We're REALLY into protecting practice and patient data. Our own data is stored the same way as yours.
We're an accredited supplier, particularly for the NHS
In the Optum (formerly EMIS) Assurance process
In the IM1 Pairing Integration with NHS Digital - Digital Services for Integrated Care process
GDPR Compliant
Cyber Essentials Certified
NHS DSPT Certified
NHS DCB0129 Certified
NHS DTAC Certified
ISO27001 certification process underway
ISO9001 certification process underway
ISO14001 certification process underway
Things for your DPO (Data Protection Officer) or IG (Information Governance) representative
Practice Toolkit's Privacy Policy
The DPA (Data Protection Agreement) is embedded within the Terms & Conditions (T&Cs) as 'Schedule 1'
If they'd like any other info just ask (help widget bottom right)
General Info:
We are the 'data processor' (where our services are used). Patients (and, for some basic Staff info, Staff) are the 'data subjects'. You, the Practice, are the 'data controller'. This means that we process data about your patients under the terms in our Data Processing Agreement, to allow you (as a healthcare organisation) to provide a service to your patients.
We are 'IG Compliant' - fully compliant with NHS Digital’s interoperability standards for primary care integrations.
You do not need explicit patient consent to send SMS (text) messages to Patients via Practice Toolkit - the ICO (Information Commissioner's Office) has confirmed this, and the NHS advises healthcare organisations to process patient data for the delivery or administration of care under the following legal bases:
Article 6(1)(e): "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…;"
Article 9(2)(h): "…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…"
If a patient wishes to opt out of receiving SMS messages, you should update their 'Notification Preferences' in the patient registration in your Clinical System.
If your Practice wants to complete a DPIA (Data Protection Impact Assessment) that includes Practice Toolkit, we, as a data processor, cannot complete it for you. However, for Practices in Wales we've made a template you can adapt: DPIA - DHCW Template. If you need any specific info, please just ask (help widget bottom right).
A few data security highlights...
...on how we go beyond the standards to protect your Practice and Patient data:
Safely Stored
What's that actually mean? Whenever your data is stored or transferred (for you to read it), it's encrypted to the latest standards, which means it's secure. In addition, each Practice's Patient data is stored in a way that removes any risk of Patient info being included in the 'wrong' Practice. All of this is stored without being transferred outside the EEA.
Data Encrypted
What's that actually mean? All Practice and Patient data is encrypted in transit (when it's uploaded, processed, accessed by your staff to view, or backed up) and 'at rest' (when it's being stored) - this makes it extremely secure against any cyber attack, as it can't be decrypted without the unique key used to encrypt it.
Cyber Attack Tested & Certified
What's that actually mean? We've been really careful and thorough in how we've built this system - and tested it by having expert 'white hat' hackers try their best to access or take down our system. We passed with flying colours.
Identity & Access controls
What's that actually mean? Only your team will access your Practice account. We know 2-Factor Authentication (needing your phone app as well as email/password) is annoying for everyone, but it's vital to make sure it's you and your staff connecting to your Practice, not anyone else. ALL staff associated with your Practice will have to be approved by your team before they can access it.
Compliant
What's that actually mean? We treat the NHS Code of Conduct for data-driven technology as the baseline standard, not the threshold to reach. We'll go beyond it where we feel it's in your interest for Practice & Patient security. The same applies to the UK National Cyber Security Centre (NCSC) guidance.
Continuous Updates
What's that actually mean? We have staff who really love data security - it's their passion, both in governance and in infrastructure security. They keep on top of the latest info (think obscure message threads as well as formal notifications/articles) from around the world to keep us as up to date as possible.
We'll never share or sell your data
What's that actually mean for you? Other than when you tell us to (e.g. with your clinical system, or to use a Practice Toolkit tool) we guarantee we will never share or sell any Practice or Patient data.