NHSBSA - Freedom of Information

Previous Request List - Detail

Request Reference: 9045
Request Date: 08 Feb 2020
Request:

Dear Sirs

Can you provide me with the following information about the MyESR App please:

1) Was the Information Governance Team/Department asked for advice on the development of the MyESR App?
2) Please provide copies of advice provided by the Information Governance Team/Department in respect of the development of the MyESR App.
3) Please provide copies of any Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA) which was conducted on the MyESR App.
4) Which stakeholders did the PIA / DPIA consult with in relation to the processing of personal data by the MyESR App?
5) Please provide a copy of the minutes which were taken during each PIA/DPIA stakeholder consultation.
6) Please provide copies of advice provided by the Data Protection Officer during the development of the MyESR App.
7) Please provide information about why it was believed to be necessary to include the following permissions for the MyESR App:
   a) Read Contacts
   b) Modify Contacts
   c) Record Audio
   d) Read the contents of the App user's USB storage (photos / media / files / storage)
   e) Modify or delete the contents of the App user's USB storage (photos / media / files / storage)
   f) Take pictures and videos
   g) Read phone status and identity
   h) Approximate location
   i) Precise location
   j) Change network connectivity
   k) Pair the user's device with Bluetooth devices
   l) Access Bluetooth settings
   m) Read Google service configuration
   n) Full network access
8) Have all of the permissions used been included in the PIA / DPIA, including a justification why each is required, what the purpose for each permission is, and the legal basis for processing that data?
9) Does the PIA / DPIA include details of trackers used (software meant to collect data about the user or their online actions), including a justification why each is required, the purpose of each and the legal basis for processing for each?
10) How was each stakeholder group consulted as part of the PIA/DPIA?
11) Why aren't the use of permissions and trackers included within the Privacy Notice linked within the Google App Store Listing for the MyESR App?
12) Has a code level security assessment been undertaken on the MyESR App?

Your help in providing the information requested above is very much appreciated.

Yours faithfully
[name redacted]

Status: Complete
Response Date: 09 Mar 2020
Response: Please see attached response

References: