Legal Notices

Review of PIA document for LIN:

Although the PIA was initially made for LIN and Revalidation, TIS will be available over the internet to trainees. They will need to accept Privacy notices, terms and conditions of use on first time login.

The expectation for TIS (formerly to be called LIN) is to have trainees to accept cookie and privacy policy which should be similar to the one on HEE domain.

https://www.hee.nhs.uk/about-us/contact-us/privacy-cookies

Review of PIA document for LIN:

No. LIN (TIS) will not utilise N3. Patient identifiable data is not to be entered onto the system. NHS Digital has validated this approach and LIN (TIS) will follow https:// commercial practice and the GSDM.

Review of PIA document for LIN:

Mainly trainees, Training Programme Directors (TPD), HEE Staff, Education Supervisors, Devolved Administrators. 

(Page 14 of the PIA)

Non-NHS organisations that will have access to TIS (LIN) data include: 

Education Institutions - Higher Education Institutions and Further Education Institutions;Regulatory and curriculum setting bodies;Independent Health Sector Organisations that work with HEE for NHS training. These organisations include, for example, primary care service providers, UKAS accredited independent medical laboratories and independent sector treatment centres; NHS Business Services authority (covering NHS Protect); NHS Litigation Authority; Law enforcement organisations such as UK Police and UK security organisations.

Handling of sentitive data within TIS: The PIA pre-dates TIS. There is now availability of more sensitive data on TIS whilst new components are being developed on TIS, e.g. Ethicity, Equality and Diversity Monitoring information.  

Should this be part of an overall process that involves project board as stated in LIN PIA to ensure all parties are in agreement of the persoanl/sensitive data available on TIS?

Review of PIA document for LIN:

The LIN Project Board will attend to the handling of sensitive data in keeping with its Information Governance Policy Framework throughout the business requirements gathering process and all subsequent stages of the project, including procurement, development and implementation. This includes all aspects of sharing, reuse and
limitation in the size of data mining “cells”.

Trainees will need to see and agree a Privacy and Cookie Policy on first time logging in in order to participate in the HEE's training programmes. (Splash screen).

Privacy policy to have information regarding consent for the processing of personal identifiable or sensitive data. 

Is HEE's Privacy Notice and Cookie Policy sufficient for TIS?

https://www.hee.nhs.uk/about-us/contact-us/privacy-cookies

Implicitly - Privacy Notice on HEE's website including use of any Apps associated with LIN (TIS).

Explicitly? - Re-written for TIS with slight amendments to be available within TIS? 

Should it have a Terms and Conditions of Use either implicitly by logging in or first time consent on user registration or first login?

Terms & Conditions of use to cover the following which are not explicit on HEE website:

• Definitions
• Acceptance of terms
• Use of the TIS solution
• Secure access
• Copyright
• Validity of Information (disclaimer) e.g. https://www.gov.uk/help/terms-conditions

There may not be registration on TIS by trainnes but they will be invited by email to join. 

Implicitly - Privacy Notice on HEE's website including use of any Apps associated with LIN (TIS).

Explicitly? - A re-written Privacy Notice for TIS with slight amendments which the trainnes have to accept on first login an visible all the times thereafter via a hyperlink.

Is a separate cookie policy required to be available as a link on TIS and accessible all times?

• TIS use google analytics which is perhaps not similar cookies used by HEE domain cookie policy.

The expectation for TIS (formerly to be called LIN) is to have trainees to accept cookie policy which should be similar to the one on HEE domain.

https://www.hee.nhs.uk/about-us/contact-us/privacy-cookies

Assumption is trainees will need to accept cookie policy on first visit to the TIS landing page. 

What are the cookies used by Google Analytics on TIS?

Information about the cookie name, Duration and Purpose required.

Consideration for GDPR (May 2018) and therefore seek guidance on Information Governance.

TIS Phase 1 goes live beginning of April 2018.

https://connect.hee.nhs.uk/Interact/Pages/Content/Document.aspx?id=3456

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Retention of data within TIS. - DPA Principle 5

Recommentation (approved on 31 March by TIS Project Board):

HEE should come to a corporate view on the above risk, consulting within DEQ, DPD and with corporate colleagues responsible for information governance. Following this and before taking any action to remove and delete data it would be best to consult more widely as appropriate across all of the UK national NHS training and education authorities and learner stakeholders with a view to alignment andagreement on a consistent policy to underpin equal treatment of data subjects.

HEE Records management policy - 5.6 Retention and disposal – there are consistent and documented retention and disposal procedures to include provision for permanent preservation of archival records

Is this still outstanding?

Should we consider Intrepid and Oriel as a precedence?

• Oriel - Data Archiving Policy.docx

Have the data flows to the following been risk assessed and mitigated?

• Intrepid
• ESR
• GMC/GDC

The GMC, a major Non-NHS recipient of LIN data, has its own compliant data retention regime. All organisations using the system will be required to provide an annual return for the IAO to this effect.

The governance around ESR integration is well documented and rigorous. It is possible that integration with other systems such as e-Portfolios will be considered in due course and, if so, this will be subject to a fresh PIA.

Does Keycloak allows configuration of cookies? If so, can they be aligned with HEE's cookies policy?

https://www.hee.nhs.uk/about-us/contact-us/privacy-cookies

What are the retention periods (what is the minimum timescale) for TIS data?

Note: This is distinct from Legacy data that will be availble in the mirror up to a point. We are here referring to data that will be held on TIS.

Do we need to explicitly make mention on this on TIS Private notice?

REview of PIA document for LIN:

The LIN project board has yet to consider the extent to which the system might remain available to learners after the end of their training programme.

The data retention periods for TIS will be stated in due course. Learners may want access to their data over the duration of their training programmes and perhaps for longer. Authorised users may require historical access to their data. HEE will propose the archive rationale and this may involve selected data being extracted and stored on a secure server. It is also planned to share the data, under clear agreements, with organisations involved in training, education and development. HEE will be clear about data retention arrangements for day-to-day operations and longer-term research and evaluation purposes. Where it is planned to use data for research and evaluation purposes outside the basic data retention period the HEE Board will be requested to approve it on a case-by-case basis to ensure compliance with the Data Protection Act.