ESR and the new General Data Protection Regulation
For some months, the NHS and IBM ESR team has been assessing the impact of the new General Data Protection Regulation (GDPR) legislation that will apply from 25th May 2018.
The new regulation places additional or enhanced requirements on Controllers (NHS User Organisations) and the Processors that support and provide the ESR system.
The ESR GDPR Project Team is working towards the ESR service being provided in line with the regulation by the time it comes into effect.
Changes to the ESR service to support User Organisations in delivering their GDPR obligations.
We have received a number of requests from Employing Organisations asking for confirmation that ESR will be GDPR compliant by the 25th May. Further to the GDPR impact assessment undertaken, we are progressing a number of specific requirements to meet the new regulations, so as to support User Organisations to be GDPR compliant when using ESR:
Subject Access Request
The ESR team is developing a new report that will provide details of all the personal data ESR holds on an individual. This will help User Organisations to respond when individuals request a copy of their personal data.
The list of Personal Data items held by ESR and therefore candidates for inclusion on the report is still under review, but it is already clear the number of items is extensive. Once the list is agreed, it will be shared with User Organisations.
As the report could contain sensitive data from across all the ESR functional areas including HR, Payroll, Learning and Occupational Health, the intention is to make the report available on a new User Responsibility Profile (URP). This will ensure the ability to run the report can be limited to selected individuals at the User Organisation that have the necessary training and clearance to be able to view the data the report contains.
Some fields, such as contacts, appraisals and referees, may contain personal data items for another person. It is therefore expected the Responsible Officer at the User Organisation will need to validate the content and where necessary redact certain items before issuing it to the individual.
The details of the structure and format of the report are still being considered, but the current plan is to make it available in Excel or PDF format to meet the GDPR requirement for the report to be “in a commonly used electronic form”.
Data Portability Request
In addition to the Subject Access Report, a further report is being developed to extract the personal information items that the individual themselves would have originally supplied to the User Organisation.
This will be a subset of the data items to be provided in the Subject Access Report. The final list of items to be included in this report is still under review, but once agreed will be shared with User Organisations. The new Data Portability Report will be made available via the new URP.
To comply with GDPR, the data from the report is currently planned to be made available in a file that is in the industry standard “.csv” format – (Comma Separated Variable).
Fair Processing Notices
The regulation requires Controllers to provide individuals with both the purpose for which data is held / being processed as well as details of other recipients with whom that personal data is shared. As users of the ESR System, NHS User Organisations will be required to comply with this article of the regulation and provide individuals with this information before it is entered onto ESR. From 2018 and on an annual basis thereafter, the NHS ESR team will write to all User Organisations to reiterate the additional fair processing obligations placed upon them by GDPR.
To support User Organisations in meeting those obligations and in communicating with their ESR users, the ESR Terms and Conditions available via the url https://my.esr.nhs.uk link from the ESR logon page will be updated to add clarity on the systems ESR integrates with and why, e.g. HM Revenue and Customs - for the purpose of sharing deductions from Payroll for Income Tax and National Insurance and Tax Code updates.
If you have any questions about anything you have read in this article please contact the NHS ESR Central Team via esr.communications@nhs.net