SAVVI - Information Governance Framework
revision | on | by | note |
1 | 09/03/2021 | Paul Davidson, SAVVI | 1st draft |
2 | 15/03/2021 | Paul Davidson | Restructure |
Phases of data use in the SAVVI Process 4
Reusing existing personal data to build a risk-index 4
Defining Vulnerability and the Local Context 4
Propose a Lawful proposition for sharing 6
Agree in principle to share @VulnerabilityAttribute data 9
Prepare Information Governance Documents 10
Set up procedures to support individuals’ rights 12
Making a Proposal via the Digital Economy Act 13
About the Digital Economy Act 2017 13
Check existing Information Sharing Agreements 14
Using the Public Service Delivery - ‘Multiple Disadvantages’ Objective, or a future Objective. 14
Complying with the DEA Code of Practice 15
SAVVI - Vulnerability Purpose 18
SAVVI - initial risk data questionnaire 18
SAVVI - Lawful Basis Proposition 19
SAVVI - Agreement on the Legal and Lawful Basis to share data 20
SAVVI - Proposition for a new Data Share under the Digital Economy Act 21
This document describes the SAVVI Information Governance Framework.
SAVVI is the ‘Scalable Approach to Vulnerability via Interoperability’. SAVVI proposes
See the SAVVI website at http://www.savviuk.org
Personal data is re-used, shared, and analysed, to find potentially vulnerable people; and then new data is generated or created, and passed to a network of organisations to provide support.
This SAVVI IG Framework recommends the steps to take throughout the process so that information is handled legally and ethically.
This framework makes reference to ...
[1] | |
[2] | ICO Guide to the UK General Data Protection Regulation (UK GDPR) |
[3] | Data Sharing process proposed by Greater Manchester Health and Social Care Partnership |
[4] | |
[5] | |
[6] |
This SAVVI Information Governance Framework learns from the ICO’s Data Sharing Code of Practice [1] where it says
… and from ICO Guide to the UK General Data Protection Regulation (UK GDPR) [2] where it says
The SAVVI Process already defines the roles of the organisations involved in a Vulnerability Initiative. These definitions are found in the SAVVI Glossary.
@LeadOrganisation | An organisation responsible for coordinating a vulnerability initiative. |
@SourceOrganisation | An organisation that provides @Attribute data. |
@ResponsibleOrganisation | An organisation which is made responsible for a @Case. |
@DeliveryOrganisation | A service provider who delivers actions that respond to a @Need |
In summary
topic | requirement | input/output | references |
Data Controllers | The ICO describes a Data Controller as ... “A controller determines the purposes and means of processing personal data”. | ||
This SAVVI Information Governance Framework considers each of the organisations in the SAVVI Process to be ‘Controllers’. | |||
Accountable Governance Group | Each Controller will have a Governance Group that is responsible and accountable for ‘Information Governance’, so that it can take decisions and adopt IG documents. | output:SAVVI Project Structure | [6]-effective governance and oversight mechanisms |
Data Protection Officer | output:SAVVI Project Structure | ||
Project Team and Expert Input | List the members of the team and stakeholders Emphasising diversity and access to skills and expertise. | output:SAVVI Project Structure | [6]-diverse, multidisciplinary teams with wide ranging skill sets contributes to the success of any data or tech project. |
This Information Governance Framework is a part of the ‘SAVVI Process’, and covers
topic | requirement | input/output | references |
Define the purpose of the Vulnerability Initiative | @LeadOrganisation Define the purpose of the vulnerability initiative. Search the SAVVI Catalogue to see if an existing definition can be used. | Input: SAVVI Catalogue output: SAVVI Vulnerability Purpose | [3]-step2 [3]-step6 [3]-step7 [6]-a clear articulation of its purpose. |
Demonstrate that the @LeadOrganisation has a duty to address the vulnerability. | output: SAVVI Vulnerability Purpose | ||
Rationale | Document the local context, consequences and objectives for the Vulnerability | output:SAVVI Data Ethics Assessment | [6]-clarity on what public benefit the project is trying to achieve and what are the needs of the people who will be using the service or will be most directly affected by it. |
Document the Benefits and Risks of sharing the data | output:SAVVI Data Ethics Assessment | [3]-step5 | |
Risk Stratification Policy | Search the SAVVI Catalogue for the selected vulnerability to find Risk Models that could be used as the basis for the selected Vulnerability. | Input: SAVVI Catalogue | |
Document the @VulnerabilityAttributes data that will be used in the Risk Model. Document the rules that will be applied to determine a @RiskCategory. | output:SAVVI Risk Stratification Policy | ||
Document the evidence that the selected Risk Model is successful in identifying people at risk | output:SAVVI Risk Stratification Policy | ||
Statement that data has been minimised. | output:SAVVI Risk Stratification Policy | [3]-step12 | |
Ethics | Assess the Ethics of the proposed data shares for
| output:SAVVI Data Ethics Assessment output:Equality Impact Assessment | [5] The ethical issues around the use of data are factored into the decision-making process and any new data analysis techniques are assessed against the Data Ethics Framework. [6] Record your answers to create a data ethics assessment. |
In particular
| Input: User Research, Public Consultation output:SAVVI Data Ethics Assessment | [6]-Determining proportionality | |
Adopt | @LeadOrganisation An accountable governance group signs off the risk stratification policy. | Input : SAVVI Vulnerability Purpose Input: SAVVI Risk Stratification Policy Input SAVVI Ethics Assessment | [6]-effective governance and oversight mechanisms [6]-to eliminate your project’s potential to have unintended discriminatory effects on individuals and social groups. |
Publish | Publish the Vulnerability Initiative. Promotion such as press releases. Consider Feedback. | Input: SAVVI Vulnerability Purpose Input: SAVVI Risk Stratification Policy Input: SAVVI Ethics Assessment | [6]-made open to inspection by publishing information about the project in a complete, open, understandable, easily-accessible, and free format. [6]-Share your models |
For each @Vulnerability Attribute
topic | requirement | input/output | references |
SAVVI Catalogue | Consult the SAVVI Catalogue to see if there is a proposition for the @VulnerabilityAttribute to be shared for this @Purpose, to find
Use the ‘Proposition’ as the starting point for an opinion from the @LeadOrganisation. | input:SAVVI Catalogue | |
Lawful Basis | Select and justify one or more Lawful Basis Provision. The ICO provide a Lawful basis interactive guidance tool One or more of (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (d) Vital interests: the processing is necessary to protect someone’s life. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party | output:SAVVI Lawful basis | [1]-Lawful Basis |
Special Category Data or Criminal Offence Data | Determine if the @VulnerabiltyAttribute is
| output: SAVVI Lawful basis | [3]-step21 [2]-Lawful Basis for Processing |
If ‘special category data’ | find an Article 9 ‘condition for processing’ one-off
| output: SAVVI Lawful basis | [3]-step22 |
Check for further conditions required by the Article 9 condition | output: SAVVI Lawful basis | ||
If Criminal Offence Data | Check for further conditions required | output: SAVVI Lawful basis | |
Organisation Type | Consider if the source Organisation Type is
| output: SAVVI Lawful basis | [1]-Lawfulness |
Legal Gateway | If the Source Organisation Type is ‘public’ ... Propose a Legal Gateway to share this @VulnerabilityAttribute for this @Purpose. | output: SAVVI Lawful basis | [3]-step14 [1]-Lawfulness |
Peer Group Review | If the selected legal gateway is not present on the SAVVI Catalogue for the @Purpose, ask for a review by the SAVVI IG QA group. | Input: SAVVI Lawful basis output: SAVVI IG QA Group review output: update to SAVVI Catalogue | |
escalate | If a Legal Gateway cannot be found, make a proposal via the Digital Economy Act. | [1]-Data sharing across the public sector: the Digital Economy Act codes | |
Adopt | @Lead Organisation If a Legal Gateway has been found - an accountable governance group signs off the lawful proposition, having sought internal legal opinion. | output: SAVVI Lawful basis | |
Abort | If a Legal Gateway cannot be adopted, abort the intention to share the @Vulnerability Attribute for the @Purpose. Return to defining the Risk Stratification Policy, so that the @VulnerabiltyAttribute is removed. | [3]-step25 |
For each @Vulnerability Attribute
topic | requirement | input/output | references |
Identify Source Organisations | Consult the SAVVI Catalogue to see which ‘organisation types’ are typically controllers for a dataset that contains the selected @VulnerabiltyAttribute | input:SAVVI Catalogue | |
List the actual @SourceOrganisations that may be controllers for a dataset that contains the selected @VulnerabiltyAttribute | |||
Lookup an organisation’s published information about the datasets that it holds. | Input: Information Asset Register Input: Register of Processing Activities | ||
Check that a @SourceOrganisation is a legal entity. Cannot share person identifiable data with organisations that are not legal entities. | ??? | [3]-step3 | |
Consider if the source organisation is
| [1]-Lawfulness | ||
Define the Dataset | Consult the SAVVI Catalogue to see if a named Organisation has already listed the @VulnerabilityAttribute as shareable for the Vulnerability Purpose.
| Input: SAVVI Catalogue | |
Contact the @SourceOrganisation to ask about the availability and quality of data | [3]-step11 [6]-You must ensure that the data for the project is accurate, representative, proportionally used, of good quality, and that you are able to explain its limitations. [6]- Are all metadata and field names clearly understood? | ||
Propose lawful data sharing in principle | Contact the @SourceOrganisation to establish agreement to the Lawful basis for data sharing. | Input: SAVVI Lawful basis | [6]-Are individuals or organisations providing the data aware of how it will be used? |
Abort | If the @SourceOrganisation does not agree that the proposed data share is Lawful - abort the intention to share the @VulnerabilityAttribute from the @SourceOrganisaitonfor the @Purpose. Return to defining the Risk Stratification Policy, so that the @VulnerabiltyAttribute is removed. |
topic | requirement | input/output | references |
Establish the role of each Organisation in the data share. | Define as
| [3]-step4 | |
Privacy Statement | @SourceOrganisation and @LeadOrganisation prepare a joint Privacy Statement | output:SAVVI Privacy Statement | [3]-step18 [2] - ICO guidance on Privacy Notices |
Agree a communication plan to publicise the data sharing. | output:SAVVI Comms Plan | [3]-step19 | |
Opt-Out | ?? | [3]-step20 | |
DPIA | Complete an initial Data Protection Impact Assessment Check the SAVVI Catalogue to find DPIAs that other organisations have used when sharing this data for this purpose. | input :savvi catalogue output:dpia | [2]-Data protection impact assessments |
Consider Security risks and mitigations | output:dpia | ||
Adopt the initial DPIA | output:dpia | ||
Make necessary arrangements to mitigate risks | |||
Complete and adopt final DPIA | output:dpia | ||
Data Sharing Agreement | Create a Data Sharing Agreement | inputs Output:data sharing agreement | |
Appropriate Policy Document | If processing ‘Special Category Data’ , or Criminal Office Data. | output: SAVVI Appropriate Policy Document |
Adopt a Data sharing agreement / memorandum of understanding | @Lead Organisation @Source Organisation Publish | output:data sharing agreement | [3]-step31 |
Update SAVVI Catalogue | Add a Data Sharing Agreement to the SAVVI Catalogue. | output:SAVVI Catalogue | |
RoPA | @LeadOrganisation add an entry to the Record of Processing Activities. | output:RoPA |
topic | requirement | input/output | references |
Right to be informed | the right to be informed about how and why their data is used - and you must give them privacy information | input:SAVVI Privacy Statement | [2] - Right to be Informed. |
the right to access personal data held about them (the right of subject access); | output : Response to a Subject Access Request | [2] - Right of Access | |
Right to rectification erasure, restriction. | the rights to have their data rectified, erased or to have processing restricted; | Input: Response to Subject Access Request | [2] - Right to Rectification [2] - Right to Erasure |
Right to Object: | the right to object; To be removed from current and future vulnerability initiatives. | input:SAVVI Privacy Statement | [2] - Right to Object |
Right to Data Portability | ??? | ||
Automated Decision Making | the right not to be subject to a decision based solely on automated processing. | [2] - Rights related to automated decision making including profiling | |
Handling Complaints | Publish data sharing so that ... Individual data subjects may have queries or complaints about the sharing of their personal data, particularly if they think the data is wrong or that the sharing is having an adverse effect on them. | Output: Complaint Handling Procedures | |
If an existing legal gateway cannot be found, it may be possible to use the data sharing powers in the Digital Economy Act 2017.
The Digital Economy Act 2017 - Code of Practice says ...
The Digital Economy Act 2017 creates a mechanism for establishing clear and robust legal gateways which will enable public authorities to share relevant information on the individuals and families they are working with in compliance with the data protection legislation. The primary purpose of this power is to support the well-being of individuals and households. |
The ‘public service delivery power’ gives you the ability to gain access to the data you need to respond more efficiently and effectively to current and emerging social and economic problems. |
Normally, information disclosed under these powers can only be used for the purposes for which it was disclosed. However there are very limited instances where information can be used by a public authority for another purpose. These circumstances vary between the powers but include:
|
Health and adult social care bodies are not included in the list of specified persons permitted to use the new powers in England or for UK-wide activities.
Objectives are listed at https://registers.culture.gov.uk
When the Act was published, it contained a number of ‘Objectives’, including
That is “identifying individuals or households who face multiple disadvantages and enabling the improvement or targeting of public services to such individuals or households and providing for the monitoring and evaluation of programmes and initiatives”
Since the Act was published, further ‘Objectives’ have been added
topic | requirement | input/output | references |
Check the Register | Information Sharing Agreements are listed at the Register of Information sharing agreements under chapters 1, 2, 3 and 4 of part 5 of the Digital Economy Act 2017 See the ‘Information Sharing Agreements’ tab. If a suitable one is found, it can be used as the basis of a proposal for the same purpose/’disclosed information’ with new controllers. | input:DEA Register of Data Shares. output:SAVVI Proposition for a New Data Share under the DEA. |
topic | requirement | input/output | references |
Check for an existing ‘Objective’ | [5] says “If your organisation has identified that the sharing of personal data is necessary to achieving a social or economic policy you should check whether the policy aims fall within one of the existing objectives set out in regulations.” The existing Objective that may be relevant to Vulnerability is ‘Public service delivery - Assisting individuals or households who face multiple disadvantages’ Check if the Purpose for the Vulnerability Initiative is in scope of ‘multiple disadvantages’. that is “identifying individuals or households who face multiple disadvantages and enabling the improvement or targeting of public services to such individuals or households and providing for the monitoring and evaluation of programmes and initiatives” | Output: SAVVI opinion on how ‘multiple-disadvantages’ fits with vulnerability. | |
If there is no existing suitable objective | [5] says “If it doesn’t you should consider whether your purpose for information sharing falls within the criteria in section 35 and should be added as a new objective via regulations (see section 2.3).” | ||
If there is a suitable ‘Objective’ - make a proposal | Make an assessment as to why the proposed datashare fits with the Objective. Check that the parties to the Datashare are listed in Schedule 4 Identify the policy objective and the data needed to support it. Assess the Ethics of the Data Share Data Protection Impact Assessment Business Case Security Plan | Input: [5]-Schedule 4 input:SAVVI output:SAVVI Proposition for a New Data Share under the DEA. | |
Add to the Register | You should notify the secretariat for the Public Service Delivery review board in the Department for Digital, Culture, Media and Sport (DCMS) of your information sharing arrangement, to be maintained in a searchable electronic register available to the general public. | ||
Draw up an appropriate data sharing agreement | Having established that there is a lawful basis to share data, draw up an appropriate data sharing agreement with the @SourceOrganisation. |
The Digital Economy Act Code of Practice sets out a number of requirements on parties to data sharing. Here we have picked out some that are particularly relevant to SAVVI. All requirements of the code will need to be complied with.
topic | requirement | input/output | references |
Statements | A statement that due regard has been had to the Code should be included in any information sharing agreement produced for such sharing. | ||
DPIA | A Data Protection Impact Assessment will be conducted for all data sharing under the code. | ||
Transparency | Data sharing under the code will be published | ||
It is important that citizens can understand what data is being shared, the specific purposes for which it is being shared, which bodies are disclosing and receiving that data, the potential benefits to be derived from the data sharing, and where appropriate how long that data will be held for. Furthermore, under the data protection legislation, controllers are required to keep records of their data processing activities. | |||
Minimisation | You must only share the minimum data required to fulfil the stated purpose for sharing. | ||
Agreements | Information sharing agreements must include details of retention and destruction policies that prevent the retention or use of data for longer than it is needed or its use for any purposes other than those for which it was disclosed/received (subject to limited exceptions provided for in law). | ||
You should put procedures in place to ensure that data no longer required is destroyed promptly and securely and rendered irrecoverable. The same will apply to data derived or produced from the original data, (subject to the specific rules on data processed for research purposes). You should refer to the ICO guidance on Deleting Personal Data. | |||
Quality | You should check the accuracy of data prior to sharing | ||
Organisations involved in an information sharing arrangement should also agree procedures and processes for:
| |||
Security | You will need to agree a security plan as part of any formal information sharing agreement with public authorities and third parties who are party to the data share. Security plans should include:
| output:SAVVI Security Plan | |
Non-public authorities can only participate in an information sharing arrangement once their sponsoring public authority has assessed their systems and procedures to be appropriate for secure data handling. | |||
Conflict of Interest | Where an information sharing arrangement proposes that information be disclosed to or received from a body which is not a public authority,[footnote 9] the body should be asked to declare all potential conflicts of interest (see Annex A), for example from other work it does for public authorities or its own commercial interests. An assessment should be made of any conflicts of interest that the non-public authority may have, to identify whether there are any legal or reputational risks involved in sharing data with the organisation. | output:SAVVI Proposition for a New Data Share under the DEA. | |
it is possible to create a new ‘objective’ via regulations. To propose a new ‘objective’, you need to determine what types of data are required, which bodies hold the data and how the ability to share personal data will support the achievement of your policy objectives.
The DEA Code of Practice gives examples of potential new ‘Objectives’
Consider if the purpose of the datashare is relevant the Digital Economy Act | All objectives must meet all of the following conditions which are set out in section 35 of the Digital Economy Act 2017:
| ||
Abort | If not relevant - abort the intention to share the @VulnerabilityAttribute from the @SourceOrganisaitonfor the @Purpose. | ||
Propose to DEA Review Board | All proposals for ‘objectives’ must be submitted to the review board. The review board will be supported by a secretariat based in the Government Digital Service and will sit on a quarterly basis. |
Each document generated from these templates should have a cover sheet that includes
Version | ||
Date | ||
Adopted by | An accountable governance group in an organisation | |
Adopted date | ||
Contact Info |
@Lead Organisation | ||
Vulnerability | A description of a vulnerability that could apply to a person or household. At this stage, this should not include a local context or prioritisation, so that the definition can be shared and re-used. | |
Duty | References to acts and regulations that give rise to a relevant duty. Preferably, references to a URL from legislation.gov.uk |
@Source Organisation | {defined by @Lead Organisation} | |
@Vulnerability Attribute | {defined by @Lead Organisation} | |
Dataset | Which dataset(s) is the @VulnerabilityAttribute contained in? {could be pre-filled from the SAVVI Catalogue} | ?? |
Purpose that it is held? | {could be pre-filled from the SAVVI Catalogue} | |
Supplier / System | Is the dataset contained in a system? Supplier / System name | |
Can data be extracted? | Formats? Can data be extracted to the SAVVI Logical Model? | |
Identifiers | What References use use to identify
| |
Data Quality | {List of data quality dimensions} - statement for each. | [4] |
Incorporate relevant parts of [1] the ICO data sharing checklist
Proposed by | @Lead Organisation | |
Vulnerability | {as defined in the Risk Stratification Policy} | |
Data Attribute | {defined by @Lead Organisation} | |
GDPR Article 6 Provision(s) | Check boxes for any of (a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. | [1]-Lawfulness |
Special Category Data | Is the data?
This document should then cover information required for ‘Appropriate Policy Document’ See [2] What are the conditions for processing and Data Protection Act 2018 - Schedule 1 for Schedule 1 Conditions | Data Protection Act 2018 - Schedule 1 |
GDPR Article 9 Provision(s) | Checkboxes for (a) Explicit consent (b) Employment, social security and social protection (if authorised by law) (c) Vital interests (d) Not-for-profit bodies (e) Made public by the data subject (f) Legal claims or judicial acts (g) Reasons of substantial public interest (with a basis in law) (h) Health or social care (with a basis in law) (i) Public health (with a basis in law) (j) Archiving, research and statistics (with a basis in law) | [2] Rules for Special Category Data |
Legal Gateway(s) | Referring to legislation.gov.uk | |
Rationale | A narrative to explain why the proposition is Lawful. | |
Legal Opinion | The legal opinion from a representative of the @LeadOrganisation | |
Compliance with the Human Rights Act | Statement form the @LeadOrganisation Particularly to Article 8 of the Convention, which gives everyone the right to respect for their private and family life, home and correspondence, is especially relevant to sharing personal data. |
Incorporate relevant parts of [1] the ICO Data sharing request form template
Proposed by | @Lead Organisation | |
Vulnerability | {as defined in the Risk Stratification Policy} | |
Data Attribute | {defined by @Lead Organisation} | |
GDPR Article 6 / Article 9 Provision(s) | ||
Legal Gateway(s) | Referring to legislation.gov.uk | |
Rationale | A narrative to explain why the proposition is Lawful. | |
Legal Opinion | The legal opinion from a representative of the @LeadOrganisation |
The Digital Economy Act Code of Practice says
you must develop and agree a business case with the other bodies participating in the data share. A single business case will need to be developed for each information sharing arrangement. An information sharing arrangement could cover multiple transactions, and may cover the exploration of the benefit of sharing a single data asset, through to the trialling of a complete business process (for example under the debt and fraud powers).
Business Case | An outline of the information share. This should include:
Persons included in the information share. This should include:
How the benefits of the information share will be measured. This should include: + the potential benefits the information share could bring; + the success criteria for the data share and the methodology you will use to measure success. A statement of adherence to the Code of Practice:
|
The SAVVI Catalogue is currently draft at http://52.56.166.229/html/datalicence
The SAVVI Catalogue will contain Information Governance scenarios that have been established with the SAVVI programme or contributed by organisations who have used the SAVVI Process.
This information can be a starting point when considering what data to use to find vulnerable people. However, organisations will need to take their own legal advice when deciding if data sharing is lawful.
The Catalogue will contain