Skip to content
savvi-logo-colour
SAVVI
Welcome
The SAVVI Declaration
About SAVVI
The Process
Standards
Catalogue
Case Studies
Videos
News
Getting Involved
Resources
More
Share
Explore
The Process

icon picker
Find

Where the
@Lead Organisation
builds a
@Risk Index
using data provided from various
@Source Organisations
.

Building a Risk Index

The
@Lead Organisation
will need a data store to contain vulnerability attribute data, and to run a risk scoring algorithm.
We heard of a number of approaches that councils took to creating a Risk Index. SAVVI recommends some of the data structures that could be used, and the
SAVVI Catalogue
contains examples from councils.
As
@Vulnerability Attribute
data is received, it will be loaded into the
@Risk Index
.

Information Governance for the Risk Index

The
@Risk Index
is a new dataset containing personal information, so there are some routine Information Governance steps to complete.
The
@Lead Organisation
should
add the
@Risk Index
to its
Information Asset Register
perform a
Data Protection Impact Assessment
and apply any mitigation actions to reduce risk
add the
@Risk Index
to its
Record of Processing Activities
(RoPA)

Although these are not different to any other data handling scenario, SAVVI has some advice about the steps to take, and points to guidance from authoritative sources such as the Information Commissioners Office (ICO). The
SAVVI Catalogue
contains some examples.

Data Matching

Data in the Risk-Index can be matched by
@Residence
@Person
SAVVI gives
advice on how to do data matching in a Risk Index.
Data that cannot be matched could be listed so that it can be manually cleansed and linked.

Pseudonymisation

The SAVVI Process supports optional pseudonymisation steps prior to building the
@Risk Index
. This can be useful if
@Source Organisations
won’t share person-identifiable data until it has been established that a
@Household
is vulnerable.
SAVVI provides
guidance on how attribute data can be pseudonymised at the household level,
and then later re-identified for those households that are found to be vulnerable.

Finding At-Risk Groups

Some business logic is run over the
@Risk Index
to apply the rules from the
@Risk Stratification Policy
to generate
@Risk Categories
.
The
SAVVI Catalogue
contains examples where Local Authorities have generated Categories from a Risk Index.

Marking entries that are already being managed

In some cases, the
@Lead Organisation
may be aware that another organisation is already leading to support a person. For example, throughout the COVID19 pandemic, the NHS Shielding List listed people who were clinically at risk, and they led the contact strategy to find out their needs due to isolation during the lock-down.
Marking these cases on the Risk Index will avoid people being contacted unnecessarily, whilst still being able to report on how they are being supported.

Building a Case Index

For each entry on the
@Risk Index
that fall into a
@Risk Category
, the
@Lead Organisation
can raise a
@Case
so that needs can be assessed, and assistance offered where applicable.
The information that is recorded on a
@Case
does not bring forward any of the
@Vulnerability Attributes
from the
@Risk Index
, but does contain the
@Risk Category
and sufficient information to identify the
@Person
or
@Household
.
@Cases
build into a
@Case Index
, parts of which can be shared with other organisations.

Information Governance for the Case Index

The
@Case Index
is a new dataset containing personal information, so there are some routine Information Governance steps to complete.
The
@Lead Organisation
should
add the
@Case Index
to its
Information Asset Register
perform a
Data Protection Impact Assessment
and apply any mitigation actions to reduce risk
add the
@Case Index
to its
Record of Processing Activities
(RoPA)
set up a
Data Sharing Agreement
with the organisations that it intends to share parts of the Case Index with.

Although these are not different to any other data handling scenario, SAVVI has some advice about the steps to take, and points to guidance from authoritative sources such as the Information Commissioners Office (ICO). The
SAVVI Catalogue
contains some examples.

Next Page: Assess
Building a Risk Index
Information Governance for the Risk Index
Data Matching
Pseudonymisation
Finding At-Risk Groups
Marking entries that are already being managed
Building a Case Index
Information Governance for the Case Index
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.