The EU General Data Protection Regulation (GDPR) was introduced on 25th May 2018, bringing with it the most significant changes to data protection law in two decades.
GDPR is designed to protect us all in a world where technology is used extensively and there is a considerable increase in the processing of our personal data across geographical borders. It will make it more straightforward for us all to access and control the personal information held about us, and it will be clearer for the companies we deal with to understand what they can and cannot do with our personal data.
Tree View Designs is committed to ensuring the protection and security of all the personal information that we process. That means the personal information pertaining to our clients, and the data that we process on behalf of our clients (i.e. patient information).
We are also dedicated to providing a consistent and compliant approach to data protection. Our data protection policy has always fallen in line with prevailing data protection law, but we have of course recognised the importance of updating what we do so that we meet the requirements of the GDPR.
Our approach to GDPR compliance is summarised in the following statement which includes the policies, procedures, measures and controls we have put in place to ensure the data we process is properly safeguarded and the rights of the owners of the data upheld.
As a client of Tree View Designs, you remain the data controller in terms of patient data. This means that any data you provide to us in the process of using our services remains under your control, and that you are responsible for defining why it is being processed, how it is being processed and when it is processed.
As a data controller, you must, under the GDPR, have in place appropriate measures to ensure all the data processing you undertake is compliant with the Regulation and that you uphold all the rights people now have in terms of their personal data.
Tree View Designs is a data processor. This means that whilst you are making use of our services, we process personal data on your behalf.
We will only, under the terms of the GDPR, process data in accordance with your instructions.
We will only ever process the data you enter into our systems in line with your instructions.
Before they are allowed to process our clients' data, we ask all of our personnel and any outside contractors we use to sign a confidentiality and non-disclosure agreement. We also make sure all of our personnel and contractors are given adequate and ongoing training.
The majority of our data processing is undertaken by us in-house. However, we do from time to time use third party suppliers to help us provide our services to you. Rest assured we carry out due diligence to ensure all of our suppliers are able to provide the levels of privacy and security required under the GDPR and that all third parties we use meet and understand their own and our GDPR obligations. We regularly review the services we outsource, and the necessity of the data processing connected with them.
The following table summarises the services we supply and examples of the third parties we may share your data with in order to assist us in supplying these services:

| Service | Examples of third parties |
|---|---|
| Technical Services | Web Hosting |
| Communication Services | Email Providers |
| Customer Support Services | |
If you need us to delete data of any nature then we will work with you to ensure your instructions are fulfilled. Once you send us an instruction to delete data, we will ensure it is removed from all of our systems within a maximum of 180 days, unless we have a legal obligation to retain the personal data in question for longer. We will confirm the deletion to you in writing.
If an incident arises whereby your personal information or any other data we process on your behalf is put at risk, then we will notify you in writing within a maximum of 24 hours of the incident arising.
Under the GDPR we must, as data processors, have sufficient security measures in place to ensure all data is adequately safeguarded against unauthorised access, disclosure, alteration or destruction. These may include digital (firewall, antivirus, etc.) and physical security measures. Please do not hesitate to ask us for a copy of our data security policy for further details about how we safeguard the data we process.
Our systems operate from secure cloud servers located in the UK and managed by Digital Ocean, which is compliant with ISO 27001.
All the patient information processed through our systems is encrypted to the standards set down by the NHS.
We have a compliance officer who is dedicated to ensuring our business and all our personnel are compliant with data protection and security under the GDPR. The name of our compliance officer is Paul Chapman (firstname.lastname@example.org).