We take the privacy of data subjects, and compliance with data protection legislation and regulation, very seriously.
Below is a summary of actions taken to achieve compliance:
- Appointed Data Protection Officer, Helen Simpson, who acts as the business’s expert on data protection and the main point of contact with the regulatory data protection authorities, if required
- Created, and continually update, an Article 30 log of all processing activities that involve personal data
- Confirmed lawful basis for processing activities, carrying out Legitimate Interests Assessments where required
- Completed comprehensive Data Protection Impact Assessment of core product.
- Other Data Protection Impact Assessments completed or in progress where triggered (e.g. research activities)
- Undertake risk scoring of processing activities and identify mitigations commensurate to the level of risk
- Appropriate Breach Notification policy in place
- Created or improved protocols for responding to and monitoring information incidents, looking at root causes and learning from them. No reportable incidents to date
- Created or improved protocols for responding to and monitoring information rights requests
- Regularly creating, monitoring and updating sets of Privacy Notices for different subsets of data subjects
- Induction training for new staff and contractors includes Data Protection and information security
- Annual company-wide training on Data Protection and information security, and specific health data training compulsory for staff handling patient data and available optionally to all others
- GDPR compliant Data Processing Addendums or agreements in place, and other due diligence carried out as part of the supplier management process where personal data is involved
- Developed standard GDPR compliant Data Sharing Agreement for contracts with other Data Controllers
- Employing other appropriate technical and organisational measures such as maintaining ISO27001 & ISO9001, Role Based Access Controls, encryption, pseudonymisation, data minimisation, retention management procedures (including deletion procedures), up-to-date organisational policies and timely risk assessments
- Annual preparation and submission of NHS Data Protection and Security toolkit required as Business Partner to NHS
- Documented Privacy by Default and Design at Ieso
- Transfers to third countries are restricted where possible but documented with appropriate safeguards in place where they exist
- DPO works with internal teams to develop GDPR compliant SOPs; reviews contracts for data protection compliance; is actively involved from the onset in CAPAs, new product development, cookie compliance, and trust and transparency collateral; works closely with Caldicott Guardian and Senior Information Risk Officer on ethical decision making, new patient access requests, etc; and prepares other accountability ‘decision’ documentation (e.g. on anonymisation of research data sets)
- Compliant with the NHS national data opt-out service, which allows patients to opt out of their confidential information being used for research and planning