|
answer text |
<p>Under the General Data Protection Regulations 2016, data controllers are under
a legal obligation to complete Data Protection Impact Assessments (DPIAs) particularly
where it involves high risk processing. All National Health Service organisations
processing patient data as data controllers are therefore required to complete DPIAs
and where necessary, to consult with key stakeholders to ensure risks to privacy are
identified and mitigated as far as possible.</p><p>A DPIA for the NHS COVID-19 Data
Store has been completed and is published on the NHS England website. The data held
in the Data Store has gone through a process of pseudonymisation. Identifiable data
is not held or made available to users and nor are they permitted to remove the data
from the controlled area.</p>
|
|