Use of Synthetic Data in Live Environments

Similar documents
Data Sharing Agreement

Version 1/2018. GDPR Processor Security Controls

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

INFORMATION SECURITY AND RISK POLICY

EMIS v7.1 Patient Access

General Data Protection Regulation

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Data Protection Policy

Grand Avenue Primary and Nursery School ICT Data management. Contents

Access Control Policy

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Data Processing Clauses

Data protection. 3 April 2018

Policy General Policy GP20

Q and A from the family information sessions 18/10/2016

PERTS Default Privacy Policy

Data Breach Notification Policy

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

PORTAL TRANSITION GUIDE. 1 February 2019

Data Protection Policy

HIPAA Security and Privacy Policies & Procedures

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

BRIDGEWATER SURGERIES. Privacy Notice

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Made In Hackney Data Protection Policy Last Updated:

The system will prompt for Login ID and Password (NB login credentials will be supplied to all staff after Commissioning).

RelayHealth Legal Notices

Information Technology Access Control Policy & Procedure

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

EPS Implementation Group. Terms of Reference

Data protection policy

PS Mailing Services Ltd Data Protection Policy May 2018

BODY CORPORATE REGISTRATION Application form

A Homeopath Registered Homeopath

Scottish Care Information. SCI Gateway v11.1. Receiving Referrals User Guide

THOMSON REUTERS FX TRADING (FXT)

Date Approved: Board of Directors on 7 July 2016

NHS e-referral Service

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

SUS RBAC Assignment Guide User guidance on Payment by Results (PbR) in SUS Payment by Results (PbR) in SUS

Data Protection Policy

SAFE USE OF MOBILE PHONES AT WORK POLICY

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

Health Visitors Allocation Using Monthly Team Planner

GDPR Compliance. Clauses

Patient Reported Outcome Measures (PROMs)

Survey on Patient Safety Culture Database Data Use Agreement

Welcome to the latest edition of your PCSE cervical screening bulletin

Asda. Privacy and Electronic Communications Regulations audit report

St Bernard s Primary School Data Protection Policy

Site Builder Privacy and Data Protection Policy

Healing School - A Science Academy GDPR Policy (Exams) 2018/19

Mobile Working Policy

NHS R&D Forum Privacy Policy: FINAL v0.1 May 25 th 2018

GDPR Draft: Data Access Control and Password Policy

DATA PROTECTION PRIVACY NOTICE PROTECTING YOUR PERSONAL INFORMATION: YOUR RIGHTS, OUR RESPONSIBILITIES

Communications to Community Pharmacy

Statutory Notifications

COLLECTION & HOW THE INFORMATION WILL BE USED

General Data Protection Regulation policy (exams) 2018/19

SALISBURY NHS FOUNDATION TRUST. TITLE - Information Strategy Annual Review

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Requirements for a Managed System

Queen Square Neurophysiology Referral Portal

A PPG guide to using SystmOnline in Woodbridge Medical Practice.

May ORION User Access Procedures

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

Information Governance Incident Reporting Policy

Patient Online Pre-Admissions Portal Instructions

Access to University Data Policy

Pathology Bounded Code List (PBCL) Version for Primary Care Pathology Report Messages

Scottish Care Information. SCI Gateway v10.3. Sending Referrals & Receiving Discharges User Guide

HSX Clinical Data Repository (CDR) Query Portal User Guide

Promise Dreams Privacy Policy

Enviro Technology Services Ltd Data Protection Policy

What is the Northern Ireland ehealth and Care strategy?

Image Exchange Portal

Professional Engineers Ontario. canada s anti-spam. Guidelines for Chapters

INFORMATION SECURITY POLICY

Auckland District SUPPORT SERVICES Board Policy Health Board (Section 7) Manual ELECTRONIC MAIL

The General Data Protection Regulation

STCP Amendment Proposal Form

NHS e-referral Service Transition Planning WebEx May 2015

If you have established that it is not possible to refer directly from your clinical system it is still possible to refer through ers but this

Frequently Asked Questions. My life. My healthcare. MyChart.

Electronic Communications with Citizens Guidance (Updated 5 January 2015)

UKIP needs to gather and use certain information about individuals.

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

Virginia Commonwealth University School of Medicine Information Security Standard

Please let us know if you have any questions regarding this Policy either by to or by telephone

Beam Technologies Inc. Privacy Policy

ACT Test Accessibility and Accommodations System (TAA) User Guide

Bring Your Own Device (BYOD) Policy

EDGE: Getting Started

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Regulation P & GLBA Training

General Data Protection Regulation (GDPR)

Transcription:

Use of Synthetic Data in Live Environments Guidance Published 6 th July 2018 Version 1.0 Final Copyright 2018 NHS Digital

Contents Introduction 3 General Principles 4 Synthetic Data Naming Convention 4 Demographics (Names, addresses etc) 5 NHS e-referral Service (e-rs) 5 Contact 5 Appendix A Synthetic data Usage Agreement 6 Copyright 2018 NHS Digital 2

Introduction There are occasions where users need to perform transactions on NHS systems which are not real. These may include staff training, deployment testing of new systems/versions or perhaps as part of live incident resolution. Real patient records must never be used for these purposes, therefore NHS Digital provides synthetic data which can be used to separate these transactions from real live transactions. The use of synthetic data in systems which also handle real patient data carries risks. It is important to be aware that the risks include: Confusion between real patient and synthetic data which could result in real data being recorded against a synthetic record and vice versa. Synthetic data booked in to real clinical appointment slots reduces the number of slots available for real patients and this should therefore be avoided at all costs. Inaccurate reporting for statistics or payments. Where users have access to live and test environments they may become confused about which environment they are using at any one time. These risks can be mitigated in part through: Keeping the use of synthetic transactions in live to an absolute minimum. Regular auditing of the use of synthetic data. Following guidance (this document) on the best use of synthetic data. This document gives important guidance on the use of synthetic data in live which must be followed to reduce the risk. This guidance should be read and understood by anyone making use of synthetic data in live. Failure to follow the guidance may mean the synthetic records are revoked and could potentially lead to a live security incident. Before synthetic data is issued by NHS Digital the requestor must sign the Synthetic Data Usage Agreement (Appendix A). Copyright 2018 NHS Digital 3

General Principles Wherever possible testing or training should not be conducted in live. NHS Digital can provide access to testing and training environments which contain synthetic data and are purpose built to support NHS organisations to test in a safe, live-like environment to protect patient safety. For more details on this please see http://www.assurancesupport.digital.nhs.uk/ Where it is necessary to test or train in live, real patient records must not be used synthetic patients can be requested from testdata@nhs.net. Please provide 5 working days notice for requests to be completed. Synthetic patients must be removed from the end systems once testing is completed they should not be left for ongoing general use by live users. Failure to do so could cause an unnecessary and detrimental impact to live services. You should only use the synthetic data which has been specifically allocated to your organisation. You can check this by emailing testdata@nhs.net Data in live (including synthetic data) should only be accessed by people holding valid smartcards in their own name test user accounts are strictly forbidden in live. Anyone using synthetic data in live must read this document, and agree to the guidance, before doing so. Synthetic Data Naming Convention Synthetic patient records in live are identified by their NHS number which always starts 999 e.g. 999 123 4566. The NHS number is valid but is from a range of numbers from which real NHS numbers will never be issued. The Family Name of each record starts XXTESTPATIENT followed by random characters e.g. XXTESTPATIENT-ABDF. The address of the patients is the Test Data Manager at NHS Digital to ensure any post which is inadvertently sent does not get sent to real patients. The test patients are registered to synthetic GP practices. Copyright 2018 NHS Digital 4

Demographics (Names, addresses etc) Unless with express consent from the NHS Digital Test Data Manager (contact via testdata@nhs.net), the following demographic details must not be changed: Name Address Deceased Status Nominated Pharmacy The following details can be changed if required: Date of Birth Gender Title GP Practice only if consent is received from the GP Practice concerned and it should be reverted to the synthetic practice as soon as possible. NHS e-referral Service (e-rs) The synthetic test records may be used for e-rs deployment testing and training in live where necessary. The following guidance must be followed. DO NOT refer into live services, unless it is a dummy service and you have express consent in writing from that service OR you have express consent in writing from a live service. YOU MUST manage the referral appropriately to ensure live/dummy services are not detrimentally affected by the referral. This will avoid test patients being referred into real services and taking real appointments from actual patients. Referrals into live services are monitored by NHS Digital to avoid inappropriate use of synthetic patients. Contact If you have any questions regarding the use of synthetic data in live or any of the content in this guidance, please contact the Test Data Team (testdata@nhs.net). Copyright 2018 NHS Digital 5

Appendix A Synthetic data Usage Agreement 1. NHS Digital Reference: <Project ID> 2. Organisations This Synthetic data Usage Agreement (Agreement) is drawn up between: NHS Digital, 1 Trevelyan Square, Boar Lane, Leeds, LS1 6AE And: <NHS Organisation or Supplier>, <Address Details> 3. Period of Agreement This agreement commences on <date> until further notice. This Agreement will be subject to review on an annual basis. 4. Synthetic data Provided <Summary details of synthetic data provided e.g. 10 demographics records> 5. Purpose for which the Data are to be used <Purpose e.g. data provided to facilitate deployment testing of upcoming release of PAS> 6. Permissions This data is provided for the purposes expressly described in section 5. If the data will be used for purposes other than that described then the data requestor must seek permission from the NHS Digital Synthetic data Manager after which this agreement would be reviewed and updated as appropriate. The data must be used in accordance with the Use of Synthetic data in Live Guidance document (email testdata@nhs.net for a copy). 7. Synthetic Data Ownership and Responsibility The data requestor remains responsible for the use of the synthetic data which has been allocated even if shared and used by others at the organisation therefore a record of who the data has been shared with should be kept. The data requestor is responsible for ensuring the Use of Synthetic data in Live Guidance document is provided to users who have been given access to the synthetic data. 8. Storage of Data The data must be stored on a secure system with appropriate password protection. Transmission of this data must also be via secure means e.g. NHS Mail. 9. Breach of Conditions Notification of breach: The beneficiary agrees to report immediately to NHS Digital instances of breach of any of the terms of this Agreement. Right to terminate access: The breach of any of the terms of this Agreement may result in the immediate termination of access to the Data. 10. Changes to Terms of Agreement NHS Digital has the right to change the terms of this agreement and these will be notified to the beneficiary in writing. The beneficiary also has the right to request changes to the Copyright 2018 NHS Digital 6

agreement in writing to NHS Digital. These changes will be considered by NHS Digital and if appropriate an addendum to the agreement will be issued. If the person signing on behalf of <Receiving Organisation> should leave their post or the responsibility for this agreement changes from them, then it is incumbent on that person to arrange a new signatory to this agreement and NHS Digital informed of this requirement immediately. 11. Agreement Signatures For and on behalf of: <Receiving Organisation> Signed: Print Name: Post/Title: Date: For and on behalf of: NHS Digital Signed: Print Name: Post/Title: Date: Copyright 2018 NHS Digital 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback