Privacy notice

by Dafydd Loughran, Chief Executive Officer
June 2020

Concentric has been developed whilst following best practice data security and privacy principles. This privacy notice sets out why and how personal information is processed, how long data is stored, and patients’ rights with regard to this processing.

What types of personal data are processed?

Data is entered into the Concentric digital consent application in order to share information with patients about proposed treatments, and to document consent to treatment.

The following personal data is processed: title, given name, family name, date of birth, gender, patient identification number (e.g. NHS number) and email address. This data is required for clinical safety purposes, as (with the exception of email address) it needs to be displayed on-screen during all clinical interactions. It is best practice to share consent information with patients, and therefore an email address is stored to allow communication of the consultation.

The following special category data, i.e. data relating to health, is also processed: name of treatment, indication and purpose of treatment, alternatives and risks discussed, and name and job title of clinicians who have been involved in providing care. This information is required as it is documented on the consent form.

What is the lawful basis for processing?

Under the General Data Protection Regulation (GDPR), organisations can only process personal data if there is a lawful basis for doing so. Where Concentric is used, the healthcare organisation (e.g. NHS Trust) is the data controller, and Concentric Health is the data processor for the healthcare organisation.

The legal basis for processing is that of ‘direct care’. Healthcare organisations have a requirement to receive and record procedural consent as part of providing care. The contract between the healthcare organisation and Concentric Health to deliver a digital consent platform provides Concentric Health’s ‘direct care’ legal basis for processing.

How is data processed?

Concentric Health uses Google Cloud Platform (GCP) for all hosting and data processing, within a data centre in the European Economic Area (EEA). GCP is compliant with all healthcare information governance requirements.

How is data protected?

All data is protected following industry best practice with regard to access controls and encryption.

Healthcare organisations manage clinicians’ access, and password strength rules are enforced. Patients are sent an email with a unique link, and enter their date of birth in order to verify their identity.

All data is stored using leading encryption methods and is transferred securely.

For how long is data stored?

All data relating to consent episodes is stored for a number of years as dictated by the individual healthcare organisation as the data controller. In line with best practice, this will usually be between 8 and 25 years. After the agreed number of years, the data is reduced to a stub record containing patient details, procedure name, date, and responsible clinician.

If the healthcare organisation ceases to be a Concentric Health client, all data relating to patients of that healthcare organisation is returned to them as the data controller, and is then deleted or anonymised.

How are data subject rights met?

Under the GDPR, individuals have data subject rights, which are met as follows:

Right to be informed: This privacy notice states what data is collected, how it is used, whether it is shared, and how long it is kept.

Right of access: To access all the information that Concentric Health has which relates to you, a request should be made to your healthcare organisation as the data controller.

Right to rectification: If you note any information that is inaccurate or incomplete you can make a request to your healthcare organisation that this is changed.

Right to erasure: This does not apply as data is for the provision of health care.

Right to restrict processing: If you wish to make a request to restrict the processing of your data, you can make a request to your healthcare organisation that this is actioned.

Right to data portability: If you wish your personal data to be transmitted, you can make a request to your healthcare organisation that this is actioned.

Automated decision making and profiling: No automated decision making or profiling is done based on your data.

How to contact Concentric Health?

You can contact Concentric Health by email (support@concentric.health) or by phone (+44 2920 103090).

Company name: Surgical Consent Ltd (trading as Concentric Health). Registration number: 10733991. Address: Unit 1.1, Tramshed Tech, Pendyris Street, Cardiff, CF11 6BH

How to contact your healthcare organisation?

Should you have any queries regarding anything described in this privacy notice and would like to contact your healthcare organisation you can request the relevant contact details by emailing support@concentric.health.