Need for a DPIA:
“Genius” is the software that has been written and developed by Intelligent OH Ltd in conjunction with Worxinfo Ltd (Developer). Genius will process health information of employees and workers of employers within the UK. The health information will be accessed by Occupational Health advisors where they have been referred and given permission by the individual. The health information will not be accessed by any other individual but a report providing workplace adjustments will be created by Genius using automated decision-making and sent to the referring advisor. Therefore, health information is being processed by Genius under the control of Intelligent OH Ltd. A DPIA is required because it is a legal requirement for any type of processing that’s likely to result in a high risk to the rights and freedoms of data subjects. Intelligent OH Ltd is processing, via Genius, large amounts of health information of a number of data subjects.
Nature of Processing:
An Advisor will select the appropriate service which will be either:
- Pre-placement health assessment
- Periodic Health Monitoring (such as night worker questionnaires)
- Statutory Health Surveillance (as indicated by the appropriate H&S regulations / risk assessment)
- Self-reporting of new symptoms / new diagnosis of work-related ill-health
- Workplace adjustments assessment where symptoms / diagnosis have been assessed by a Health Professional
- Leaver health status assessment when finishing regulated activities / exposures
- Health risk assessment (such as driving, where fitness standards apply)
All of the above services require health information from the individuals and processing is necessary for the purposes of preventive or occupational health medicine for the assessment of the working capacity of the individual.
The health data will be inputted by the data subject which is then processed automatically via the automated decision-making pathways. The outcome is a report which is sent to an advisor that contains confirmation of fitness for work or recommendations for workplace adjustments or further referral. No health information is included in the report.
Regular auditing will take place to ensure that the report outcomes are appropriate and consistent with Occupational Health knowledge. This auditing will take place by a qualified Occupational Health professional. Genius has been developed in a way that only Lucy Kenyon, Managing Director - Clinical, will have access to the data, and she alone can grant access which will only be in line with legislation. System development does not require the Development team to have access to the raw data. The integrity of the nightly Database Backups is checked and copied onto our dedicated server with a copy on our Developers’ server to ensure live data is protected.
Where the data subject is required to have a follow-up or further referral, this will only be with their permission and express permission will be requested to share their data with the assigned Occupational Health professional.
The GENIUS system is hosted at a UK-based professional data centre. Only the Developers have access to the Server Administrator password. All data is stored in a SQL database and only the Developers have access to the Database password. Users have no direct access to the database as they interact via a web page that connects to a Java application. The web page passes button clicks and queries to the Java application, which interrogates the database and performs all business rules and calculations on the Server before returning a new web page. The data never leaves the database on the Server.
The data will be deleted in line with statutory requirements, or where we have received a specific written request from the data subject or in line with our data retention policy. This will also apply to any and all back-ups.
Data Flow process accessed here - Data flow.pdf
The processing identified as likely high risk is transfer of data between professional advisors and Occupational Health practitioners. All other processing remains with employer or Genius/Intelligent OH Ltd.
Scope of Processing
The data is personal health information so would be deemed special category data.
The data collected will be as minimal as possible but sufficient to ascertain the health of the data subject and their ability to carry out their work effectively. The data requested will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
For health surveillance this data will be collected at least annually or at the appropriate interval. Other than health surveillance it will be collected sporadically for reason of an event. Such an event might be starting a new job, leaving a job, conduct concerns, job performance concerns, a medical diagnosis or presentation of symptoms.
The data will be kept in line with our retention policy.
All of the assessment is automated and online – Genius is initially available for use in the UK but the software may be accessed by people who are abroad when they are conducting their assessments.
Context of Processing:
The nature of Intelligent OH / Genius relationship with the employees (data subjects) is transactional and online. The employees (data subjects) have full control over the information that they choose to provide, and the only information that the Advisor will see is a workplace adjustments report. The answers to the questions will not be provided to the advisor or to the employer. We make it clear to the employees (data subjects) how the data will be used and they will see an example report to be assured of the level of information provided to the advisors. Children will not use Genius. Vulnerable workers will use Genius as the system is designed to support vulnerable workers with adaptations or alterations in the workplace.
Genius Users have no direct access to the database which is hosted at a UK based professional data centre. Access to the data itself has to be requested from Lucy Kenyon who is the only person who can authorise access. The Developer has delegated data processing rights as the System Administrator.
Genius is novel in that it is automated decision-making about occupational health outcomes which has not been done successfully before – it is a different way to deliver Occupational Health services.
Purposes of Processing:
Processing health information of employees (data subjects) will enable provision of a workplace adjustments report to improve the working life of individuals and ensure that they stay in employment. The benefits of processing are to empower employers to make changes to the individual's workplace or job duties to enable the individuals to carry out their role more effectively and maintain stable employment.
Consultation Process:
Throughout the process we have sought the views of, and representations from, an Occupational Health specialist, an HR specialist and a technical specialist in terms of software development. We have sought feedback from customers of OH services so that we can ensure service improvements are incorporated into the system. We have beta testers who will be providing feedback and we have also employed an Occupational Health practitioner to audit the system to ensure that outcomes are correct and appropriate in the automated reports.
Compliance and Proportionality Measures:
Our lawful basis for processing is consent.
Processing of the data is the only way that we can achieve the purpose which is production of the workplace adjustment reports – this is an improvement on the current method which is higher risk as it involves manual processing by humans and human error is riskier than software automation.
We ensure data quality and data minimisation by regular auditing by an OH professional and data challenge sessions with every new feature or way of processing in our software development meetings.
The information that we give to individuals is just the workplace adjustments report.
We support data subjects’ rights by only collecting personal data for specified explicit and legitimate purposes and not further processing in a manner that is incompatible with those purposes. Protected characteristics are not reported externally except with consent to assist managers considering workplace adjustments and in anonymized formats to inform strategic planning of health and wellbeing services. They are retained in order to carry out population surveillance to identify health trends and needs and prioritise preventative OH interventions within industries or companies or specific locations.
If the employee (data subject) does not consent, then the Advisor receives a report to pass onto the employer that states that they did not consent. No health information is provided even if the questions were partly completed.
There are three ways that information can be released to the employer and their advisor:
1. With consent from the employee (data subject).
2. Where there is a legal duty to do so, for example an Order from a legal court.
3. Where there is a safeguarding issue (this is highly unlikely with the use of Genius/Intelligent OH unless someone reports something concerning in a free text box within the online questionnaire).
Limited measures are required to ensure processors comply because data entry is automated and the source data (inputted from the individuals) is hidden and not accessible unless expressly authorised by Lucy Kenyon, Data Protection Controller. This authorisation would only be granted where there is a documented data access request and a lawful basis. There are 6 lawful bases for processing: consent, legitimate interest, contract, legal obligation, vital interests, and/or public task. Evidence would be required to support the request before Lucy Kenyon could grant access. In the unlikely event that access would be granted, it would not be free access and would be strictly limited to the specific data required within the request. This would also be done under direct supervision by Lucy Kenyon personally or an appropriately authorised representative.
Personal data must be accurate and kept up to date – use of Genius is driven by self-assessment of the employee (data subject) so accuracy will be high. Where personal data is inaccurate, it will be erased or rectified without delay.
If there is Group consent, the records can be transferred from Occupational Health to another provider to maintain legal record keeping for the provision of records as they must sit with an Occupational Health provider if the Advisor or Employer choose to switch to another provider. The legal basis of processing would be performing the service of a contract. In the absence of group consent, we would archive the records. This also applies with respect to the right to data portability.
Data subjects are able to exercise a right to restrict processing for their data by contacting [email protected] or submitting a contact request on www.intelligentoh.com.
Data subjects have the right to object. There is an opt-in/out option for users to determine if Intelligent OH is able to use information submitted to Genius anonymously to produce statistical information for employers and industries.
Integrity & Confidentiality:
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. All Intelligent OH staff and Developers who work on Genius’ continuous improvement:
- Maintain up to date policies and procedures.
- Attend mandatory data protection awareness training.
- Ensure access to a data subject’s record is audited and available for employees to view so that they can see who and when anybody has viewed their personal information.
- Sign data protection clauses within their respective contracts.
System Access:
Genius is a completely standalone system accessed through a secure portal URL.
Employee identification, employment and contact information will be uploaded manually by an Advisor when they are granted access to their own ‘cases’. They can then add an ‘employer’, an ‘employee’ and a ‘case’. They and every advisor within the same advisory consultancy business will have access to those cases.
The ‘admin’ users are super users who have full control. ‘Admin’ access is only approved for OH professionals within Intelligent OH Ltd to ensure data is protected and seen only by those who need to do so for the purposes of delivering the service.
In conclusion, the access to different levels of information is role-based. The roles are:
Super users – Intelligent OH Ltd OH professionals only
Admin – Has ability to add ‘advisors’ but not see data.
Advisors – Can add ‘employer’, ‘employee’ and ‘case’. Will receive workplace adjustment report and will see identification information as that is required to add a new ‘employee’ to the system. Identification information is Name, email address, DOB and NI number.
Employee – Can enter data and see a summary of their responses and will see a copy of the report prior to consent and receive their copy of the report after consent.
Employers do not have direct access to the system.
Access is tightly controlled to ensure it is only available to the relevant people. Super Users will conduct a user access audit every 6 months.
The standard authentication method for the application is by email address and password. When a user is initially created in Genius, they are sent a link to access their account and reset their password if they don’t want to use the one automatically generated for them.
Nobody except for the software development team has access to the infrastructure of the system. Only OH professionals directly employed by Intelligent OH Ltd have access to the employee health data.
The Genius system allocates a password to each user comprising the first four characters of their surname, padded out with underscores if necessary, plus a random three-digit number. The user then only has to remember the number, so they are less likely to write it down. No more than three login attempts are allowed before Admin are alerted, so there is a very low risk of a colleague guessing the number.
Rights in Relation to Automated Decision Making and Profiling
ICO states “Individuals have the right not to be subject to a decision when it is based on automated processing and produces an adverse legal effect or significantly affects the individual.” Genius asks questions as a clarification pathway to identify the most relevant recommendations according to existing peer-reviewed evidence. This is different to automated decision-making, albeit the process is automated. As individuals have the right to obtain an explanation of a solely automated decision after it has been made, and to offer transparency for all users, the reports will be referenced pointing users to the evidence used to reach the workplace recommendations suggested.
Audit:
Genius displays an audit record of all changes made and data inputted – showing details of what has changed on records and by whom. These are seen by Super Users.
Business Continuity Planning:
Genius is hosted on an Ionos server with an SSL certificate in place.
Ionos has a georedundant infrastructure meaning our data is mirrored in two data centres so hosting is uninterrupted even during maintenance downtime and outages. They use their own server shield technology to prevent DDoS attacks. There are also backups of 6 days allowing us to recover files if anything is deleted or lost.
Should the system not be available, Intelligent OH Ltd would resort to a manual paper process immediately.
Data Reporting
Due to the nature of the data that we are collecting, we will be able to produce anonymised reports on health trends across the UK, spread across different industries, and in larger companies, business specific anonymised trends. Intelligent OH Ltd has legitimate interest in processing this data anonymously to identify health trends/concerns and share with industries so that companies can take preventative and/or protective action as appropriate.
Legitimate Interest Test:
Why do you want to process the data - what are you trying to achieve?
Intelligent OH Ltd has legitimate interest to process this data anonymously to identify work-related symptoms and share anonymised health trends/concerns with industries so that companies can take preventative and/or protective action as appropriate.
Who benefits from the processing? In what way?
Employers and their Employees (including the data subjects) benefit from the health trend information enabling appropriate preventative action to be taken.
Are there any wider public benefits to the processing?
Yes, shared data will provide H&S insights to inform preventative and protective information for employers and workers to take appropriate action.
How important are those benefits?
Highly important for public health protection - this enables workers to remain in jobs for longer and be safer in those roles.
What would the impact be if you couldn't go ahead?
Industry-specific and role-specific health trends would not be monitored, and further preventative action would not be possible.
Would your use of the data be unethical or unlawful in any way?
No. Our data has strict access controls. Technical barriers are in place to prevent unlawful access or unlawful sharing of data. Data is anonymised upon download so individuals cannot be identified.
Necessity Test:
Does this processing actually help to further that interest?
Yes, as without the processing we cannot identify the health trends.
Is it a reasonable way to go about it?
Yes, as it's anonymised and the source data is from people who have health challenges in the workplace, so the quality of the data is good.
Is there another less intrusive way to achieve the same result?
No. It is all designed to not be intrusive. None of the free text answers to questions will be used in the sharing of data - it is purely statistical data that will be shared.
Balancing Test:
What is the nature of your relationship with the individual?
The individual is using Genius to enable a workplace adjustments report or health screening report to be sent to their employer via their professional advisor (H&S, HR, Risk manager).
Is any of the data particularly sensitive?
Yes, the data is special category data as it contains work and health information.
Would people expect you to use their data in this way?
Not necessarily which is why we will make it very clear when they sign up and before they start inputting health data.
Are you happy to explain it to them?
Yes, this will be done before they start inputting their health data as part of the ‘informed consent’ process.
Are some people likely to object or find it intrusive?
It’s unlikely that anyone would object, but they have the option to opt-out from their health data being used for statistical purposes.
What is the possible impact on the individual?
No impact on the individual immediately, but longer term as more data is gathered it could have a positive impact on the industry that they work within because advice will be given to industries and company owners on preventative and protective measures.
How big an impact might it have on them?
Significant if it can prevent development or exacerbation of health issues in future.
Are you processing children's data?
No.
Are any of the individuals vulnerable in any other way?
Yes, for the purposes of being classed as vulnerable workers such as pregnant women, young workers (under age 25), disabled, agency workers, home workers, lone workers, migrant workers, night workers, older workers (over 65), and new mothers.
Can you adopt any safeguards to minimise the impact?
We are purely sharing statistical analysis with recommendations and guidance for employers and industries.
Can you offer an opt-out?
Yes.
Outcome
Having considered the above elements of the legitimate interest test, the necessity test and the balancing test, legitimate interest is an appropriate lawful basis for Intelligent OH Ltd to collect and share anonymised health data.
Risk Assessment - Our risk assessment can be accessed here
Sign Off:
DPIA created by Tracey Hudson, Managing Director - Operations on 05/04/2024
DPIA approved by Lucy Kenyon, Managing Director - Clinical on 05/04/2024
This DPIA will be kept under review by Tracey Hudson, Managing Director - Operations.
