Concerns Regarding Privacy And Data Protection Within The High Intensity Network (HIN) And Serenity Integrated Mentoring (SIM)

Serenity Integrated Mentoring (SIM) and interventions associated with the High Intensity Network (HIN) are being rolled out at pace and scale across NHS England.  As we outlined in our preliminary coalition consensus statement, dated 21/04/21, SIM’s key intervention components include a co-ordinated withholding of potentially lifesaving treatment by multiple agencies (A&E, mental health, ambulance and police services)[1], and using SIM’s own words, the “coercive”[2] approach of a police officer as an interventionist.  

Following our previous statement dated 22/04/21 in relation to SIM’s evidence base, this statement will outline our concerns regarding HIN and SIM’s handling, processing and sharing[3] of service users’ personal information. We do not believe SIM is operating within General Data Protection Regulations (GDPR) as implemented in the UK in the Data Protection Act (2018)[4]. These concerns have been formally reported to the Information Commissioner’s Office (ICO).

Taking a multi-agency approach to treating ‘high intensity users’, SIM purports to improve clinical outcomes[5] through an integrated approach and consistency across agencies[6]. These multi agency teams include NHS mental health services, police departments and ambulance services[7,8]. HIN assert that sharing personal information (including medical records, police records, and the ‘special characteristics’ of the individual) within multi-agency teams and across a wider network of high intensity services across the country is integral to the design, implementation and regulation of SIM[9,10,11]. SIM police officers have access to patient’s medical records as well as being able to share information from police records with clinical teams[12,13].

Article 9 of the UK GDPR contains a special category of personal data which concerns health[14], also referred to as sensitive data. This article places strict requirements on organisations relating to the processing of health data, such as that being accessed by SIM police officers, and prohibits its processing except in very specific circumstances[15]. SIM relies on a provision that allows processing where it is considered necessary to protect the “vital interests” of the person (i.e. protecting the individual’s life)[16]. This only applies where the individual is unable to give consent[17]. We strongly believe that SIM’s reliance on this provision to justify processing of sensitive health information is inappropriate and likely unlawful, as we will discuss in detail below. 

Data protection within SIM services 

SIM, and equivalent services operating under alternative names, are required to have Data Protection Impact Assessments and Privacy Impact Assessments[18,19] in compliance with UK GDPR (Article 35)[21,21]. These documents outline the ways in which services implement the SIM model record and process service users’ personal information and the legal basis for this. It is important to note that there are inconsistencies between information and training resources provided by HIN and information provided by  the NHS trusts implementing the SIM model. This statement refers to data protection and privacy documents from Camden and Islington NHS Foundation Trust and SIM London (A collaboration between the following organisations: Oxleas NHS Foundation Trust; South London and Maudsley NHS Foundation Trust; Camden and Islington NHS Foundation Trust; South West London and St George’s Mental Health NHS Trust; The Metropolitan Police; and The London Ambulance Service)[22]. These documents are in the public domain; policies from other NHS trusts are not publically available and we will be making further Freedom of Information requests to acquire these.

These documents indicate SIM processes the following information:

Information held[23]

  • Personal information: name, date of birth, age, gender, address, postcode, NHS number
  • Sensitive information: racial or ethnic origin, religion, physical or mental health condition, criminal justice information, clinical information, financial information, sexual orientation, gender reassignment, marital status, pregnancy, GP
  • Patient’s ‘Care and Response’ plan 

Information shared[24]

  • Personal details of high intensity service users 
  • Person identifiable information: emergency department attendances, Mental Health Act assessments, hospital admissions, ambulance deployment, police incidents and Section 136 detentions (the power to detain an individual who is mentally unwell and a risk to themselves or others in a public place[25]).
  • Patient’s ‘Care and Response’ plan 

Where and when this information is processed[26]

  • To monitor the outcomes for individuals 
  • To monitor the impact of the program 

Whilst some HIN services seek explicit consent from service users for their information to be shared[27], the HIN website asserts that the personal information of ‘high intensity users’ can be shared without their consent[28]. Under UK GDPR, personal information can be disclosed if doing so is in the person’s ‘vital interests’[29]. This is extremely limited in scope and is only to be used in extreme situations such as matters of ‘life and death’, where this is the least restrictive option and the person is unable to give their consent[30]. SIM data protection and privacy assessments (Camden and Islington NHS Foundation Trust[31] and SIM London[32]) outline the use of ‘vital interests’ as the lawful basis for information sharing within the service, relying on article 6(1)(d) and 9(c) [33,34,35]. These are outlined as follows:

Article 6(1)(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;[36]

Article 9(c)processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;[37]

Recital 46 “The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…”[38]

SIM relies on the ‘vital interests’ clauses for service user’s personal information to be shared between agencies. However this is not limited to an individual crisis situation to protect the vital interests of the data subject but being  applied on an ongoing basis under the assertion that “these service users are at high risk at all time, especially when they are ‘under the radar’” (SIM London Privacy Impact Assessment)[39]. This claim is echoed in a number of HIN training and promotional resources[40,41,42]. The SIM London Operational Delivery Guide documents “it is our strong argument that all agencies involved in the network can share personal data and clinical data about the service users at any time”[43]. We are of the opinion that this statement is overly broad in scope and is not aligned with the intended use of the vital interests clause as set out in the legislation.

Furthermore, the SIM London operational delivery guide also states “this model of care is applied when the service users are NOT in crisis”[44]. Where this is the case, we do not believe this constitutes an appropriate, proportional or legal use of the ‘vital interests’ article. This appears to contradict the assertion used by SIM to justify use of the ‘vital interests article’ that “these service users are at high risk at all time”[45].

An example of a situation where this data sharing may occur is illustrated in the a day in the life of a SIM officer document[46]. An officer uses a police database to search for a patient’s personal records. They find information relating to abuse this patient experienced as a child and share this with the patient’s consultant on the basis it would be important for establishing a diagnosis of emotionally unstable personality disorder (EUPD) for the patient. In this example, this personal information is shared without the patient’s consent or knowledge. This is not lawful, appropriate or necessary.

Furthermore, SIM uses individual’s personal information and data (including the number of ambulance deployments, detentions under the Mental Health Act and police incidents) to identify potential service users for the intervention[47,48]. Access is justified under ‘vital interests’[49,50]. although we understand at the time of accessing that information, the SIM team member would have no way of reasonably knowing the mental state or current risk presented by the individual. It is our firm believe, processing information in such a way is a breach of UK GDPR.

Our concerns regarding data protection and privacy within SIM is outlined as follows:

  • SIM explicitly states service users “are NOT in crisis”[51]. To our knowledge, where this is the case it is unlawful to rely on ‘vital interests’ clause as patients cannot be said to be consistently at sufficient risk to warrant this exceptional criteria being used.
  • We believe this is an inappropriate use of ‘vital interests’ as this should not be used on a continuous basis since it is not possible for an officer to assess the individual’s level of risk while not in contact with the individual. 
  • We do not believe information sharing within the SIM model is the ‘least restrictive option’ as is required to lawfully justify the use of ‘vital interests’[52]
  • We are concerned that ‘vital interests’ is relied upon to share data far beyond what is essential to share in a ‘life or death’ situation. 
  • Our view is that having this level of highly sensitive information being shared without a person’s consent is not necessary, proportional and constitutes an infringement on the person’s right to privacy. 
  • We are deeply concerned at the level of surveillance and monitoring of vulnerable people and do not believe this is in their best interests, rather this is a breach of an individual’s right to privacy.

Digital Case Management Portal

HIN have launched a digital case management portal which is a database which stores information on each service user under SIM, or related services operating under alternative names[53]. This allows teams across the country, as well as HIN management, to access any service user’s information at any time[54]; view “highly accurate cost graphs for each patient”[55]; or search for service users across the country by search for “specific crisis behaviours”[56]. It appears this database contains personal information about service users who are under SIM as well as those who have been considered but assessed as not suitable for the service, or those who have been discharged from SIM[57]. We are concerned this is an inappropriate disclosure of personal information about individuals to be accessible even those who are not currently under the SIM service. 

There is limited public access to information regarding the Digital Case Management Portal, a video training resource[58] has recently been removed from public access. However we remain extremely concerned about the possible expansion of this database as it is our strong belief this is storing and processing service user’s personal information in a way which breaches UK GDPR and presents a significant data protection risk for these vulnerable individuals. 

Identifiable information used online and for training materials

We are aware of numerous incidences of patient’s personal information being shared in HIN training materials, webinars and reports[59,60]. Although individual names are not visible, or patients have been given pseudonyms[61], this information remains indirectly identifiable[62]. According to GDPR any information which is directly or indirectly identifiable must be treated as personal information[63,64]. Therefore, we believe, HIN’s continued sharing of service user’s personal information in resources and training materials constitutes an inappropriate disclosure of personal data and is in breach of GDPR. 

We call for all identifiable or indirectly identifiable patient information to be immediately removed from HIN and SIM promotional and training resources, in line with GDPR.

We remain extremely concerned about the data held by SIM teams (in most cases the most sensitive category of data under GDPR legislation) and the manner in which this is being processed. This statement has been forwarded to the Information Commissioner’s Office (ICO) in addition to a complaint that we previously raised. We expect HIN will respond and cooperate as required with this investigation.  

We will provide further statements in relation to evidence as necessary. We continue to analyse and collate information relating to SIM and HIN’s privacy and data protection policies. 

In solidarity,

The #StopSim Coalition

Copied to:
Information Commissioner’s Office (ICO), Sir Simon Stevens, CEO – NHS England, Lord David Prior, Chair – NHS England, Claire Murdoch, National Mental Health Director – NHS England, Martin Hewitt, Chair – National Police Chiefs’ Council, Sir Tom Winsor, Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Service.

References:

  1.  SIM and High Intensity Network Business Case [Internet], p. 7. Available from https://highintensitynetwork.org/img/resources/SIM_and_High_Intensity_Network_-_Business_Case_(Commissioner)_v4.docx [accessed 25 April 2021].
  2.  Paul Jennings. What is SIM and the High Intensity Network? [Internet]. 2019 Mar 26; Daresbury Park Hotel. Slide 30 of 65. Available from: https://www.slideshare.net/InnovationNWC/paul-jennings-high-intensity-network-sim [accessed 25 April 2021].
  3. StopSIM Coalition. StopSIM Coalition Statement 22/04/21: Concerns about the evidence base relating to the High Intensity Network (HIN) and Serenity Integrated Mentoring (SIM) [Internet]. 2021. Available from: https://www.stopsim.co.uk/ 
  4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Internet]. Available from: https://www.legislation.gov.uk/eur/2016/679/chapter/IV/section/3 
  5.  Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  6. High Intensity Network home page [Internet]. https://highintensitynetwork.org [accessed 25 April 2021].
  7. SIM and High Intensity Network Business Case [Internet], p. 7. Available from https://highintensitynetwork.org/img/resources/SIM_and_High_Intensity_Network_-_Business_Case_(Commissioner)_v4.docx [accessed 25 April 2021]. 
  8. High Intensity Network home page [Internet]. https://highintensitynetwork.org [accessed 25 April 2021].
  9. High Intensity Network home page [Internet]. https://highintensitynetwork.org [accessed 25 April 2021].
  10.  High Intensity Network. The Training [Internet]. https://highintensitynetwork.org/the-training [accessed 25 April 2021].
  11.  Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  12.  ‘A Day in the Life of a High Intensity Police Officer’ [Internet]. High Intensity Network. Available from: https://highintensitynetwork.org/resources [accessed 25 April 2021].
  13. SIM and High Intensity Network Business Case [Internet], p. 5. Available from https://highintensitynetwork.org/img/resources/SIM_and_High_Intensity_Network_-_Business_Case_(Commissioner)_v4.docx [accessed 25 April 2021]. 
  14. Official Journal of the European Union L 119, 4.5.2016, p. 38. Article 9, paragraph 2(c). Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN#page=38 [accessed 25 April].
  15. Sensitive data and medical confidentiality [Internet]. University of Groningen. Available from: https://www.futurelearn.com/info/courses/protecting-health-data/0/steps/39608 [accessed 25 April 2021].
  16. Vital Interests. Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/ [accessed 25 April 2021].
  17. Vital Interests. Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/ [accessed 25 April 2021].
  18. from:https://www.england.nhs.uk/wp-content/uploads/2018/10/privacy-impact-assessment-sample.docx [accessed 25 April 2021].
  19. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  20. Data Protection Impact Assessments.  Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ [accessed 25 April 2021].
  21. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Internet]. Available from: https://www.legislation.gov.uk/eur/2016/679/chapter/IV/section/3 
  22. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  23. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  24.  Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  25. Mental Health Act 1983 [Internet]. UK Public General Acts. 1983 c. 20. Part X. Miscellaneous provisions. Section 136. Available from: https://www.legislation.gov.uk/ukpga/1983/20/section/136 [accessed 25 April 2021]. 
  26. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  27. Setting up a High Intensity Use service: An NHS Rightcare resource pack. 2017, updated 2021. Available from: https://www.england.nhs.uk/wp-content/uploads/2019/07/setting-up-a-high-intensity-user-service-march-2021.pdf [accessed 25 April 2021].
  28. High Intensity Network. Frequently asked questions [Internet]. Q. Can SIM teams share information about a service user, even if the service user refuses consent to share? Available from: https://highintensitynetwork.org/faqs [accessed 25 April 2021]. 
  29. Vital Interests. Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/ [accessed 25 April 2021].
  30. Vital Interests. Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/ [accessed 25 April 2021].
  31. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  32. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  33. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  34. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  35. SIM London: South London and  & Maudsley NHS Foundation Trust Operational Delivery Guide [Internet]. 2018. Section 9(48). ‘Vital Interests of the Data Subject’. Available from:https://healthinnovationnetwork.com/wp-content/uploads/2018/06/SIM-Operational-Delivery-Guide.docx [accessed 25 April 2021].
  36. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Internet]. Article 6. Available from: https://www.legislation.gov.uk/eur/2016/679/article/6 [accessed 25 April 2021].
  37. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Internet]. Article 9.  Available from: https://www.legislation.gov.uk/eur/2016/679/article/9 [accessed 25 April 2021]. 
  38. Recital 46. ActiveMind Legal [Internet]. Available from: https://www.activemind.legal/legislation/gdpr/recital-46/ [accessed 25 April 2021].
  39. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  40. High Intensity Network. Frequently asked questions [Internet]. Q. Can SIM teams share information about a service user, even if the service user refuses consent to share? Available from: https://highintensitynetwork.org/faqs [accessed 25 April 2021].
  41. SIM London Service User Leaflet [Internet]. Available from:  https://highintensitynetwork.org/img/resources/SIM_London_Service_User_Leaflet.pdf
  42. SIM and High Intensity Network Business Case [Internet], p. 5. Available from https://highintensitynetwork.org/img/resources/SIM_and_High_Intensity_Network_-_Business_Case_(Commissioner)_v4.docx [accessed 25 April 2021]. 
  43. SIM London: South London and  & Maudsley NHS Foundation Trust Operational Delivery Guide [Internet]. 2018. Section 9(48). ‘Never Out of Crisis?’. Available from:https://healthinnovationnetwork.com/wp-content/uploads/2018/06/SIM-Operational-Delivery-Guide.docx [accessed 25 April 2021].
  44. SIM London: South London and  & Maudsley NHS Foundation Trust Operational Delivery Guide [Internet]. 2018. Section 7(30). ‘Where to locate your High Intensity Teams’. Available from:https://healthinnovationnetwork.com/wp-content/uploads/2018/06/SIM-Operational-Delivery-Guide.docx [accessed 25 April 2021].
  45. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  46. ‘A Day in the Life of a High Intensity Police Officer’ [Internet]. High Intensity Network. Available from: https://highintensitynetwork.org/resources [accessed 25 April 2021].
  47. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  48. SIM London: South London and  & Maudsley NHS Foundation Trust Operational Delivery Guide [Internet]. 2018. Section 6(18). ‘Identification and prioritisation of High Intensity Cases’. See also Sections 7(30) and 7(32). Available from:https://healthinnovationnetwork.com/wp-content/uploads/2018/06/SIM-Operational-Delivery-Guide.docx [accessed 25 April 2021]
  49. Privacy Impact Assessment – SIM London Implementation [Internet]. 2018. Available from: https://healthinnovationnetwork.com/wp-content/uploads/2018/06/Privacy-Impact-Assessment.pdf [accessed 25 April 2021].
  50. SIM London: South London and  & Maudsley NHS Foundation Trust Operational Delivery Guide [Internet]. 2018. Section Section 9(48). ‘Vital Interests of the Data Subject’. Available from:https://healthinnovationnetwork.com/wp-content/uploads/2018/06/SIM-Operational-Delivery-Guide.docx [accessed 25 April 2021]
  51. SIM London: South London and  & Maudsley NHS Foundation Trust Operational Delivery Guide [Internet]. 2018. Section 7(30). ‘Where to locate your High Intensity Teams’. Available from:https://healthinnovationnetwork.com/wp-content/uploads/2018/06/SIM-Operational-Delivery-Guide.docx [accessed 25 April 2021].
  52.  Vital Interests. Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests/ [accessed 25 April 2021].
  53. High Intensity Network. The Training [Internet]. https://highintensitynetwork.org/the-training [accessed 25 April 2021].
  54. High Intensity Network. World Mental Health Day 2020 [Internet]. 2020 [accessed 19 April 2021, deleted and archived].  Previously available at:  https://vimeo.com/466844237
  55. High Intensity Network. The Training [Internet]. https://highintensitynetwork.org/the-training [accessed 25 April 2021].
  56. High Intensity Network. The Training [Internet]. https://highintensitynetwork.org/the-training [accessed 25 April 2021].
  57. High Intensity Network. World Mental Health Day 2020 [Internet]. 2020 [accessed 19 April 2021, deleted and archived]. Previously available at:  https://vimeo.com/466844237
  58. High Intensity Network. World Mental Health Day 2020 [Internet]. 2020 [accessed 19 April 2021, deleted and archived]. Previously available at:  https://vimeo.com/466844237
  59. High Intensity Network. World Mental Health Day 2020 [Internet]. 2020 [accessed 19 April 2021, deleted and archived]. Previously available at:  https://vimeo.com/466844237
  60. High Intensity Network. The Training [Internet]. https://highintensitynetwork.org/the-training [accessed 25 April 2021].
  61. ‘What is Personal Data? Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data [accessed 25 April 2021]. 
  62. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Internet]. Available from: https://www.legislation.gov.uk/eur/2016/679/article/2 [accessed 25 April 2021].
  63. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [Internet]. Available from: https://www.legislation.gov.uk/eur/2016/679/article/4 
  64. ‘What is Personal Data? Information Commissioner’s Office (ICO) [Internet]. Available from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data [accessed 25 April 2021].