If you work within the health and social care environment using our digital tools, or if you are possibly considering the use of our digital tools, you will need assurance you are working securely.

Here we will explain how we keep your patients’ data safe.

The role of Health Diagnostics

Typically, the health and social care organisation using our tools is the Data Controller and patients are the Data Subjects. We are the Data Processor, as our services are used by you to provide a service to your patients. Health Diagnostics therefore process data about your patients under the terms of a data processing agreement, which must be in place between our organisations.

Our data security accreditations

  • We are ISO27001:2022 accredited
  • We have completed Cyber Essentials
  • We have NHS Data Security and Protection assurance

What data do we process?

Health Diagnostics collect demographic and clinical information of an individual or patient including special categories of data, such as ethnic origin, in order to invite a patient to participate in a public health programme and to perform a risk assessment on behalf of the patient. Health Diagnostics also perform analysis on pseudonymised data sets in order to provide aggregate information for performance reporting to the local public health authority.

How do we invite patients into public health programmes?

Our digital service automates the sending of letters through CFH Docmail and of SMS messages through TextLocal.
See Docmail’s privacy policy and the privacy policy for TextLocal.

Do we need patient consent for processing under GDPR?

Provided that a Data Processing Agreement is in place between Health Diagnostics and the health and social care organisation, the explicit consent of the patient is not required under GDPR, as long as another lawful basis can be used.
The lawful basis for processing under GDPR for our services is:

6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; or

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment of health or social care systems…’
More information about GDPR and its relevance to health and social care organisations can be found here.

Can a patient opt out?

If a patient has opted out of sharing their information at their GP Practice, that information will not be shared with us for the purpose of inviting patients into the health programmes. Likewise, if a patient has opted out of being contacted by SMS, this is made clear to our users, preventing contact via SMS.

