Offboarding plan

This page describes the process for offboarding from the Concentric digital consent application, including the operational, data governance, and technical considerations.

Triggers

The offboarding plan applies when a large organisation:

a) States an intention to offboard by a given date at or before contract end,
b) Is four weeks before the end of a contract for services, with no confirmed plan to renew, or
c) Has given notice to terminate the contract prematurely (30-day notice usually applies).

Governance

An exit plan is created shortly after offboarding is triggered, based on the principles outlined in this document, detailing activities, responsibilities, dependencies, and timeframes. Communication is managed primarily via email between the key contact for each party, supplemented by offboarding calls as required.

Offboarding steps

We describe two phases of offboarding: a ‘preparation and communication’ phase, and an ‘operational transition’ phase. As a digital consent application, two key considerations guide the appropriate approach to offboarding:

  • The consent process involves multiple steps, often spread across different dates, and relates to a critical step in the clinical workflow. For these reasons, an operational transition phase is advised, differing from other systems where a ‘turn-off’ date may be preferred.
  • Documentation of the consent process may be needed for medicolegal purposes, potentially years following the clinical interaction. For this reason, maintaining full access to the consent episode details and audit trail is recommended even after a healthcare organisation stops using Concentric as an active clinical system. The options are outlined in the ‘data retention approach’ section below.

Preparation and communication

This phase starts at a trigger point (as defined above). It involves the collaborative preparation of the exit plan, usually with representation from clinical leadership, information governance, contracts, and technical. The exit plan details the agreed process, approaches and key dates. Once agreed, the exit plan is communicated to the relevant stakeholders and staff.

Ideally, six weeks is allowed for this phase to allow appropriate communication of the plan and discussion with each clinical team regarding the change to the clinical workflow. In trigger scenarios ‘b’ and ‘c’, this phase may need to be completed in 2 weeks.

Operational transition

Following communication of the plan, the operational transition phase involves moving away from using Concentric as the default mechanism for recording consent and transitioning to the replacement process.

Given the two-stage nature of many consent episodes, the recommendation in most scenarios is to stop the creation of new consent episodes within Concentric within this phase, but allow the completion of consent episodes started prior (e.g. confirmation of consent for a consent episode where consent was given remotely prior to the offboarding process starting). This is an operational, not a technical, restriction.

Ideally, six weeks are allowed for this phase to ensure a reasonable number of consent episodes started before the transition period reach completion within Concentric. Depending on the replacement process, it may also be helpful to stagger the transition by specialty or department, to allow appropriate support to be provided to clinical teams. In trigger scenarios ‘b’ and ‘c’, this phase may need to be completed in 2 weeks.

At the end of this phase, access to Concentric becomes read-only for clinicians and patients.

Data retention approach

When a healthcare organisation stops using Concentric as an active clinical system, two data retention approaches are available. A decision on the preferred approach should be reached during the preparation and communication phase.

Option 1: Continued retention under a legacy data processing agreement

We strongly recommend this approach, rather than option 2, for medicolegal and/or evidential reasons.

Under this arrangement:

  • We continue to store the organisation’s data and make it accessible within the Concentric application, in accordance with the same retention principles outlined in the general data retention approach section of our data retention policy, under a legacy data processing agreement.
  • Access becomes read-only for clinicians and patients. Admin users can continue user management, for example, to disable clinician accounts.

This approach:

  • Preserves access to the complete consent record, including lay descriptions and audit trail, at no cost.
  • Supports the transition to a new system or consent process.
  • Maintains patient access to their consent information for as long as the controller retains the record.

Data deletion requests operate exactly as during an active contract, as outlined within the deletion of specific records held in Concentric section of our data retention policy.

Option 2: Secure data return and deletion

Alternatively, the controller may request that we return the data securely and delete the tenant-level data. This option is not recommended due to the operational limitations it imposes and the potential medicolegal and/or evidential implications.

Where a data return and deletion process continues beyond the paid contractual agreement, no additional charge is applied, but an amendment to the data processing agreement covering the requirements and extending the term beyond the stated contractual dates may be required.

This option involves the following:

  1. Secure return of tenant-level data, consisting of:

    • A raw database extract containing the tenant-specific data (including audit trail).

    • Final consent summary PDF for each episode in which a consent event has occurred.

  2. Option for the organisation to manually export and securely retain any other information they wish to maintain access to from within the Concentric user interface, such as consult view’s print stylesheet for each episode.

  3. Following completion of points 1 and 2, permanent deletion of the tenant-level data from our systems and disabling of all accounts.

When considering point 2, please note that the assets returned under point 1 do not themselves replicate what a patient saw in Concentric, nor do they present audit data in a format that is easily understandable to the end user. Instead, it contains the data required to understand each consent episode and to recreate the consent information prepared, if required (e.g., for a complaint or legal case), with our support, under a separate commissioned agreement.

At the point of deletion:

  • We do not retain any copy of the returned data.
  • The controller becomes the sole custodian of the transferred assets.
  • The controller assumes responsibility for any medicolegal and/or evidential implications arising from the deletion of the record from Concentric, as we cannot recreate the record or supply audit information without a separate commissioned agreement.

Please note that naturally expiring backups and logs are not included in the data export and are not deleted as part of this process. Instead, they naturally expire as they do outside of an offboarding scenario. Specifically:

  • Database backups are retained for 28 days, then naturally expire.
  • Application logs, such as API and integration call details, naturally expire at 90 days (these do not contain personal or special-category data)
  • SMS and email delivery logs naturally expire at 45 days (these contain the minimum data required for delivery and do not contain special-category data)

Additional details relating to data retention can be viewed in our data retention policy, including audit logging and communication of deletion events, considerations around notifications to patient users, and definitions of what information is presented within the consent summary PDF, consult view’s print stylesheet, and audit trail.

Integration decommissioning

Technical and integration infrastructure may need to be decommissioned as part of an offboarding process, following the operational transition phase. The approach will depend on the data retention approach and the local integration setup. In many cases, when data retention option 1 is followed, the integration infrastructure remains in place to keep demographic records accurate. In other cases, decommissioning activities may include disabling bespoke integrations and deletion of integration keys and secrets.

Business records

We will retain operational correspondence (e.g., support tickets and email threads) as part of our business records. These records are maintained to meet contractual, legal, audit, and regulatory obligations, including the ability to respond to historic enquiries or complaints. Such correspondence is access-restricted and operated in accordance with our information security policy, and reviewed as part of our Information Asset Register reviews.

Further reading

Data retention policy

Our data retention policy explains the principles followed by Concentric Health relating to retention and deletion of data within Concentric.

Read