← Back

Data Protection Impact Assessment

Public summary, structured to the NHS England DPIA template. The full signed DPIA is held by the Trust Information Governance team.

Project
Stevyn — stroke inpatient therapy activity capture
Controller
United Lincolnshire Hospitals NHS Trust
Processor
Lovable Cloud (UK region)
DPO contact
dpo@ulh.nhs.uk
Status
Draft for IG review — pilot
Last reviewed
November 2025
Next review
November 2026

Step 1Identify the need for a DPIA

Stevyn processes special-category health data (Article 9) of stroke inpatients and identifiable staff data. A DPIA is required under UK GDPR Article 35 because processing is large-scale, involves vulnerable data subjects (acute inpatients), and supports clinical decision-making and statutory audit (SSNAP). Screening completed by the Trust IG team confirmed full DPIA required.

Step 2Describe the processing

Nature
Therapy staff log clinical sessions (minutes by domain), assessments, and discharge data on Trust-managed devices on the stroke unit. Data is stored in a UK-region managed Postgres database with row-level security.
Scope
Pilot scope: one stroke unit, approx. 30 inpatients at a time, approx. 20 therapy staff users. Up to 8 years' retention per NHS Records Management Code of Practice.
Context
Replaces paper tally-sheets and a shared spreadsheet. Users are NHS therapy staff; data subjects are stroke inpatients (often unable to consent contemporaneously).
Purposes
  • Direct clinical care planning on the stroke unit.
  • SSNAP submission (anonymised export).
  • Service governance, workforce planning, 72-hour assessment compliance.
Data categories
  • Identifiers (Admin role only): name, hospital number, NHS number.
  • Clinical (all clinical roles): pseudonymised label, ward, dates, therapy minutes by domain, assessment scores, discharge destination.
  • Staff: work email, display name, role, sign-in / access audit timestamps.

Step 3Consultation process

Consultation completed with: clinical lead for stroke, therapy team leads (PT/OT/SLT), Trust DPO, Caldicott Guardian, IG manager, and cyber-security team. Patient/public consultation deferred to the Trust Patient Experience group prior to wider roll-out. No external processors are sub-contracted.

Step 4Necessity and proportionality

Lawful basis (Art. 6)
Art. 6(1)(e) — public task; Health and Social Care Act 2012; SSNAP statutory audit.
Special-category basis (Art. 9)
Art. 9(2)(h) — provision of health or social care, under the responsibility of a registered health professional.
Common-law duty of confidentiality
Implied consent for direct care; anonymisation for SSNAP and service-improvement use.
Data minimisation
Clinicians work from a pseudonymised label only; full identifiers are visible to the Admin role and gated behind a server-side audit log. No free-text clinical notes are stored.
Individual rights
Subject access, rectification, restriction, and complaint to the ICO are facilitated by the Trust DPO. Erasure is restricted where records form part of the health record.
International transfers
None. All data processed in the UK. No sub-processors outside the UK.

Step 5Identify and assess risks

RiskLikelihoodImpactScore
Unauthorised access from a shared / unattended NHS laptopMediumHighAmber
Over-collection of patient identifiers by clinical rolesLowHighAmber
Privilege escalation (clinician → admin)LowHighAmber
Account compromise via weak or reused passwordMediumHighAmber
Audit gaps — inability to evidence who saw whatLowMediumGreen
Accidental disclosure via SSNAP exportLowHighAmber
Loss of availability during clinical useLowMediumGreen

Step 6Identify measures to reduce risk

  • 15-minute idle session lock + re-authentication on every clinical write.
  • Identifiers visible to Admin role only; clinicians see pseudonymised label.
  • Role-based access enforced server-side via Postgres row-level security on every table.
  • Full audit log of identifier reads and clinical writes, retained for 8 years, exportable for IG.
  • Have-I-Been-Pwned check enforced at sign-up and password change; min 12-char password.
  • TOTP multi-factor authentication available; prompt admins and team leads to enrol.
  • SSNAP export pipeline strips NHS no., hospital no., name before file generation.
  • TLS 1.2+ in transit; AES-256 at rest; UK-only data residency.
  • HTTP security headers (HSTS, CSP, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) on every response.
  • Trust-managed device estate; no BYOD; no offline export to USB.

Step 7Sign-off and record outcomes

Residual risk
Low. Reviewed annually or on material change to processing.
Measures approved by
Trust DPO (pending signature)
Residual risk accepted by
Caldicott Guardian (pending signature)
DPO advice provided
Yes — see signed DPIA document held by IG.
DPO advice accepted
Yes
Consultation responses reviewed
Yes

This public summary is for transparency. The authoritative DPIA is the signed Word document held by the Trust Information Governance team. Last reviewed November 2025. Next review November 2026.