GDPR

This page should help answer some questions about how we process personal information about patients on behalf of the data controller (usually a GP practice). This is explained in full in our Data Processing Agreement which can be found here, but some common questions have been answered below.

To find out more about the data we collect and process about our users, please see our Privacy Policy.

Where do we fit in?

Typically, the GP practice is the Data Controller. Patients are the Data Subjects. We are the Data Processor (where our services are used). This means that we process data about your patients under the terms in our Data Processing Agreement, to allow you (as a GP practice) to provide a service to your patients.

How are we ‘IG compliant’?

We have NHS Data Security and Protection Toolkit assurance (under NHS ODS code 8JT17). We also develop software under the principle of ‘Privacy by design’.

Are we Cyber Essentials Certified?

Cyber Essentials is a UK government-backed scheme run by the National Cyber Security Centre (NCSC) that certifies an organisation has a baseline set of cyber security controls in place; Cyber Essentials Plus adds an independent technical audit of those controls. We hold both the Cyber Essentials and Cyber Essentials Plus certifications.

What data do we process?

In order to send messages to your patients, we send the message text, mobile number and NHS number to our secure servers. We only process this data when you send a message.

How do we send text messages?

We use FireText or BT/EE to send SMS messages. You can read the FireText privacy policy here and the BT/EE privacy policy here.

Does the GDPR require explicit patient consent to send SMS messages to patients?

No, providing another legal basis is used. This was confirmed by the ICO in a BBC interview (go to 7:55 in).

Article 6 of the GDPR sets out six lawful bases for processing personal data, of which consent is only one. The Information Governance Alliance advises GP practices to process patient data for the delivery or administration of care under the following legal bases:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Health data is special category data, so an Article 9 condition such as 9(2)(h) is required in addition to the Article 6 lawful basis.

The ICO has warned against the use of consent as a legal basis for data processing by public authorities and healthcare providers, because the imbalance of power between the organisation and the individual makes it difficult to show that consent was freely given (and consent can be withdrawn at any time, which would then stop the processing).

The Information Governance Alliance has produced a range of GDPR guidance for NHS organisations, including a helpful checklist for GP practices.

If your practice does choose to gather consent for other reasons, all consent codes found in a patient’s medical record are shown to the user.

How can patients opt out?

When sending an SMS, Chain SMS shows all consent codes and dissent codes found in the patient record. If a patient wishes to opt out of receiving SMS messages, you should update their ‘Notification preferences’ in the patient registration dialog.

You are using other AccuRx Chain products - how do these process patient data?

For all other Chain products currently in testing, we implement the same information governance safeguards.

How do we ensure that the right person gets the message?

In short, you can never be 100% confident that a mobile number belongs to the intended patient, so SMS messages shouldn’t be used for sensitive information (e.g. a positive STI test result) or time-critical information (e.g. to book an urgent appointment) without the right safety net or follow-up.

There are a lot of steps you can take to improve the quality of your SMS database, including asking your receptionists to confirm mobile numbers on every call, and confirming a patient’s mobile number in a consultation, especially when sending an SMS at the end of the consultation.

We are developing tools to help practices improve the quality of their contact detail database.

If you have any other questions about the GDPR and how it affects our services, please get in touch 😀