Data Protection Impact Assessment
Public summary, structured to the NHS England DPIA template. The full signed DPIA is held by the Trust Information Governance team.
Step 1 — Identify the need for a DPIA
Stevyn processes special-category health data (Article 9) of stroke inpatients and identifiable staff data. A DPIA is required under UK GDPR Article 35 because processing is large-scale, involves vulnerable data subjects (acute inpatients), and supports clinical decision-making and statutory audit (SSNAP). Screening completed by the Trust IG team confirmed full DPIA required.
Step 2 — Describe the processing
- Direct clinical care planning on the stroke unit.
- SSNAP submission (anonymised export).
- Service governance, workforce planning, 72-hour assessment compliance.
- Identifiers (Admin role only): name, hospital number, NHS number.
- Clinical (all clinical roles): pseudonymised label, ward, dates, therapy minutes by domain, assessment scores, discharge destination.
- Staff: work email, display name, role, sign-in / access audit timestamps.
Step 3 — Consultation process
Consultation completed with: clinical lead for stroke, therapy team leads (PT/OT/SLT), Trust DPO, Caldicott Guardian, IG manager, and cyber-security team. Patient/public consultation deferred to the Trust Patient Experience group prior to wider roll-out. No external processors are sub-contracted.
Step 4 — Necessity and proportionality
Step 5 — Identify and assess risks
| Risk | Likelihood | Impact | Score |
|---|---|---|---|
| Unauthorised access from a shared / unattended NHS laptop | Medium | High | Amber |
| Over-collection of patient identifiers by clinical roles | Low | High | Amber |
| Privilege escalation (clinician → admin) | Low | High | Amber |
| Account compromise via weak or reused password | Medium | High | Amber |
| Audit gaps — inability to evidence who saw what | Low | Medium | Green |
| Accidental disclosure via SSNAP export | Low | High | Amber |
| Loss of availability during clinical use | Low | Medium | Green |
Step 6 — Identify measures to reduce risk
- 15-minute idle session lock + re-authentication on every clinical write.
- Identifiers visible to Admin role only; clinicians see pseudonymised label.
- Role-based access enforced server-side via Postgres row-level security on every table.
- Full audit log of identifier reads and clinical writes, retained for 8 years, exportable for IG.
- Have-I-Been-Pwned check enforced at sign-up and password change; min 12-char password.
- TOTP multi-factor authentication available; prompt admins and team leads to enrol.
- SSNAP export pipeline strips NHS no., hospital no., name before file generation.
- TLS 1.2+ in transit; AES-256 at rest; UK-only data residency.
- HTTP security headers (HSTS, CSP, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) on every response.
- Trust-managed device estate; no BYOD; no offline export to USB.
Step 7 — Sign-off and record outcomes
This public summary is for transparency. The authoritative DPIA is the signed Word document held by the Trust Information Governance team. Last reviewed November 2025. Next review November 2026.