This repository has been archived by the owner on Apr 24, 2020. It is now read-only.
Merge pull request #105 from nhsx/ig-guidance-updates
Ig guidance updates
theonlymojo committed Mar 25, 2020
2 parents 9ee470b + 563aeef commit b2966b1
Showing 2 changed files with 5 additions and 5 deletions.
Expand Up @@ -39,10 +39,10 @@
<p>Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.</p>

<h3 class="nhsuk-heading-s">General Data Protection Regulation (GDPR)</h3>
<p>The GDPR allows information to be shared for individual care, planning and research. Where health and care information (which would be classed as special category data) is shared for either individual care or to help tackle the disease through research and planning then the relevant Article 6 conditions (official authority, compliance with a legal obligation, public interest and on occasions vital interests) and Article 9 conditions (substantial public interest, the delivery of health and care, vital interests or for public health purposes and scientific research) should be relied on as applicable to the situation.</p>
<p>The <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/>principles (Article 5 of GDPR)</a> should continue to be followed. They form a framework of good information management with the key criteria enabling justification of actions taken. If you are not certain of an issue, such as a relevant retention time, then the law is flexible enough to allow you to revisit the issue once the answer becomes clearer. </p>
<p>If your organisation is going to process personal/confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), e.g. using videoconferencing for consultations, then a short high level DPIA should be carried out. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place and a plan or confirmation that mitigation has been put in place. DPIAs are scalable, and in some instances this might not take more than a couple of pages. The ICO has produced guidance on carrying out DPIAs and a template that you can refer to. You should also update your privacy notice where data is being processed in new ways.</p>
<p>The GDPR allows information to be shared for individual care, planning and research. Where health and care information (which would be classed as special category data) is shared for either individual care or to help tackle the disease through research and planning then the relevant Article 6 conditions (official authority, compliance with a legal obligation, public interest and on occasion vital interests) and Article 9 conditions (substantial public interest, the delivery of health and care, vital interests or for public health purposes and scientific research) should be relied on as applicable to the situation.</p>
<p>The <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/">principles</a> (Article 5 of GDPR) should continue to be followed. They form a framework of good information management with the key criteria enabling justification of actions taken. If you are not certain of an issue, such as a relevant retention time, then the law is flexible enough to allow you to revisit the issue once the answer becomes clearer.</p>
<p>If your organisation is going to process personal/confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), e.g. using videoconferencing for consultations, then a short high level DPIA should be carried out. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place and a plan or confirmation that mitigation has been put in place. DPIAs are scalable, and in some instances this might not take more than a couple of pages. The ICO has produced <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/">guidance on carrying out DPIAs</a> and a template that you can refer to. You should also update your privacy notice where data is being processed in new ways.</p>
<h3 class="nhsuk-heading-s">Further information</h3>
<p>You can direct further Information Governance questions to the <a href="mailto:england.IGPolicyTeam@nhs.net">NHSX IG team</a>.</p>

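Review bot: in the replacement DPIA paragraph the ICO guidance now carries an href, but the adjacent phrase "and a template that you can refer to" is still bare text, so the reader is pointed at a template they cannot reach from this page; either link the template alongside the guidance or drop the mention. Two smaller points in the same paragraph: "a short high level DPIA" reads better as "a short, high-level DPIA", and "a plan or confirmation that mitigation has been put in place" should be separated from the preceding semicolon list with "; and" so the final item parses as part of the list. The anchor-quote fix in the Article 5 sentence (the old line closed the href with `principles/>` and swallowed "(Article 5 of GDPR)" into the link text) is correct and the new placement of the parenthetical outside the anchor is the right call.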
2 changes: 1 addition & 1 deletion package-lock.json


0 comments on commit b2966b1
