001. Do not store any Care Recipient PII in the Database
Date: 2023-02-24
Status
Accepted
Context
Storing personally identifiable information (PII) comes with a range of requirements - the more PII you store, the more onerous the requirements are. As far as NHS organisations are concerned, the less PII you store or process, the better. Storing less data is always in tension with the usability of the service.
We have two fundamental needs for PII:
- The emails we send to care providers will contain name and date of birth.
- We need to match received messages from NEMS (or another pub-sub system) to care providers using NHS Numbers as a unique identifier.
We need to decide how much of this we want to store, and make available in plain text in the management database.
If we store name and date of birth in plain text, we will more easily be able to choose who to delete from the system in the future if we need to. Storing the NHS Number in plain text is dangerous because it is a unique identifier - if compromised, it could allow access to healthcare data (when used alongside name and DOB).
Decision
- We will not store name or date of birth
- We will store the NHS Number in a secure, hashed form in the database so that it is effectively “pseudonymised”
- We will store a reference for each care recipient, chosen by the Care Provider, so they can choose who to delete from the system in the future
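An added example (not the project's own code) of the second and third decision points together: pseudonymising an NHS Number for storage and matching an incoming message against the stored pseudonyms. It assumes that "secure, hashed form" means a keyed hash (HMAC-SHA256), because NHS Numbers are only 10 digits and an unkeyed hash of them can be enumerated in full; the key, sample NHS Number and care provider reference are constructed for the example.

```python
import hashlib
import hmac

# Assumption for this example: "secure, hashed form" means a keyed hash (HMAC).
# NHS Numbers are 10 digits, so an unkeyed hash of them can be enumerated in
# full; the key must live outside the database (e.g. a secrets store).

def normalise_nhs_number(nhs_number: str) -> str:
    """Strip the spaces used in the 'nnn nnn nnnn' display format."""
    return nhs_number.replace(" ", "")

def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus 11 check digit: weights 10..2 over the first nine digits."""
    digits = normalise_nhs_number(nhs_number)
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid check digit exists for this prefix
        return False
    return check == int(digits[9])

def pseudonymise_nhs_number(nhs_number: str, key: bytes) -> str:
    """Return the value stored in the database instead of the NHS Number."""
    digits = normalise_nhs_number(nhs_number)
    if not nhs_number_is_valid(digits):
        raise ValueError("invalid NHS Number")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()

def match_incoming_message(message: dict, subscriptions: dict, key: bytes) -> list:
    """Find the care provider references subscribed to the NHS Number in a message.

    `subscriptions` models the management database: pseudonym -> list of
    care-provider-chosen references. The message's NHS Number is never stored.
    """
    try:
        pseudonym = pseudonymise_nhs_number(message["nhs_number"], key)
    except (KeyError, ValueError):
        return []
    return subscriptions.get(pseudonym, [])

# Constructed sample data: a sample NHS Number with a valid check digit and a
# demo key that would really come from a secrets manager, not source code.
DEMO_KEY = b"constructed-demo-key-replace-with-secret"
DEMO_NHS_NUMBER = "943 476 5919"
```

Rotating the HMAC key invalidates every stored pseudonym, so key rotation has to be planned as a re-pseudonymisation of all subscriptions rather than a simple secret swap.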
Consequences
This will allow us to more easily navigate information governance processes within the NHS as our new system will store very little PII data.
However, it will make it harder for administrators to choose who to remove from the system when care recipients should no longer be subscribed to. They will need to search on the care provider reference only.
We will need to use the contents of the message we receive from NEMS (or any other messaging service) to generate the email, as this message will either contain name and date of birth or allow us to look them up on the Personal Demographics Service (PDS).