November 2024 update

Posted by: Sarah

Blogs

We have published several new blogs recently on our IG Portal. Topics include secure emailing to non-NHS emails, a parental responsibility flow chart, links to some MDU publications about 3rd party requests and mental capacity, and a DPIA for Heidi AI (an AI medical scribe).

IG Introduction video

We’re really pleased to say that, in addition to the above, we have also produced a video (made by us at N3i) covering the basic IG principles, which new starters or those who would like a refresher might find useful. This is available for anyone to use within the ‘blog’ section of the IG Portal.

Telephone calls in SARs

We have had an increase in the number of queries about whether call recordings can be requested in a SAR. The short answer is yes. Now would be a good time to agree within your practice how long you want to keep your call recordings for, ensure that the phone provider erases calls accordingly, and put the retention period on your privacy notice (we have also written a blog about this here and a fact sheet here). The longer you keep calls, the more you will have to provide in a SAR. This also applies to CCTV.

AI

We understand that there are already many practices using various AI software. As your DPO, we need to be made aware of this new processing, so please let us know if you are using any form of AI. AI software requires the completion of a DPIA if it involves a new way of processing data, and its use will need adding to your practice privacy notice. It is up to practices to ensure that staff who are responsible for using the AI are fully trained and aware of the potential risks involved in its misuse. Heidi (an AI medical scribe) is a piece of software that we have received several queries about, so we have produced a template DPIA (available on our Heidi AI DPIA blog) for practices to personalise and complete if required.

Smartcard access

When someone leaves your organisation, if their access rights aren’t removed on their smartcard, they will be able to access all the patient information from your organisation as soon as they get a new NHS job. This is a huge IG risk that happens too often. Please remember to remove/end date smartcard access via the Care Identity Management Portal (CIM Portal), as well as archiving them in the clinical system, as soon as someone leaves your organisation (anyone with Sponsor access can do this). N3i still need to be notified of leavers (through the ‘report an issue’ link on your desktop) so they can remove the leaver’s email and AD account.