In January I outlined how we intended to comply with the GDPR which comes into force this coming Friday 25th May. In this post I would like to update you on progress, and on some changes that we have made to our approach during implementation. I know this isn’t the most exciting stuff around, but if you use Gooroo Planner then please read it because you may need to take action.

This post will be updated from time to time with further news – please scroll to the bottom for these updates.

New privacy policy

You are probably getting rather tired of being urged to read everyone’s new privacy policies. However it’s a GDPR requirement and I’m afraid we’re obliged to join in, so here goes: please read our privacy policy.

Purging any remaining personal data from Gooroo Planner

Our rule (since 16th February 2018) is that you are not allowed to upload any personal data to Gooroo Planner. That includes patient identifiers, consultants’ names and initials, and even clinic codes that contain consultants’ initials. [Subject to your organisation’s information governance policies, properly pseudonymised data may be uploaded. See the foot of this post for an update on pseudonymisation.]

The rule used to be different. Although you have never been allowed to upload patient identifiers, before the 16th February we did allow the uploading of consultant identifiers. We are now doing what we can to remove any of this older personal data which might still be in the system. If you use Gooroo Planner then you should read this because you may need to take action.

In the next few days we will run a script which searches for any datasets that were uploaded before 16th February (and any reports created from those datasets), and clears the contents of the Gooroo Planner data fields that are likely to contain personal data: these are the HeadCons header, various fields used by the bed, theatre and clinic visualisations, and the waiting list simulator ToolTip. We expect this script to purge nearly all the legacy personal data from Gooroo Planner, but without disturbing anything more recent which you may still be working on.

However it is possible that some loose ends might remain, and this is where you come in.

One scenario is this. Let’s say you uploaded a dataset before 16th February – call it dataset D1 – and that it contains personal data such as consultants’ names or initials. Now imagine that you made a duplicate of this dataset after 16th February – call it dataset D2.

When we run the script that purges personal data, it will work for dataset D1 because that dataset has a creation date before 16th February. However dataset D2 was created after 16th February, so it won’t be touched by the script and it will continue to contain personal data. Similarly any reports that were created from dataset D2 will not be touched by the script and will continue to contain personal data.

So if you have any datasets like dataset D2, or any reports created from them, then you should delete them and also delete them from your Trash.

The other scenario is if you inadvertently uploaded any personal data since 16th February. If you did, then you should delete those datasets and any reports created from them, and also delete them from your Trash.
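To make the gap in the two scenarios above concrete, here is an added Python model (not Gooroo's own purge script) of a date-based sweep beside a lineage-aware one that follows each duplicate or report back to the dataset it came from. The `derived_from` link, the `Item` class and the sample names are assumptions constructed for this example; only the HeadCons and ToolTip field names and the 16th February cut-off come from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Rule change date stated in the post: no personal data may be uploaded from this day on.
CUTOFF = date(2018, 2, 16)
# Fields the post names as likely to hold personal data.
PERSONAL_FIELDS = ("HeadCons", "ToolTip")

@dataclass
class Item:
    """A dataset or report (hypothetical model). derived_from names the item it was copied from."""
    name: str
    created: date
    fields: dict
    derived_from: Optional[str] = None

def purge_by_creation_date(items):
    """The sweep described in the post: selects only items created before the cut-off."""
    return {i.name for i in items if i.created < CUTOFF}

def purge_by_lineage(items):
    """Follows derived_from links, so a post-cut-off duplicate (D2) and its reports are selected too."""
    by_name = {i.name: i for i in items}
    def legacy(i):
        seen = set()  # guards against cyclic links
        while i is not None and i.name not in seen:
            if i.created < CUTOFF:
                return True
            seen.add(i.name)
            i = by_name.get(i.derived_from)
        return False
    return {i.name for i in items if legacy(i)}

def residual_personal_data(items, selected):
    """Items a sweep leaves untouched that still hold personal data: the user must delete these."""
    return {i.name for i in items if i.name not in selected
            and any(i.fields.get(f) for f in PERSONAL_FIELDS)}

def clear_fields(items, selected):
    """Blank the personal-data fields of every selected item, as the purge script does."""
    for i in items:
        if i.name in selected:
            for f in PERSONAL_FIELDS:
                i.fields[f] = ""

def build_sample():
    """Constructed data mirroring the post's scenarios; names and initials are placeholders."""
    return [
        Item("D1", date(2018, 1, 10), {"HeadCons": "Mr Smith", "ToolTip": "JS"}),
        Item("D2", date(2018, 3, 1), {"HeadCons": "Mr Smith", "ToolTip": "JS"}, derived_from="D1"),
        Item("R2", date(2018, 3, 2), {"HeadCons": "Mr Smith", "ToolTip": ""}, derived_from="D2"),
        Item("D3", date(2018, 4, 1), {"HeadCons": "", "ToolTip": ""}),
        Item("D4", date(2018, 4, 5), {"HeadCons": "Dr Jones", "ToolTip": ""}),  # inadvertent upload
    ]
```

Even the lineage-aware sweep cannot catch D4, a fresh upload made after the cut-off, which is why the post asks users to check for and delete such datasets themselves.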

Deleting inactive users and their data

We are also putting in place an automatic deletion system for inactive users. If you do not log in at all for 9 months, then we will automatically mark your account as inactive. If in the following 3 months you do not reactivate your account and log in, then we will permanently delete your account details and all your datasets, reports etc. (which by then will be at least 12 months old).

You are of course very welcome to return to Gooroo Planner at any time.

Originally we proposed marking unused accounts as inactive after 12 months, so that the final deletion was after 15 months of inactivity, but we have shortened those times in line with government procurement frameworks.

Deleting very old data for active users

While putting all of this in place, we discovered that our system for deleting very old data had stopped working when we migrated to a new server last year. Oops. Anyway we’re reinstating it now.

This system automatically moves any datasets and reports to the Trash when they are more than 2 years old, and permanently deletes anything that has been in the Trash for more than 3 months. As we work through the backlog of data that should have been deleted already, heavy users may notice that their lists of datasets and reports don’t go on for quite as many pages as before.

Sorry for the inconvenience

I’m afraid that implementing all of this is putting quite a load on our server, and this will continue for a few days to come. You may notice that things aren’t running quite as fast as usual, and we have even had one occasion when a particularly big job was slowing things down to the point where it started causing server errors (thankfully we were able to work with both of the affected users and get their work finished without significant delay).

If in the next few days you are experiencing problems which you think might be related to this, then please get in touch and we will gladly pause our work until you have finished everything you need to do. Your work always comes first, and our back office functions come second.

Any questions?

If you have any questions about any of this then please email us. We want these GDPR changes to go off smoothly.


Updates

25 May 2018

1) We have completed the first run of queries to purge personal data, delete inactive users, and delete very old data. However, inspection of the remaining data suggests that this has not done everything we intended, so we will check the code over and try again next week.

2) We emailed everyone who holds a licence to upload data to Gooroo Planner, to check that they know they are not allowed to upload personal data, and to make sure they haven’t uploaded any since 16th February (as we advised in January). If you have uploaded personal data since 16th February then it will not be cleared by the queries mentioned above and you will need to delete it.

However, you may be reluctant to delete your datasets and reports because you are in the middle of some work that relies on them. Fortunately, there is a way to delete them without losing the demand and capacity planning elements.

This is what you would need to do. Before deleting anything, download the dataset from the dataset manager. You will get a zip package containing several files; most of them have a suffix like _History or _Log, and the file you want is the one without a suffix. Create a new dataset by uploading that file as statistical data. Then recreate your reports from that. That will reproduce your plans, but won’t contain any personal data (or indeed any patient-level data). When you are happy that you’ve got everything you need, you can delete the ones that do contain personal data (and also delete them from the Trash).

If you have a report which you have already edited on-screen, and you want to preserve those edits, then from the report manager you can convert it into a dataset first, and then follow the steps above.

3) The ICO are now advising that pseudonymised data remains personal data. As a consequence, pseudonymised data cannot be uploaded to Gooroo Planner, which is very disappointing. This is what we know:

The HSJ today reported that “On Thursday night [i.e. last night, 24th May], the ICO updated some GDPR guidance that made it clearer a tougher standard will apply on what information will need to be removed to mask a patient’s identity. However, it has yet to update its code of anonymisation to reflect the law change.”

Looking at the ICO website, their GDPR page on personal data now says “pseudonymised personal data remains personal data and within the scope of the GDPR”, which is the opposite of their previous advice on the matter (based on previous EU regulations) which said “There is clear legal authority for the view that where an organisation converts personal data into an anonymised form and discloses it, this will not amount to a disclosure of personal data. This is the case even though the organisation disclosing the data still holds the other data that would allow re-identification to take place.”

As far as uploading data into Gooroo Planner is concerned, the rule is that you are not allowed to upload personal data. We had hoped that pseudonymised data could be permitted (and the position may yet change as GDPR case law develops) but as things stand I am afraid the ICO’s advice is clear: pseudonymised data is personal data, which means you cannot upload it to Gooroo Planner.