A data flow mapping exercise is undertaken to document the data that flows in, around, and out of information processing systems or services across the Trust. This has a particular focus on personal data.
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. – UK GDPR
UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018 require us to have full visibility of all data transactions across the Trust. Without an understanding of what personal information is being processed, by whom and where, and who it is being shared with, there is a risk of a data breach happening that is uncontrolled or unseen. Information may be lost, misplaced or processed unlawfully.
A data flow occurs any time information is moved from one party to another. Some examples of a data flow include, but aren’t limited to:
- a face-to-face conversation
- a phone call
- an email
- a large transfer of data to another team
- digital systems that “talk” to each other
If the Trust holds any data, we need to understand:
- Where the data comes from
- Where the data goes to
- Where the data is stored
- Why we hold the data
- What the legal justification is for holding the data
- How the data is protected
- Who has access to the data
Mapping these data flows is critical to protecting personal information managed by the Trust.
The IG Team have developed a single template to record the data flows, but we will need Trust-wide cooperation to ensure we are capturing as many regular data flows as possible.
There is also a presentation that explores data flows and the template in more detail.
Future work will include linking the data flow map with the Information Asset Register to enable the Trust to have full visibility.