The HIU Programme requires the Provider to work autonomously with the HIU cohort, otherwise efficiency and responsiveness is lost, and therefore impact for people.
As Data Controllers for the service, it is recommended that each Trust should complete a Data Protection Impact Assessment (DPIA) before entering into an agreement with a third party for the undertaking of the HIU Programme to consider the potential risks around the processing of personal data for this purpose.
Please see the Information Commissioners guidance on DPIAs (Data Protection Impact Assessments (DPIAs) | ICO)
Any arrangements with third parties for the processing of personal data (as a data processor to a Trust) in relation to the HIU programme should be underpinned by appropriate contractual controls outlining the responsibilities and liabilities of both parties.
Please see the Information Commissioners guidance on contracts (Contracts | ICO)