Data will be obtained from the NHS Registries and there is no planned contact with participants. However, transparency of processing is met by information provided in the Privacy notice on the study website. |
The purpose of processing is unclear | Remote | Significant | Low | The purpose of processing is made clear via information provided on the PEUGIC root cause analysis project website. |
The purpose changes over time | Remote | Significant | Low | The purpose of data processing will remain ‘research’ and is very unlikely to change in the future. |
A new purpose arises | Remote | Significant | Low | The purpose of data processing will remain ‘research’ and is very unlikely to change in the future. |
Inadequate personal data is collected for the purpose | Remote | Significant | Low | It is highly unlikely that inadequate data is collected as ethics and health registry approvals require justification of the data that is to be processed. In addition, data is collected either directly from participants or from sources which employ robust data integrity and quality processes. |
Irrelevant personal data is collected | Remote | Significant | Low | It is highly unlikely that irrelevant data is collected as ethics and health registry approvals require justification of the data that is to be processed. |
More personal data is collected than necessary | Remote | Significant | Low | It is highly unlikely that more data than necessary is collected as ethics and health registry approvals require justification of the data that is to be processed. |
The personal data held is not accurate | Remote | Minimal | Low | Data accuracy is assured as it is collected from sources which employ robust data integrity and quality processes. |
The personal data is collected from unclear sources | Remote | Minimal | Low | Data is collected from clear sources as identified in the data flow diagram. |
The integrity of the personal data is unclear | Remote | Minimal | Low | The integrity of the data is clear as it is collected either directly from participants or from sources which employ robust data integrity and quality processes. |
The personal data is kept for longer than needed | Probable | Minimal | Low | The PEUGIC root cause analysis project privacy notice clearly states the length of time for which data is needed to fulfil the purpose of the processing. As the processing purpose is unlikely to deviate from ‘Research’, we may also exercise the provision under Article 5(1)(e) GDPR that allows NCRAS and Sandwell & West Birmingham NHS Trust to store personal data for a longer period than necessary for the purposes for which it is processed, where the processing is solely for research purposes. This has also been clearly communicated to individuals via the website privacy notice. |
10. Identification of measures to reduce risk
Risk | Options to reduce or eliminate risk | Risk: Eliminated, Reduced, Accepted | Residual risk: Low, Medium, High | Measure approved: YES, NO (To be completed by approver) |
---|---|---|---|---|
Loss of control over personal data | Data subjects are informed of their options to opt-out on the privacy page. | Reduced | Low | |
Discrimination | Knowledge of a data subject’s data in the database could imply that the data subject has been diagnosed with cancer, which could affect their employment or insurance. Pseudonymisation and other data minimisation techniques are employed to reduce the likelihood of identification. | Reduced | Low | |
Loss of personal data. Examples: Insecure electronic devices; Unencrypted memory sticks; Paper copies removed from secure work environment; IT system | Data is transferred encrypted using secure methods and stored encrypted on computers behind a firewall. See NCRAS SLSP for a description of measures to protect data during storage and transfers. Contracts are in place with relevant bodies to detail requirements & standards with respect to data handling. Patient data will not be held on portable or unencrypted devices. All data will be encrypted in transfer. | Reduced | Low | |
Unauthorised access to personal data. Examples: Inadequate doors and locks; Inadequate supervision of visitors; Inadequate IT system security | Those involved in the PEUGIC root cause analysis project are bound by the NHS England data protection policy; disciplinary procedures are in place for failure to observe these policies. | Reduced | Low | |
11. References
1. Kamran U, Evison F, Rutter M, Adderley N, Brookes M, Morris E, Burr N, Valori R, McCord M, Trudgill N. O50 Variation in postendoscopy upper gastrointestinal cancer across endoscopy providers in England: a population-based study. Gut 2022;71:A28-A29.
2. Rutter MD, Beintaris I, Valori R, et al. World Endoscopy Organization Consensus Statements on Post-Colonoscopy and Post-Imaging Colorectal Cancer. Gastroenterology 2018;155(3):909-25.e3.
3. Kamran U, King D, Abbasi A, Coupland B, Umar N, Hebbar S, Trudgill N. A root cause analysis system to establish the most plausible explanation for post endoscopy upper gastrointestinal cancer. Endoscopy 2022;54:1–10. DOI: 10.1055/a-1917-0192.
4. Burr NE, Derbyshire E, Taylor J, Whalley S, Subramanian V, Finan PJ, Rutter MD, Valori R, Morris EJA. Variation in post-colonoscopy colorectal cancer across colonoscopy providers in English National Health Service: population based cohort study. BMJ 2019;367:l6090.