Data processing

Types of data processed

The healthcare organisation is the data controller, and Concentric Health is the data processor.

Patient personal data used:

  • Title, given name(s), and family name
  • Date of birth
  • Gender
  • Hospital number and/or NHS number
  • Email and/or mobile number

These may be provided by the healthcare organisation via integration, or entered manually by the clinician.

Justification: For clinical safety reasons this data (except contact details) must be displayed on-screen during all clinician interactions with a patient’s records, and also appears on the patient’s consent form. Since this information forms part of a consent record, it must be stored according to the same retention schedule as those records. Best practice states that patients are given a copy of their consent form, and therefore contact details are stored to allow communication of the consent interaction and outcome data collection.

For all consent episodes discussed (which may or may not have resulted in surgical consent being given), the following special category data (all relating to the patient’s health) is used:

  • The treatment (A)
  • The responsible clinician (A)
  • The consent episode (B)
  • Other treatment options discussed (B)
  • The medical diagnosis which led to this procedure (A)
  • The intended purpose of the procedure (A)
  • The risks which the patient has been informed of (A)
  • Free text notes added by the clinician (B)
  • External resources shared (B)

Justification: Data marked (A) is a requirement for the consent form as per Department of Health guidelines, and thus must be maintained. In order to fully understand the context in which consent was discussed and taken, data marked (B) is also stored. In combination data (A) and (B) are cryptographically linked to the state of a consent episode at all points in time.

Clinician personal data used:

  • Name
  • Job title
  • GMC number (optional)
  • Email address

Justification: As part of the audit trail of the application, all activity is tied to the identity of the logged in user, and in some cases is shown to other users of the system (for example the name of the clinician taking confirmation of consent). The clinician’s email address, where applicable, is used for login, and to support use cases such as password reset, but is not disclosed to patients or other users.

The legal basis for processing is that of ‘direct care’. The healthcare organisation has a requirement to take and store procedural consent as part of providing direct care to an individual. The contract between the healthcare organisation and Concentric Health to deliver a digital consent platform will provide Concentric Health’s ‘direct care’ legal basis for processing.

Third party processors

The following third party processors are used, with which Concentric Health have agreed data processing and security terms:

Google Cloud Platform

Concentric’s cloud environment - the applications and internal services, and databases - is hosted on Google Cloud Platform (GCP). Further details regarding infrastructure can be seen in our hosting and network diagram.

Different deployments are used globally depending on the country of the healthcare organisations. For example, UK-based data centres are used for UK-based healthcare organisations. GCP enters data processing and security terms with Concentric Health with regards to appropriate and contracted sub-processing of data.

Details regarding GCPs compliance with GDPR requirements are outlined on their Google Cloud & the General Data Protection Regulation (GDPR) page. Our use of GCP does not involve cross-border transfers. Of note for UK-based organisations, GCP are compliant with NHS information governance requirements.

Postmark

Postmark, an ActiveCampaign product, provides an email sending service, used to send emails containing personal data but no special category data, to clinicians and patients.

Terms of service, which incorporate a Data Processing Addendum (DPA) with Standard Contractual Clauses (SCC) apply to Concentric Health’s use of Postmark services.

Details regarding Postmark’s compliance with GDPR requirements are outlined in their EU privacy resource. Our use of Postmark does involve cross-border transfer of data to the US – ActiveCampaign are certified under the ‘EU-U.S. Data Privacy Framework’ and ‘UK extension to the EU-US Data Privacy Framework’ and are therefore covered by ‘adequacy regulations’ (Article 45 GDPR) with no requirement for a transfer risk assessment. ActiveCampaign’s certification can be viewed on the International Trade Administration’s Data Privacy Framework list.

Twilio

Twilio, a Twilio Inc. product, provides an SMS sending service, used to send SMSs containing personal data but no special category data to patients.

Terms of service, which incorporate a Data Protection Addendum and Binding Corporate Rules apply to Concentric Health’s use of Twilio services.

Details regarding Twilio’s compliance with GDPR requirements are outlined in their ‘Twilio & the General Data Protection Regulation (GDPR)’ resource. Our use of Twilio does involve cross-border transfer of data to the US and EU. All cross-border transfers are covered by ‘adequacy regulations’ (Article 45 GDPR) with no requirement for a transfer risk assessment. With regard to cross-border data transfer to the US, Twilio Inc. are certified under the ‘EU-U.S. Data Privacy Framework’ and ‘UK extension to the EU-US Data Privacy Framework’ - this certification can be viewed on the International Trade Administration’s Data Privacy Framework list.

Transparency and user rights

The platform has been designed to meet the GDPR individual rights requirements by design, as requested by the data controller.

A data processing notice can be provided as part of the consent interaction with the patient. Service access requests, rectification requests, processing freeze requests, and data portability requests can be met by design.

National data opt-out

The use or disclosure of data is considered out of scope of the National data opt-out for the following reasons:

  • The national data opt-out policy does not apply to uses of information for individual patient care. For example; creation of a consent episode; sharing of interaction information to the patient; sharing completed documentation into the medical record.
  • The opt-out for research and planning purposes only applies to confidential patient information - data that includes both:
    • information that identifies or could be used to identify the patient, and
    • information about their health, care or treatment

No other use of data by Concentric Health, that falls outside use for individual patient care, meets both these conditions.

Further details regarding the National data opt-out can be found here: https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out

Testing considerations

All data used during application development and testing is synthetic.

Further reading

Information security

Details on the data flows, who can access the data, audit logs, hosting, data security, retention and disposal, and our security accreditations.

Read

Data protection impact assessment (DPIA) template

A DPIA template for use by organisations deploying Concentric.

Read