We heard of a number of approaches that councils took to creating a Risk Index. SAVVI recommends some of the data structures that could be used, and the

SAVVI Catalogue⁠

contains examples from councils.

@Vulnerability Attribute⁠

data is received, it will be loaded into the

@Risk Index⁠

Information Governance for the Risk Index

The

@Risk Index⁠

is a new dataset containing personal information, so there are some routine Information Governance steps to complete.

The

@Lead Organisation⁠

should

add the

@Risk Index⁠

to its

Information Asset Register⁠

⁠

perform a

Data Protection Impact Assessment⁠

and apply any mitigation actions to reduce risk

add the

@Risk Index⁠

to its

Record of Processing Activities⁠

(RoPA)

Although these are not different to any other data handling scenario, SAVVI has some advice about the steps to take, and points to guidance from authoritative sources such as the Information Commissioners Office (ICO). The

SAVVI Catalogue⁠

contains some examples.

Data Matching

Data in the Risk-Index can be matched by

⁠

@Residence⁠

⁠

@Person⁠

SAVVI gives

advice on how to do data matching in a Risk Index.⁠

⁠

Data that cannot be matched could be listed so that it can be manually cleansed and linked.

Pseudonymisation

The SAVVI Process supports optional pseudonymisation steps prior to building the

@Risk Index⁠

. This can be useful if

@Source Organisations⁠

won’t share person-identifiable data until it has been established that a

@Household⁠

is vulnerable.

SAVVI provides

guidance on how attribute data can be pseudonymised at the household level,⁠

and then later re-identified for those households that are found to be vulnerable.

Finding At-Risk Groups

Some business logic is run over the

@Risk Index⁠

to apply the rules from the

@Risk Stratification Policy⁠

to generate

@Risk Categories⁠

The

SAVVI Catalogue⁠

contains examples where Local Authorities have generated Categories from a Risk Index.

Marking entries that are already being managed

In some cases, the

@Lead Organisation⁠

may be aware that another organisation is already leading to support a person. For example, throughout the COVID19 pandemic, the NHS Shielding List listed people who were clinically at risk, and they led the contact strategy to find out their needs due to isolation during the lock-down.

Marking these cases on the Risk Index will avoid people being contacted unnecessarily, whilst still being able to report on how they are being supported.

Building a Case Index

For each entry on the

@Risk Index⁠

that fall into a

@Risk Category⁠

, the

@Lead Organisation⁠

can raise a

@Case⁠

so that needs can be assessed, and assistance offered where applicable.

The information that is recorded on a

@Case⁠

does not bring forward any of the

@Vulnerability Attributes⁠

from the

@Risk Index⁠

, but does contain the

@Risk Category⁠

and sufficient information to identify the

@Person⁠

@Household⁠

⁠

@Cases⁠

build into a

@Case Index⁠

, parts of which can be shared with other organisations.

Information Governance for the Case Index

The

@Case Index⁠

is a new dataset containing personal information, so there are some routine Information Governance steps to complete.

The

@Lead Organisation⁠

should

add the

@Case Index⁠

to its

Information Asset Register⁠

⁠

perform a

Data Protection Impact Assessment⁠

and apply any mitigation actions to reduce risk

add the

@Case Index⁠

to its

Record of Processing Activities⁠

(RoPA)

set up a

Data Sharing Agreement⁠

with the organisations that it intends to share parts of the Case Index with.

SAVVI Catalogue⁠

contains some examples.

⁠

Next Page: Assess⁠

⁠

Building a Risk Index

Information Governance for the Risk Index

Data Matching

Pseudonymisation

Finding At-Risk Groups

Marking entries that are already being managed

Building a Case Index

Information Governance for the Case Index

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.