I’m currently in the process of data mapping and risk assessing all flows of personal information (as set out in Requirement 208). How can I assess the risk of a particular flow?
The level of risk is normally established by considering the impact of a potential data loss occurring and the likelihood of a loss taking place. One method of risk assessment is detailed in Appendix 7 of the workbook. The likelihood of an incident occurring will differ depending on local circumstances, for example if a trusted member of the pharmacy team has been hand-delivering small numbers of prescriptions to a local GP surgery 100m away for many years and there has never been an incident, this would suggest that the likelihood of a data loss occurring in transit is negligible. The impact of that loss is likely to be moderate (small number of patients affected) therefore the risk is low. In another area, if there have been problems with hand-delivering prescriptions to the surgery, for example problems with the GP surgery reporting they didn’t receive the forms, this would be a higher risk and the pharmacy would have to consider options to mitigate the risk. Note this requirement h
