Privacy and information governance is the backbone of good IT systems, particularly in healthcare. We put this at the heart of what we do, not just because of our legal obligations, but because we are all patients too! We all want to experience high-quality healthcare and be in control of our data and how it is used.
This Privacy Notice explains how we handle personal information about our clients’ patients, medical and social care teams’ members plus non-medical personnel (actually or potentially) involved in purchasing or using our services. The information provided in this policy may also apply to job candidates, employees, and contractors.
accuRx operates a specialised platform that is used to manage communications and information in health care and social care systems, with the potential of linking the information across multiple health care or social care organisations. Typically, we would be a data processor for the health care or social care organisation based on a data processing agreement.
In some contexts, we may be deemed the controller of the data, particularly:
where we do not have in place a data processing agreement with the organisation of the health or social care professional under whose responsibility the data is processed; or
where our systems or services support the management of health care or social care information across different organisations.
Our control of the data may be exercised jointly with health care or social care organisations. Joint controllership would only extend to the data operations within the accuRx platform, not other operations the health or social care organisation may be performing with the same data outside our platform. Where we control your data jointly with a health care or social care organisation, you can exercise your rights against either accuRx or the organisation. This Privacy Notice shall form part of our arrangement with the organisation.
This privacy notice explains how we handle personal information about our users. For a summary of how we process data about your patients, see our GDPR questions page.
This policy applies to our software, website and services. We’ve tried to make it easy to read, but if you do find anything unclear, please get in touch.
Who are we?
Our full company name is AccuRx Limited and our:
Office is at 27 Downham Road, London, N1 5AA
Company Registration Number is 10184077
ICO Registration Number is ZA202115
NHS Data Security and Protection Toolkit Organisation Code is 8JT17
You can send any questions about privacy to firstname.lastname@example.org.
Our Data Protection Officer is IG-Smart Ltd. Contact information:
Phone: (+44) (0)2038242426
What personally identifiable information do we collect about you, and why?
Upon creating an account, we collect your name, email address and phone number. For General Practice users, we may further obtain or create a unique identifier such as TPP SystmOne or EMIS Web User Profile data (user name; login details; role; computer ID; national ID), and generate message delivery receipts; application-related data (the user-generated personal signatures for their messages; templates they've generated and saved); Windows usernames; and login details for your SMS account, if applicable for the application that your organisation is using. Our product also gathers your provider organisation name, gender, date of birth, and two-way messages with colleagues. These are used to provide our services that you or your organisation have requested. We may also use your contact details to tell you about other solutions that we have built for the NHS or social care services that we think you may be interested in, subject to your right to object to direct marketing.
Patient data gathered typically comprises full name, date of birth, medical teams’ correspondence with (and/or about) the patient (including patient images, documents and notes), which may include the patient’s health information and other special categories of data, plus message delivery receipts, NHS number or another identifier, mobile number and email address. Metadata may reveal the change of identity/gender based on the NHS number change, or the change in home address based on the change of the GP practice. We may gather further demographic data available through NHS PDS. Patients may be asked to respond to specific surveys.
accuRx also collects usage data, such as when you open and close our software, what product features you use and what computer you are using. This allows us to improve our software by better understanding your workflows, to provide you with usage data, to monitor the functioning of our software and to prevent fraud, cyberattacks and other dishonest behaviour.
The video consultation service is hosted by Whereby, who are fully compliant with GDPR and based in the European Economic Area (EEA). A unique URL to the video consultation is generated and all participants are visible in the consultation; no third party can 'listen in'. The video and audio communication of the video consultation is only visible to participants on the call, and is not recorded or stored on any server (not accuRx’s, not Whereby’s and not on any third party's servers). All communication between the user’s browser, or the patient's browser, and Whereby’s service is transmitted over an encrypted connection (secure web traffic using HTTPS and TLS or secure websocket traffic or secure WebRTC). Furthermore, the video consultation connection prioritises ‘peer-to-peer’ connections between the clinician’s and patient’s phone over connections via their servers. In some cases, due to NAT/firewall restrictions, the encrypted data content will be relayed through Whereby’s TURN server, but never recorded or stored. In such cases, as long as both the clinician and patient are using their computer devices in the European Economic Area, it is guaranteed that any data hosted on a server is within the EEA in line with NHS best practice guidelines on health and social care cloud security.
The only data related to the call that may be stored by Whereby is metadata to provide additional context about the way their service is being used. The usage data may include call participants’ browser type and version, operating system, length of call, page views and website navigation paths, as well as information about the timing, frequency and pattern of the service use. The IP address of call participants may also be stored as part of this usage data. No other personal information of call participants is collected or stored by Whereby.
For all website visitors, including non-registered ones, we gather cookie information, IP address, visited web pages, chat conversations, and contact details if the visitor provides them during the support conversation. This data is gathered for analytics, fraud prevention, and cybersecurity purposes, plus sales and marketing, subject to the visitors’ right to object to such processing.
We may process corporate prospects’ contacts or past corporate clients’ contacts data, including for direct marketing purposes, subject to the right to object and any opt-out exercised. We may process job candidates’ CVs and related data as long as this may be required in relation to the selection process.
What is our legal basis for processing this data?
In the case of patient data, which includes the data pertaining to the recipients of social care, the basis for processing is the provision of health care or social care services.
Where we act as the controller of patient data, the purpose of processing of the data by accuRx is the management of health care or social care systems or services (Schedule 1, Part 1, 2(f) Data Protection Act 2018 and Schedule 2, Part 2, 15(2) Jersey Data Protection Law 2018). According to Article 9(3) GDPR and s. 11(1) Data Protection Act 2018, such processing must be by or under the responsibility of one or more health professionals.
Our other legal bases for processing this data are to perform our contract to provide a service, provided the contract is with you (GDPR Art. 6 (1)(b)), or our legitimate interests, which are listed in this Privacy Notice, provided they are not overridden by your individual interests, rights and freedoms surrounding data protection (GDPR Art. 6 (1)(f)).
Do we share this data with third parties?
We use third-party data processors, such as our email, productivity, design, communications and storage providers. Your information may also be shared with other health care and social care organisations in the context of your exchange of messages through the accuRx platform.
We compile anonymised statistics about the use of our platform, such as the use of different features by our users. All personal data is removed by aggregating the data to practice level or above. We share these aggregate usage statistics with third parties. These third parties include:
national bodies including NHS Digital and NHS England;
local commissioning bodies such as CCGs;
partners of accuRx in the commercial, charity, and academic sectors.
In line with the above and to support the response to the COVID pandemic, we are sharing information at practice-level about usage of our platform with national bodies. A message from NHS England and Improvement follows:
“Under the Notice issued by the Secretary of State on 20th March 2020 made under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which was addressed to GP Practices, NHS England and NHS Improvement are collating practice level data on the utilisation of online and video consultation systems. This is to support service delivery including implementation, resourcing, planning and research to respond appropriately during the pandemic. The information is being collected directly from online consultation and video consultation suppliers. This practice level information on the availability and use of online and video consultation services will be shared with the department of health and social care, national NHS, regional, system, CCG, PCN and practice teams.”
How long do we retain data for?
Patients’ data is generally kept in line with the Records Management Code of Practice for Health and Social Care 2016. However, we would delete the data earlier than suggested by this code if we are informed that the condition of Article 9(3) GDPR and s. 11(1) Data Protection Act 2018 no longer applies.
We retain the data pertaining to our clients’ and prospects’ medical teams’ members and to non-medical personnel actually or potentially involved in purchasing our services for as long as necessary for the purpose of providing the service, to pursue a sales transaction, or to market our services, subject to their right to object or not to be subject to direct marketing. You may also contact us (email@example.com) to request that we delete the data that we hold about you.
How do we secure personal data?
We have board-level responsibility for Information Security and Governance. We have a range of policies in place for information governance, network security, information handling, teleworking, business continuity, confidential information, incident reporting, access control and staff confidentiality. We review these policies at least annually and will update them if a product or business change necessitates it. We conduct Information Governance on-boarding and training with all staff to ensure that they are up to date with our policies and processes, and to identify opportunities to improve our Information Governance.
Your rights in relation to personal data
If you want to access your personal information, request correction to your personal information, get us to delete your personal data, port your data to another provider, restrict our processing of your data, or object to the processing of your data, including for direct marketing purposes, email us at firstname.lastname@example.org.
How to contact us
If you have questions or concerns about privacy, you can email email@example.com or write to AccuRx Ltd, 27 Downham Road, London, N1 5AA.
Future updates to this Notice
This notice may change periodically and will be published on the accuRx website. Subscribers of our monthly email newsletter will also be notified of major changes in the subsequent newsletter.