1. Home
  2. Guidance
  3. Office 365
  4. O365 Feature Guidance
  5. Power Platform
  6. Unattended RPA with Power Automate
  7. Unattended RPA Governance and Clinical Safety Considerations
Searching...

Unattended RPA Governance and Clinical Safety Considerations

Contents

Governance pre-requisites for organisations onboarding Unattended RPA for any environment

As a user of unattended RPA, you and your organisation accept the risks associated with deploying unattended processes. Your organisation is responsible for the governance and usage of your local Power Platform environments including information governance, compliance, security and performance optimisation. Additionally, as a member of your organisation, you are responsible for ensuring that all RPA-driven workflows undergo appropriate and information governance related assessments.

Prior to onboarding Unattended RPA, the risks associated with its use must be accepted by your organisation’s Senior Information Risk Officer. Confirmation of this is required prior to onboarding the Power Automate Process licence which is needed for Unattended RPA.

Additionally, your organisation must ensure that you have the appropriate licensing to comply with Microsoft requirements. This is summarised in the unattended RPA licencing guidance.

Important Note: The NHS.net Connect team have assessed the core functionality of Power Automate, ensuring it is secure, reliable and technically sound. However, this does not include assessing the individual workflows or use cases that local organisations implement. Responsibility for these will lie with local organisations.

Clinical Safety Considerations

Unattended RPA is not intended for clinical use in its default configuration and the associated clinical safety activities have NOT been completed by NHS England. Organisations wishing to deploy Unattended RPA-driven workflows in a clinical context must complete the necessary governance and clinical assurance processes, including the production of a DCB0160-compliant Clinical Safety Case Report and Hazard Log.

Global Sensitivity Labels

Sensitivity Labels in Microsoft Purview allow users to manually classify and protect their data, while making sure their productivity and ability to collaborate is not hindered.

Important Note:

We highly recommend your organisation opts into the Global Sensitivity Label Policy before you commit to onboarding any Unattended RPA licences. If you are not already enrolled, your organisation will be automatically enrolled as part of the licence onboarding process.

For further information on Sensitivity Labels and how to enrol, please refer to Sensitivity Labels Guidance.

Information Governance (IG) Considerations

Organisations remain responsible for ensuring that all RPA-driven workflows undergo appropriate Data Protection Impact Assessments (DPIAs) and other IG measures to ensure compliance and protect personal data. The diagram below illustrates how data flows in Power Automate, representing example use cases.

  • Inform IG Team: Ensure that your IG team is informed whenever unattended RPA is used to support workflows involving personally identifiable data.
  • Conduct Local DPIA: Unattended RPA using Power Automate has been included in the NHS.net Connect DPIA . However, each organisation should complete their own DPIA to identify and mitigate potential risks associated with their use of unattended RPA. This assessment should document individuals’ rights and ensure that appropriate safeguards are in place. The deploying organisation should ensure that appropriate governance mechanisms are in place to have all new or updated RPA workflows appropriately assessed by the IG team including the impact of any automated decision-making that may affect individuals. Please refer to the guidance on Information Governance Considerations.
  • Compliant with Legislation: Organisation’s adopting unattended RPA must ensure that workflows which may result in decisions being made about individuals are compliant and align with relevant legislation. For further guidance, refer to the UK General Data Protection Regulation’s (GDPR) stance on automated decision-making and profiling as outlined by the Information Commissioner’s Office (ICO).
  • Implement Environment-Level DLP Policies: For data protection when using unattended RPA, organisations should request an ‘Advanced’ DLP policy for their Power Platform environments, this restricts access to specific connectors and ensures the Desktop Connector is enabled. The requested DLP policy from central Power Platform environment will apply to the requested Power Platform environment for each organisation, ensuring consistent data protection. For more information and guidance on requests (including requests for exceptions) refer to the DLP Policy guidance and Power Platform Connector classification.
  • Data Encryption: Power Automate Desktop secures data both at rest and in transit through a layered security model that combines encryption, access control, and governance policies:
    • At Rest: All data stored by Power Automate—such as logs, metadata, and uploaded files—is encrypted using Azure Blob Storage, Azure SQL, and Azure Table Storage. This ensures that sensitive data is protected even if storage is compromised.
    • In Transit: Data transmitted between systems (e.g. between the desktop agent and cloud services) is encrypted using HTTPS/TLS 1.2 or higher. This includes data flowing through the on-premises data gateway, which is also encrypted.
    • More information is available in the Microsoft documentation on data encryption.
  • Data Residency: Flows created in Power Automate are stored securely within the appropriate geographical boundaries to comply with data residency laws. For the NHS.net Connect, this means data is stored within the UK (in line with the Power Platform environments). For more information, refer to the Regions overview for Power Automate.
  • Adhere to Data Retention Policies: Local organisations must ensure that any data residing in M365, including personal data, is managed according to local information governance policies. Additionally, they must update transparency information to record how this data is captured and stored. Refer to the Data Retention and Information Management Policy guidance for more information. Please note that Power Automate and Power Platform do not retain any data processed during unattended RPA flows. When a Power Platform environment is deleted, flows cannot be recovered, but an environment can be recovered within 7 days.

Power Automate Desktop Flow Monitoring

Important Note: Organisations are responsible for monitoring unattended RPA to ensure that the automation performs tasks as expected. Each specific flow must be reviewed locally to ensure accuracy.

Effective monitoring of unattended RPA flows is essential to ensure safe and efficient delivery. It is essential to have robust monitoring and alerting mechanisms in place. This ensures that users are promptly alerted when flows fail, with sufficient information to facilitate manual workarounds as required. To monitor Power Automate Desktop flows on an environment level, utilise the Desktop Flow Activity page in the Power Automate portal. This provides dashboards, tables, and graphs to track desktop flows, measure effectiveness, and quickly identify issues.

When flows do not work as expected, a list of error codes is available for reference.

Last Reviewed Date 03/10/2025
Updated on 03/10/2025

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top