You are the data controller of any personal data provided to us in relation to your use of our services. This means that you are responsible for determining the reason why data is being processed, how it is processed and when it is processed.
We are a data processor, which means we are processing personal data on your behalf when you are using our services. The GDPR prohibits us from conducting any processing activities that you have not authorised us to do. As a data processor we will not process any data you provide unless we have received an appropriate instruction from you.
As a data controller, the GDPR requires you to implement appropriate technical and organisational measures to ensure and demonstrate that any processing of personal data is performed in a compliant manner. The principles of the GDPR include topics such as lawfulness, fairness, transparency, purpose, data minimisation and accuracy. The GDPR also gives data subjects various rights with respect to their data, which you are required to fulfil.
We are committed to ensuring compliance with the GDPR. The GDPR requires that data controllers use data processors that carry out processing in a manner that complies with the GDPR.
Our dedicated compliance officer is Paul Chapman. Our team are responsible for ensuring compliance with security and data protection standards, regulations and legislation.
Any data that you and your users put into our systems will only be processed in accordance with your instructions.
All of our employees and contractors are required to sign a confidentiality agreement and undertake regular training.
We directly conduct most of the data processing activities needed to provide our services to you. However, we use some other third-party suppliers to assist in supporting our services. We ensure each supplier is technically capable and can deliver the required levels of security and privacy.
We will assist you in exporting or deleting customer data, if required, in line with our agreed service levels. When we receive a deletion instruction from you we will delete all relevant patient information from all of our systems within a period of no more than 180 days, unless we are obliged by law to retain such personal data for a longer period of time.
We are committed to notifying you regarding data incidents that may involve your information or patient information that we process on your behalf.
Our servers operate from secure data centres within the UK to keep our services running 24 hours a day, 7 days a week.