Data processing

Types of data processed

The healthcare organisation is the data controller, and Concentric Health is the data processor.

The use of Concentric involves the processing of patient personal data, special category data, and clinician personal data. The healthcare organisation is the source of the patient and clinician personal data, either through manual entry or via integration. Special category data relating to the consent episode is entered by the clinician.

Patient personal data processed:

  • Title, given name(s), and family name
  • Date of birth
  • Gender
  • Hospital number and/or NHS number
  • Email address and/or mobile number

For clinical safety reasons this data (except contact details) must be displayed on-screen during clinician interactions with a patient’s record, and also appears on the consent summary PDF. Contact details are stored to allow the consent information to be shared with the patient digitally.

Special category data (health data) processed:

  • Treatment details including name, laterality, and anaesthetic choices
  • Indication for, and purpose of, treatment
  • Alternative options
  • Risks of treatment
  • Additional resources shared
  • Notes added by a clinician
  • Consent decisions including regarding any additional consents

This information forms the consent record and is required to support the consent process, and subsequently, for medicolegal and evidential purposes.

Clinician personal data processed:

  • Name and job title
  • Email address
  • GMC number (optional)

All activity within Concentric is tied to the logged in user. This is used both to show key information within the user interface, for example, the clinician present when consent was given, and for audit purposes. Recording the email address is required to allow login flows, most commonly as part of the healthcare organisation’s single sign-on (SSO) authentication.

The legal basis for processing is that of ‘direct care’. The healthcare organisation has a requirement to take and store procedural consent as part of providing direct care to an individual. The contract between the healthcare organisation and Concentric Health to deliver a digital consent platform will provide Concentric Health’s ‘direct care’ legal basis for processing.

Third party processors

The following third party processors are used, with which Concentric Health have agreed data processing and security terms:

Google Cloud Platform

Concentric’s cloud environment - the applications and internal services, and databases - is hosted on Google Cloud Platform (GCP). Further details regarding infrastructure can be seen in our hosting and network diagram.

Different deployments are used globally depending on the country of the healthcare organisations. For example, UK-based data centres are used for UK-based healthcare organisations. GCP enters data processing and security terms with Concentric Health with regards to appropriate and contracted sub-processing of data.

Details regarding GCPs compliance with GDPR requirements are outlined on their Google Cloud & the General Data Protection Regulation (GDPR) page. Our use of GCP does not involve cross-border transfers. Of note for UK-based organisations, GCP are compliant with NHS information governance requirements.

Postmark

Postmark, an ActiveCampaign product, provides an email sending service, used to send emails containing personal data but no special category data, to clinicians and patients.

Terms of service, which incorporate a Data Processing Addendum (DPA) with Standard Contractual Clauses (SCC) apply to Concentric Health’s use of Postmark services.

Details regarding Postmark’s compliance with GDPR requirements are outlined in their EU privacy resource. Our use of Postmark does involve cross-border transfer of data to the US – ActiveCampaign are certified under the ‘EU-U.S. Data Privacy Framework’ and ‘UK extension to the EU-US Data Privacy Framework’ and are therefore covered by ‘adequacy regulations’ (Article 45 GDPR) with no requirement for a transfer risk assessment. ActiveCampaign’s certification can be viewed on the International Trade Administration’s Data Privacy Framework list.

Twilio

Twilio, a Twilio Inc. product, provides an SMS sending service, used to send SMSs containing personal data but no special category data to patients.

Terms of service, which incorporate a Data Protection Addendum and Binding Corporate Rules apply to Concentric Health’s use of Twilio services.

Details regarding Twilio’s compliance with GDPR requirements are outlined in their ‘Twilio & the General Data Protection Regulation (GDPR)’ resource. Our use of Twilio does involve cross-border transfer of data to the US and EU. All cross-border transfers are covered by ‘adequacy regulations’ (Article 45 GDPR) with no requirement for a transfer risk assessment. With regard to cross-border data transfer to the US, Twilio Inc. are certified under the ‘EU-U.S. Data Privacy Framework’ and ‘UK extension to the EU-US Data Privacy Framework’ - this certification can be viewed on the International Trade Administration’s Data Privacy Framework list.

Transparency and user rights

The platform has been designed to meet the GDPR individual rights requirements by design, as requested by the data controller.

A data processing notice can be provided as part of the consent interaction with the patient. Service access requests, rectification requests, processing freeze requests, and data portability requests can be met by design.

National data opt-out

The use or disclosure of data is considered out of scope of the National data opt-out for the following reasons:

  • The national data opt-out policy does not apply to uses of information for individual patient care. For example; creation of a consent episode; sharing of interaction information to the patient; sharing completed documentation into the medical record.
  • The opt-out for research and planning purposes only applies to confidential patient information - data that includes both:
    • information that identifies or could be used to identify the patient, and
    • information about their health, care or treatment

No other use of data by Concentric Health, that falls outside use for individual patient care, meets both these conditions.

Further details regarding the National data opt-out can be found here: https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out

Testing considerations

All data used during application development and testing is synthetic.

Further reading

Information security

Details on the data flows, who can access the data, audit logs, hosting, data security, retention and disposal, and our security certifications.

Read

Data protection impact assessment (DPIA) template

This page is a DPIA template that can be used by organisations deploying Concentric to support the development of a local DPIA.

Read