
ieso and compliance with Data Protection Legislation

We take the privacy of data subjects, and compliance with data protection legislation and regulation, very seriously.

Below is a summary of actions taken to achieve compliance:

  • Appointed Data Protection Officer, Helen Simpson, who acts as the business’s expert on data protection and the main point of contact with the regulatory data protection authorities, if required
  • Created, and continually update, an Article 30 record of all processing activities that involve personal data
  • Confirmed the lawful basis for each processing activity, carrying out Legitimate Interests Assessments where required
  • Completed comprehensive Data Protection Impact Assessment of core product.
  • Other Data Protection Impact Assessments completed or in progress where triggered (e.g. research activities)
  • Undertake risk scoring of processing activities and identify mitigations commensurate to the level of risk
  • Appropriate Breach Notification policy in place
  • Created and improved protocols for responding to and monitoring information incidents, examining root causes and learning from them. No reportable incidents to date
  • Created and improved protocols for responding to and monitoring information rights requests
  • Regularly creating, monitoring and updating sets of Privacy Notices for different subsets of data subjects
  • Induction training for new staff and contractors includes data protection and information security
  • Annual company-wide training on Data Protection and information security, and specific health data training compulsory for staff handling patient data and available optionally to all others
  • GDPR compliant Data Processing Addenda or agreements in place, and other due diligence carried out as part of the supplier management process, wherever personal data is involved
  • Developed standard GDPR compliant Data Sharing Agreement for contracts with other Data Controllers
  • Employing other appropriate technical and organisational measures, such as maintaining ISO 27001 and ISO 9001 certification, role-based access controls, encryption, pseudonymisation, data minimisation, retention management procedures (including deletion procedures), up-to-date organisational policies and timely risk assessments
  • Annual preparation and submission of the NHS Data Security and Protection Toolkit, required as a business partner to the NHS
  • Documented Privacy by Design and by Default at Ieso
  • Transfers to third countries are restricted where possible; where they do occur they are documented, with appropriate safeguards in place
  • The DPO works with internal teams to develop GDPR compliant SOPs; reviews contracts for data protection compliance; is actively involved from the outset in CAPAs (corrective and preventive actions), new product development, cookie compliance, and trust and transparency collateral; works closely with the Caldicott Guardian and the Senior Information Risk Owner on ethical decision making, new patient access requests, etc.; and prepares other accountability ‘decision’ documentation (e.g. on anonymisation of research data sets)
  • Compliant with the NHS national data opt-out service, which allows patients to opt out of their confidential information being used for research and planning