Completing your Data Privacy Impact Assessment when connecting your application to the Safe Secure Cloud
Introduction
This is a briefing for Subscriber organisations when preparing to connect to the Mydex Safe Secure Cloud. This is designed to support internal activities relating to Information Governance and the legal basis of using the Mydex Safe Secure Cloud. The Mydex Safe Secure Cloud operates under the Mydex Trust Framework that has a charter, defined terms for Subscribers (Organisations) and our Members (Citizens) and a GDPR Compliant Data Sharing and Services Agreement between Subscribers and Members. Mydex as the Safe Secure Cloud provider enforces these terms and the Data Sharing and Services Agreements between them automatically.
This page is designed to provide information for Data Protection Officers, Information Governance and Cyber Security Teams who will be involved in updating or creating Data Privacy Impact Assessments for existing or new application software that will be connected to the Safe Secure Cloud for two way secure data and event exchange in a fully GDPR compliant manner.
It is also useful for third party integrators, such as application software vendors and public service providers with their own internal applications, and for their in-house or third party support teams, to understand the context for connection to the Mydex SSC. The Mydex Safe Secure Cloud has universal applicability to public, third and independent sector Service Providers as well as academic research, public health, policy development and service improvement programmes.
It may be particularly useful when considering how existing DPIAs for services and systems might need to be updated to reflect this new Mydex Safe Secure Cloud (SSC) capability. It works in the context of GDPR as the basis for two way data and event exchange between services' systems and the citizens who use their services. With SSC, citizens have their own cloud based personal data store, where their data is independently held by them for their own use and for sharing with others under GDPR compliant Data Sharing and Services Agreements (DSSA).
Mydex CIC is an asset and mission locked organisation that serves citizens, whom we call Members.
Members have free use and access to the Mydex SSC for life. They are totally in control of their data and how it is used under Data Sharing and Services Agreements presented to them by Service Providers. They can review and modify these terms where there are optional choices and approve them online. Service providers can present DSSAs to their citizen service users at the start of a service engagement, or on participation in a local cluster of service providers working together to support the same cohort of citizens.
Approval takes the form of an online authorisation step using what we call a Private Key, which only the Citizen knows. Entering it is their digital signature of agreement, whether to approve a Data Sharing and Services Agreement initially or to approve a later modification of it, for example when the range and nature of services being provided needs to adapt to changing needs. Citizens can also revoke access at any time, exercising their rights under GDPR including the right to be forgotten.
GDPR powering Innovation, Seamless Service Integration and Transformation
Since the inception of the Data Protection Act and later the General Data Protection Regulation, supporting citizens in exercising their rights has been seen as a compliance obligation on organisations.
GDPR is an innovation enabler for seamless service integration. With SSC it can solve many complex systemic issues and barriers effortlessly to deliver dramatic improvements in productivity, speed of access, inclusion and improved experience and outcomes for citizens and front line teams within service providers.
The Mydex Safe Secure Cloud can eradicate what we call FERC (Friction, Effort, Risk and Cost) from people's and organisations' lives, improving security and quality, and enabling the delivery of seamless joined up services across multiple service providers. It also enables citizens to activate their own personal networks to be part of the integrated experience.
Data Protection GDPR roles
- A Service Provider using a business application that stores personal data is classified as a Data Controller under GDPR.
- An Application Vendor that provides its offering as a cloud hosted application may be considered a Data Processor and/or a Data Controller, depending on the arrangements in its DPIA and contract with its customer, the Service Provider.
- Citizens with a Personal Data Store running in the Mydex Safe Secure Cloud are in reality their own independent 'data controller' for the personal data and events recorded throughout their life, exercising the GDPR personal use exemption and their rights to Data Portability, Informed Consent, Data Minimisation and Transparency.
- Mydex CIC provides an App to its Members (think of it as a personal digital front door to the citizen's own life and the data and events that underpin it). The Members' People Apps are cloud based web applications which place them in complete control of their personal data store. They allow citizens to use their own data, curate their own data, interact with third party service providers and also create and manage their own personal networks, which we call Circles of Support.
- Circles of Support enable a Citizen to create a personal network with delegated access for others to view and update their Personal Data Store, and to authorise them to perform actions on their behalf. Typically these are informal carers such as friends and family. This enables them to work collaboratively with the person needing support and their Service Providers. Circles of Support eradicate the friction, effort, risk and cost of supporting someone and improve the understanding and quality of support that can be given. Circles of Support replace the paper based, in person, telephone call and WhatsApp-type informal networks with one that is fully secure and under the individual's control. Circles provide a full audit trail of all such interactions, giving transparency and evidence of interactions with their circles and service providers. This audit trail is captured throughout their interactions and kept forever in an immutable log stored in their own PDS.
- Mydex CIC acts as a Data Processor for Citizens who are signed up to the Safe Secure Cloud, operating under a GDPR compliant Data Sharing and Services Agreement approved under informed consent.
- Mydex has no access or rights to Members' personal data. We just execute their instructions as a processor.
- Mydex operates a Personal Data eXchange to enforce individual Members' approved Data Sharing and Services Agreements, to manage receipt of data for deposit in the Member's PDS, and to respond to requests from Subscribers for data from the Member's PDS.
- Mydex also enables citizens (Members) to set up their own personal networks as well as connect with their service providers.
- Mydex CIC is also a Data Processor for any organisation using the Mydex SSC-ready Service Provider web app.
Data and events sharing and access
- All data sharing and event exchange is uniquely encrypted end to end between an individual (a Member with a PDS) and their service provider (the Data Controller).
- GDPR provides the Data Portability right to citizens and corresponding obligations on organisations. This is the legal basis for exchanging personal data and events between them seamlessly over secure two way APIs.
- Exchange and sharing can be a combination of personal data and event data, e.g. secure messages, referrals and calendar invites, as well as sharing different elements of information about the individual through specific modules and subsections of their life and the data stored in their PDS.
- All data and event sharing is undertaken via a GDPR compliant Data Sharing and Services Agreement, which the individual approves under their GDPR informed consent rights and which meets the compliance obligations of Data Controllers (Service Providers) and Data Processors (Application Vendors offering cloud SaaS or a Managed Service).
- The individual has complete transparency, with their own audit trail, of the flow of data into and out of their PDS. The Data Sharing and Services Agreement sets out the legal basis for this activity: the GDPR right to transparency is powered by the DSSA that the Data Controller completes when getting connected, which outlines the use cases, makes a formal GDPR compliance declaration and identifies the personal data and API event services they wish to use.
- Individuals who approve Data Sharing Agreements use what we call their Private Key (which only the Member knows). Not even Mydex CIC knows their Private Key. A Private Key can be thought of as a pass phrase that can be up to 128 characters in length. Members only need to use it when they approve a Data Sharing and Services Agreement or decide to disconnect from or modify the Data Sharing and Services Agreement, e.g. to add new datapoints or change the scope.
- Mydex SSC serves up the Data Sharing and Services Agreement and the Private Key approval field to the individual within an existing service journey as is the norm when using digital services where information needs to be shared. We have just added an extra security layer plus full transparency for the Data Sharing and Services Agreements.
- Third party integrators can trigger a connection to the SSC as part of a normal service journey. If necessary this includes the Registration for a MydexID and provisioning of a Personal Data Store, or simply the approval of the Data Sharing and Services Agreement.
Circles of support extend access to friends and family
Circles of Support operate outside the boundaries of an organisation's information governance and compliance regime such as GDPR. They operate under the citizen's own rights under GDPR, namely the personal use exemption.
Circles of Support simplify and make more secure what is happening every day via insecure channels, including post, paper, phone, email and chat channels on commercial platforms like WhatsApp, Apple iMessage etc.
- Citizens can create Circles of Support, which enable them to share information about themselves and their journey through life with friends and family.
- Friends and Family Members are invited to one or more Circles of Support and use exactly the same People App as the person they are supporting. Mydex provides this People App entirely free of charge for life to our Members.
- Members in Circles of Support can only view the information the individual chooses to share with the circle of support and are only able to take actions as approved by the individual who set up the Circle of Support.
- Service Providers can be confident that a person in a Circle of Support is acting for another within defined boundaries approved by the Member, their service user.
- A full audit trail of all interactions by people in a Circle of Support is stored in the Member's own PDS as well as in the PDS of the individual who invited them to the Circle of Support.
- Citizens can have as many Circles of Support as they want to reflect the different aspects of their life. This is scalable and adaptable either on a long term care basis or a short lived life event where support is needed e.g. discharge from hospital, recovery from a fall etc.
Mydex ISO27001 Independently Certified Information Security Management System
Security is in the very DNA of Mydex and all we have designed, built, and maintain. We protect and operate the Safe Secure Cloud 365 days a year and 24 hours a day.
Mydex is independently certified under ISO27001:2022 and FairData for its Safe Secure Cloud services. We have been certified for over 12 years without incident.
Our Certification is for the whole company, not just the Mydex Safe Secure Cloud.
The Mydex Safe Secure Cloud is operated on a resilient high availability infrastructure with all data storage and processing undertaken in the UK.
- All data is encrypted at rest, uniquely to the individual citizen; they are always in control.
- All data transmitted between the Individual and their service providers is encrypted uniquely in transit.
ISO 27001:2022 is an internationally recognised standard for Information Security Management Systems (ISMS).
It provides a framework for managing sensitive information securely, which is directly relevant if you are an application software vendor or a public, third or independent sector service provider needing to conduct a Data Privacy Impact Assessment (DPIA), especially when integrating with a third party like the Mydex Safe Secure Cloud platform for GDPR compliant data and event sharing.
The key information you may find useful about ISO27001:2022 and GDPR to feed into a Data Privacy Impact Assessment is summarised below:
Key Elements of an ISO 27001 Information Security Management System (ISMS)
- Risk-Based Approach to Security
  - Identifies, assesses, and mitigates risks to information security.
  - Ensures appropriate security controls are in place to protect personal data, especially in third-party integrations.
- Information Security Policies and Procedures
  - Defines how your organisation protects information, including data and events shared with external platforms.
  - Covers access control, data encryption, incident response, and compliance with GDPR.
- Roles and Responsibilities
  - Assigns accountability for data security within your organisation.
  - Ensures staff handling citizen data are trained in security best practices.
- Technical and Organisational Security Controls
  - Technical measures: encryption, multi-factor authentication, secure APIs, firewalls, code scanning, automated testing, security testing and traffic protection via a range of measures.
  - Organisational measures: staff training, supplier security assessments, security audits.
- Supply Chain and Third-Party Management
  - Ensures external platforms handling citizen data meet the same security standards.
  - Requires contracts and agreements covering data protection responsibilities.
- Incident Management and Business Continuity
  - Defines how your organisation responds to data breaches and cyber incidents.
  - Ensures continuity of services even if a security incident occurs.
- Compliance with GDPR and Other Legal Requirements
  - Aligns security controls with GDPR principles, especially around data minimisation, access controls, and consent management.
  - Helps demonstrate compliance in Data Privacy Impact Assessments (DPIAs).
Why this matters for your DPIA and Mydex Safe Secure Cloud Integration
If your service connects to a third-party cloud that enables GDPR compliant data sharing, an ISO 27001:2022 ISMS ensures that:
- Your own security policies align with the secure cloud provider's standards.
- Risks related to personal data processing and sharing are identified and mitigated.
- You can demonstrate compliance with GDPR and other legal requirements.
Please see below a Data Privacy Impact Assessment (DPIA) Template aligned with ISO27001:2022 and GDPR, specifically for organisations integrating with a third-party safe secure cloud for personal data and event sharing, such as the Mydex Safe Secure Cloud.
Data Privacy Impact Assessment (DPIA) Template
Please note that text which does not apply in the context of using the Mydex Safe Secure Cloud has been struck through and turned red.
For Applications and Services Connecting to Mydex Safe Secure Cloud
Section 1: Project Overview
- Project Name: [Name of Application/Service]
- Organisation Name: [Your Organisation]
- Date: [DD/MM/YYYY]
- DPIA Lead: [Name and Contact]
- Stakeholders Involved: [Teams/Individuals Responsible]
- Purpose of Processing: [Why is this data being processed?]
- Third-Party Platform Name: Mydex Safe Secure Cloud
- Data Sharing Justification: Direct data and event sharing with citizens who have a personal data store so we can streamline operational service referrals, delivery and ensure improved data quality and timely updates to service information and exchanges with citizen service users. This will also automatically meet our GDPR Obligations to our citizen service users.
Section 2: Description of Data Processing
- What personal data will be processed? (examples below)
  - Name
  - Contact details
  - National ID / Government ID / CHI Number
  - About Me data relating to the citizen
  - Health information
  - Financial information
  - Other (describe)
  - Service event data: secure messages, referrals, calendar invites and responses, alerts and notifications that streamline communication and make the channels of communication secure.
- Who are the data subjects?
  - Citizens
  - Service users
  - Employees: front line delivery teams within the organisation, if the Safe Secure Cloud is used to support them as employees, volunteers or contract staff.
  - Other (describe)
- Where will the data be processed?
  - On-premise - Not relevant in this context
  - Cloud based - Secure Cloud Provider: Mydex Data Services Community Interest Company in the United Kingdom
  - Hybrid - Includes your own internal applications, e.g. case management or professional interface, and Mydex as Safe Secure Cloud Provider
- Who will have access to the data?
  - Citizens who are the subject of the data and events being shared and used
  - Internal staff using your own applications, in house or provided as Software as a Service by an Application Vendor or their delivery partner
  - Third-party providers - Not relevant to the Mydex Safe Secure Cloud, as this is outside the scope of the organisation's own Information Governance and GDPR obligations
    - UNLESS the organisation's applications are integrated directly into third party service providers' own back office systems under an organisation to organisation data sharing agreement and information governance framework
  - Government agencies, e.g. regulatory and compliance reporting
- How will the data be transferred between systems?
  - Secure, uniquely encrypted two way API data payloads
  - Encrypted file transfer
  - Secure email
  - Other (describe)
Section 3: Risk Assessment (Aligned with ISO 27001)
| Risk | Likelihood (L/M/H) | Impact (L/M/H) | Mitigation Measures |
|---|---|---|---|
| Unauthorised access to personal data | Low | High | End to end unique encryption between the individual's PDS and the Service Provider; GDPR compliant Data Sharing Agreements; multi-factor authentication (MFA); role-based access controls (RBAC) for Circles of Support |
| Data breach during transfer | Low | High | End-to-end encryption; secure APIs |
| Third-party platform security failure | Low | High | Extensive threat vector protection at multiple layers, from the infrastructure through to the application layer; ISO 27001:2022 independently certified provider; regular internal security audits and an annual cycle of independent external audits, with full recertification every three years |
| Non-compliance with GDPR | Low | High | GDPR informed consent management; Data Portability; Transparency; Data Minimisation; data retention policies |
Section 4: Security Controls (ISO 27001:2022 Alignment)
- Access Controls: Role-based access, MFA, least privilege principle.
- Data Encryption: In transit and at rest (AES-256, TLS 1.2+).
- Incident Response Plan: Defined breach notification process.
- Supplier Security Assessment: Verification of third-party platform compliance with ISO 27001:2022 & GDPR.
- User Consent Management: GDPR-compliant consent collection and logging.
Section 5: Compliance and Approval
- Does this processing align with GDPR principles?
  - Yes
  - No (if no, explain why)
- Does the third-party cloud provider comply with ISO 27001:2022 and GDPR?
  - Yes
  - No (if no, explain risks and mitigations)
- Has a contract or Data Processing Agreement (DPA) been signed?
  - Yes - Mydex Trust Framework as the contractual basis for terms of service for organisations to use the Mydex Safe Secure Cloud and to operate under citizen approved GDPR compliant Data Sharing Agreements
  - No
- Final Approval:
- DPO Name & Signature: [Name] [Signature]
- Date: [DD/MM/YYYY]