Privacy notice (UK)

Concentric meets best practices with regard to data security and privacy principles. This privacy notice sets out why and how personal information is processed, who is responsible for how data is processed, and patients’ rights with regard to this processing.

What is Concentric?

Concentric is a digital consent to treatment application which is used by healthcare organisations to share consent information with patients and document consent to treatment. In most cases, this replaces the previous process of paper consent forms within the healthcare organisation. Concentric has been developed by a UK-based company called Concentric Health.

Read our Concentric intro for patients!

Our summary regarding personalised information, engaging with the process, and how data is kept securely.

What types of personal data are processed?

Personal data is processed by the Concentric digital consent application (Concentric) on behalf of the healthcare organisation, to facilitate the consent process (i.e is part of the delivery of direct care).

Personal data is held within Concentric, populated by either manual entry by a clinician or via an integration with another clinical system used by the healthcare organisation. This data, together with clinical information, forms the consent information about a proposed treatment, allows this to be shared with a patient, and allows consent to be documented.

The following personal data is processed: title (optional), given name, family name, date of birth, gender, patient identification number (e.g. NHS/hospital number) and contact details (optional, either or both of email address and mobile phone number). This data is required for clinical safety purposes, as (with the exception of contact details) it needs to be displayed on-screen during all clinical interactions. It is best practice to share consent information with patients, and therefore contact details may be stored to allow communication of the consent information digitally.

The following special category data (i.e. data relating to health) is also processed: name of treatment, indication and purpose of treatment, alternatives, anaesthetic options, risks discussed, clinician notes, external resources shared, and name and job title of clinicians who have been involved in providing care. This information is required as it forms part of the record of consent.

What is the lawful basis for processing?

Under the Data Protection Act 2018 (the UK’s implementation of the General Data Protection Regulation, or GDPR), organisations can only process personal data if there is a lawful basis for doing so. Whether there is a legal basis for processing personal data is determined by the data controller, and a data processor may act on behalf of the data controller with regard to that data processing. Where data processing involves health data, the completion of a DPIA (Data Protection Impact Assessment) should be considered by the data controller prior to clinical use, assessing and either approving or blocking the proposed data processing.

Where Concentric is used, the healthcare organisation (e.g NHS Trust) is the data controller, and Concentric Health is the data processor for the healthcare organisation.

The legal basis for processing is dependent on the healthcare organisation. Details regarding the legal basis in a specific circumstance can be requested from the healthcare organisation, or by contacting Concentric Health (see below for contact details). In most cases, the following apply:

Public sector healthcare organisations:

  • Art.6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Art.9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Private sector healthcare organisations:

  • Art.6(1)(b) - processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Art.9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

In all cases, there will be a contract between the healthcare organisation and Concentric Health, which outlines the data processing agreement between the two parties.

How is data processed?

Concentric Health uses the following sub-processors in order to deliver the functionality of the Concentric digital consent application:

  • Google Cloud Platform
  • Postmark
  • Twilio

All three sub-processors have entered into data processing and security terms of service with Concentric Health with regard to appropriate and contracted sub-processing of data.

Google Cloud Platform (GCP) is used for data hosting requirements, within a data centre in the UK. GCP is compliant with healthcare information governance requirements.

Postmark provides email sending from the Concentric application. An email may be sent to a patient, with a secure link to their consent information, on behalf of and at the request of the clinician user. Postmark meets the requirements of the Data Protection Act 2018, as outlined on Postmark’s EU General Data Protection Regulation (GDPR) page.

Twilio provides SMS sending from the Concentric application. An SMS may be sent to a patient, with a secure link to their consent information, on behalf of and at the request of the clinician user. Twilio meets the requirements of the Data Protection Act 2018, as outlined in Twilio’s General Data Protection Regulation resources.

How is data protected?

All data is protected following industry best practices with regard to access controls and encryption.

Access controls: Healthcare organisations manage clinicians’ access. Patients are sent an email or SMS with a unique link to their consent information and enter their date of birth in order to verify their identity.

Encryption: All data is stored using leading encryption methods and is transferred securely.

For how long is data stored?

All data relating to consent episodes is stored for a number of years as dictated by the individual healthcare organisation as the data controller. In line with best practice, this will usually be between 8 and 25 years. After the agreed number of years, the data is reduced to a stub record containing patient details, procedure name, date, and responsible clinician.

If the healthcare organisation ceases to be a Concentric Health client then all data relating to patients of that healthcare organisation is returned to them as the data controller, and then is deleted or anonymised.

How are data subject rights met?

Under the Data Protection Act 2018, individuals have data subject rights, which are met as follows:

Right to be informed: This privacy notice states what data is collected, how it is used, whether it is shared, and how long it is kept.

Right of access: To access all the information that Concentric Health has which relates to you, a request should be made to your healthcare organisation as the data controller.

Right to rectification: If you note any information that is inaccurate or incomplete you can make a request to your healthcare organisation that this is changed.

Right to erasure: This does not apply as data is for the provision of healthcare.

Right to restrict processing: If you wish to make a request to restrict the processing of your data, you can make a request to your healthcare organisation that this is actioned.

Right to data portability: If you wish your personal data to be transmitted, you can make a request to your healthcare organisation that this is actioned.

Automated decision making and profiling: No automated decision making or profiling is done based on your data.

How are the Caldicott Principles met?

The Caldicott Principles are eight principles to ensure people’s information is kept confidential and used appropriately.

Principle 1. Justify the purpose(s) for using confidential information: The reason for recording confidential information within Concentric is that this information - such as treatment name and indication for treatment - are requirements as part of documenting consent to treatment.

Principle 2. Use confidential information only when it is necessary: All use of Concentric relates to the recording or reviewing of consent information, requiring the patient involved and treatment details to be shown at all times to ensure patient safety. Provisions are in place to ensure no patient or healthcare detail is shown unless it is requested by the clinician user.

Principle 3. Use the minimum necessary confidential information: The minimum necessary confidential information is shown at each stage of the Concentric process. Summary views are used, for example, a view for use within an operating theatre, showing only the details required at that stage to safely deliver care.

Principle 4. Access to confidential information should be on a strict need-to-know basis: Clinician access is managed by the healthcare organisation, with access only given to identified users who are involved in the consent process.

Principle 5. Everyone with access to confidential information should be aware of their responsibilities: All clinician users are provided with onboarding information regarding the appropriate use of the application, access to confidential information, and information security.

Principle 6. Comply with the law: Processing of confidential information by Concentric, and access to the information by clinician users, comply with legal requirements.

Principle 7. The duty to share information for individual care is as important as the duty to protect patient confidentiality: Access to confidential information, with appropriate authentication, is not limited to individual clinicians, allowing appropriate sharing and visibility across an organisation to support the delivery of safe healthcare.

Principle 8. Inform patients and service users about how their confidential information is used: Patients and service users are notified regarding the use of their confidential information. A link to this page is included for each patient within the patient’s consent information. Organisations are encouraged to additionally include information regarding this use of their confidential information at other points in the relevant healthcare pathways. Information from the healthcare organisation should outline the options available to the patient regarding the use of their confidential information, but in most cases, Concentric will be used as the required method for documenting consent within an organisation.

How to contact Concentric Health?

You can contact Concentric Health by email at support@concentric.health.

  • Company name: Concentric Health Ltd.
  • Registration number: 10733991.
  • Address: Concentric Health, Sbarc Spark, Maindy Road, Cardiff, CF24 4HQ

How to contact your healthcare organisation?

Should you have any queries regarding anything described in this privacy notice and would like to contact your healthcare organisation you can request the relevant contact details by emailing support@concentric.health.

Further reading

Social value policy

Social value policy covering COVID-19 recovery, tackling economic inequality, sustainability and fighting climate change, equal opportunity, and wellbeing.

Read

Accessibility statement

Our accessibility statement for the Concentric digital consent application.

Read