Data Protection Impact Assessment
The following information is taken from our Data Protection Impact Assessment (DPIA) on our Remote Consultation tool in relation to the Remote Consultation Assessment (RCA). We have adapted it for use by practices to include in their own DPIA.
Please note we have removed some of the detail from our own DPIA that was commercially sensitive and also to keep the information below relevant to practices.
Feel free to copy and adapt as much of this information as you like.
Describe the nature of the processing
The processing involves the recording of consultations between a GP Trainee and a patient. The recordings may take the form of a remote video consultation, a recording of a face-to-face consultation, or an audio recording of a telephone consultation. Recordings will primarily be made through the FourteenFish platform, with the option for trainees to record using their own device and to then upload the video to the FourteenFish platform.
The recorded consultation video and audio streams are transmitted over TLS 1.2 which prevents them from being intercepted. If the patient has consented to recording, then the video and audio data is recording to disk as the consultation is happening. Because the consent process happens before recording begins, if the patient does not consent to recording then nothing is recorded. Recordings are stored on the FourteenFish servers in London (hosted by Amazon Web Services) using AES-256 encryption which is once of the strongest mechanisms available. At no time does any data leave the EU / UK.
Prior to the start of the consultation the trainee will be required to complete a two-factor authentication process to access the consultation area of the site. This process will require the trainee to enter a telephone number, and to then enter a 6 digit code that is sent via SMS.
The consultation cannot begin until the patient has viewed a consent page, which will clearly explain the purpose and nature of the recording, and the need for the patient’s consent.
The consultation is initiated by the GP Trainee. They enter a patient’s telephone number into the system and this will generate an SMS invite to the patient, informing them that they can now begin their consultation by clicking a link in the SMS message. At the end of the consultation the patient will receive a further prompt with the option to remove their consent if they no longer feel comfortable giving it.
The source of the data is the content of the consultation between GP trainee and patients, who represent the data subjects, and may include detailed discussions of current and historical medical conditions, references to patient notes and previous consultations, physical examinations, and other confidential information that may be disclosed in the course of a medical consultation. This data is therefore of a highly sensitive and personal nature, with a potentially severe impact on the data subject’s rights and freedoms in the event of a breach.
To view any recorded consulations, the trainee will be required to complete the two-factor authentication process which gives them access to view their consultations for 30 minutes.
The recorded content will retained on the trainee’s FourteenFish user account until they submit selected recordings for review by the RCGP examination team. At the point of submission the recorded content will become inaccessible to the trainee. At no point are the recorded files available for download – they can only be viewed through the platform following a log in using two-factor authentication.
RCGP Examiners will then be granted access to review the consultations for the purposes of grading the trainee’s performance. The consultations can only be reviewed through the platform, and users must again be logged in using two-factor authentication. There is no facility for Examiners to download the recorded consultations.
Each consultation may be reviewed by two examiners, and the access rights to the content will be limited so that only specifically allocated examiners can access the files, and the files will only be accessible during specifically determined time periods agreed with the RCGP. When an examiner attempts to access a recorded consultation, the system will check several criteria before allowing access; they must be registered as an examiner on the system, they must be logged in using two-factor authentication, and they must have had the specific file in question allocated to them to review. Furthermore, examiners are required to submit their availability for assessing the consultations, and will only be permitted access during these designated periods of time. Outside of their specific time slot the examiner will not be able to access any recorded files, even if they have had them allocated.
Once the examiner review is complete and marking validated the files will then be permanently deleted from the FourteenFish servers.
The files will be secured with multiple levels of access controls to prevent unauthorised access – this includes preventing access by FourteenFish staff. In the normal course of providing support to users, FourteenFish staff can access user accounts in order to resolve queries, including the facility to “impersonate” a user on the system. The area used for recording and storing recorded consultations is not accessible to FourteenFish staff in this way due to the two-factor authentication process. Files are encrypted at rest using AES-256, meaning a 256 bit encryption key is required to access the files, and this key is controlled by FourteenFish. The files are also encrypted during transit, using TLS 1.2, which is the strongest commonly available HTTPS protocol.
At no point does the trainee have the recording saved on their own device, or a device in the practice. Recordings are always protected using a login (email and password) plus two-factor authentication (SMS to the trainee's mobile phone). Recordings always remain on FourteenFish.
If the patient consents to recording, FourteenFish temporarily stores the patient's phone number so that a follow-up message describing how the recording will be used can be sent to them.
Once they have been sent the follow-up message, FourteenFish immediately run their phone number through a one-way encryption process called a cryptographic hash. This is a secure process whereby the phone number gets encrypted in a way that is not reversible, meaning that even FourteenFish or the trainee can't get the phone number back even if we wanted to.
However, this hashing process still allows any requests by patients under GDPR legislation to be fulfilled, because if the patient were to tell FourteenFish their phone number then they can run it through the same one-way encryption process and see if we have any consultations that match the encrypted phone number. When the consultation recording is deleted, the hash of the phone number is also deleted.
If the patient does not consent to recording then their phone number, then FourteenFish also immediately delete their number from our system since they don't need to send them a follow-up message, and there would not be a recording made of the call.
Describe the scope of the processing
FourteenFish will retain this data for the absolute minimum amount of time necessary for the completion of the assessment process before permanently deleting the data. This is estimated to be around two months to allow for the completion of the examination and review process.
Any consultations that are not submitted for assessment in the RCA will be deleted after 6 months automatically.
Describe the context of the processing
GP trainees will have access to the recorded data up until the point of submission, when the data is made available to at least two examiners to review and mark. At this point the trainee can no longer access the data, and it is only available to specific examiners during specific time periods (designated by the data controller). Patients attending the consultations will constitute the data subjects for this processing, and will be asked to give consent at the start of the consultation prior to the commencement of recording. Patients will also be given a clear option to remove their consent at the end of the consultation which will result in the immediate deletion of the data relating to that consultation. Subsequent requests to remove consent will be processed by the data controller.
FourteenFish hold ISO 27001 certification, which is audited annually. This certification requires FourteenFish to maintain the highest standards In terms of data protection and security, and as such we have a robust range of processes and policies designed to minimise or full mitigate the risk of data breaches.
Describe the purposes of the processing
The goal of the project is to provide a secure, easy to use platform for trainees to record and submit their patient consultations for the purposes of the RCA Examination. The requirement for a remote consultation platform has arisen from the limitations on both face-to-face patient contact, and the restrictions on holding on-site examination days, during the Covid-19 pandemic.
The benefits of this system for patients will be an easy to access consultation with a doctor they may not have otherwise been able to visit during the lockdown restrictions. The benefits for trainees are that they can practice their clinical and consultation skills prior to the submission of their recorded consultations, allowing them to improve their practice and pass their professional exams. At no point does the trainee have the recording saved on their own device, and recordings are always protected using a login (email and password) plus two-factor authentication (SMS to the trainee's mobile phone). The broader benefits would include the facility to provide a remote consultation platform for qualified GPs and other healthcare professionals to use in their daily practice.