Security & Privacy

Privacy Policy

Effective: 9th February 2021

Introduction

Privacy and information governance is the backbone of good software services, particularly in healthcare. 

This Privacy Notice explains how we handle personal information about our users in health and care organisations, and how we handle personal information about their patients. This notice also contains information applicable to job candidates, employees, and contractors.

accuRx operates a specialised platform that is used to manage communications and information in health care and social care systems, with the potential of linking the information across multiple health care or social care organisations. Typically, we are data processors for the health care or social care organisation based on our data processing agreement.

This policy applies to our software, website and services. We’ve tried to make it easy to read, but if you do find anything unclear, please get in touch.

Who are we?

Our full company name is AccuRx Limited and our:

  • Office is at 27 Downham Road, London, N1 5AA
  • Company Registration Number is 10184077
  • ICO Registration Number is ZA202115
  • NHS Data Security and Protection Toolkit Organisation Code is 8JT17

You can send any questions about privacy to support@accurx.com.

Our Data Protection Officer is IG-Smart Ltd. 

You can contact our DPO via email or by phone:
dpo [at] accurx [dot] com
(+44) (0) 203 824 2426

What personally identifiable information do we collect about you, and why?

As a health and care professional

Health and care professionals can create an accuRx account. 

When you do so, we collect the following information about you, and link it to a unique identifier in our system:

  • Name
  • Email address

Through the use of our software platforms, accuRx Desktop and accuRx Web, the following information will be collected from you when required: 

  • Affiliated organisation
  • Job role
  • The content of communications with, or about, patients sent via accuRx
  • Data about the way you have used accuRx software, such as the functions you’ve used, and the devices and software you used to connect to accuRx
  • Contact phone number

We collect this data to provide you with software services that your organisation has agreed for us to provide to them, as governed by our Terms and Conditions and any contractual relationship we have in place with them. accuRx software services are a communications platform that enables you to communicate with patients directly, or communicate with other health and care professionals.

We may also use your contact details to tell you about other solutions that we have built for the NHS or social care services that we think your organisation may be interested in, subject to your right to object to direct marketing.

 

As a patient whose healthcare providers use accuRx software

When your health and care organisation uses our software to communicate with you, they provide us with information they hold about you so that we can make sure you receive those communications. We only ever act on their instructions and in line with our data processing agreement. You can see how we keep your data safe here.

Depending on the software services used by your provider, the information we handle on their behalf will vary. At a minimum, when our software is first used in relation to any communication about you, we will safely store and use the following information about you:

  • Name
  • NHS number
  • Date of Birth 

We use the following contact information when health and care professionals communicate with you using our software:

  • Mobile phone number
  • Other contact phone numbers (if applicable)
  • Email address

We use this information to enable your health and care provider to communicate with you, either through SMS and email messages sent on our platform, or for them to call you.

We safely collect, store and transmit communications and documents sent to you, or received from you through accuRx software for health and care organisations. These communications and documents may include:

  • messages from these health and care providers (e.g. your GP)
  • communications you have sent back to health and care professionals after they asked you, including survey responses, images or information about appointments with their service (including Covid-19 vaccination appointments)
  • clinical records of your treatment created by professionals using our software
  • links to secure meeting rooms for video consultations
  • information about the devices and software you use to connect to our services.

When explicitly instructed, we use information from clinical records in other systems to which your health and care provider has access. We do this in order to make those records available to your provider or to other professionals involved in your care. 

Acting on behalf of the healthcare providers who care for you, we may also obtain data about you from the following sources:

accuRx also collects usage data, such as when you open and close our software, what product features you use and what computer you are using. This allows us to provide clear audit trails, improve our software and maintain the clinical safety of our products and services. We also use this data to monitor the functioning of our software and to prevent fraud, cyberattacks and other dishonest behaviour.


Other groups of people about whom accuRx processes information

We process corporate prospects’ contacts or past corporate clients’ contacts data, including for direct marketing purposes, subject to the right to object and any opt-out exercised. 

We process job candidates’ CVs and related data as long as this may be required in relation to the selection process.

How specific accuRx software features work

Video consultations

The video consultation service is hosted by Whereby, who are fully compliant with GDPR and based in the European Economic Area (EEA). A unique URL to the video consultation is generated and all participants are visible in the consultation; no third party can 'listen in'. The video and audio communication of the video consultation is only visible to participants on the call, and is not recorded or stored on any server (not accuRx’s, not Whereby’s and not on any third party's servers). All communication between the user’s browser, or the patient's browser, and Whereby’s service is transmitted over an encrypted connection (secure web traffic using HTTPS and TLS, secure websocket traffic, or secure WebRTC). Furthermore, the video consultation connection prioritises ‘peer-to-peer’ connections between the clinician’s and patient’s phone over connections via their servers. In some cases, due to NAT/firewall restrictions, the encrypted data content will be relayed through Whereby’s TURN server, but never recorded or stored. In such cases, as long as both the clinician and patient are using their computer devices in the European Economic Area, it is guaranteed that any data hosted on a server is within the EEA in line with NHS best practice guidelines on health and social care cloud security.

The only data related to the call that may be stored by Whereby is metadata to provide additional context about the way their service is being used. The usage data may include call participants’ browser type and version, operating system, length of call, page views and website navigation paths, as well as information about the timing, frequency and pattern of the service use. The IP address of call participants may also be stored as part of this usage data. No other personal information of call participants is collected or stored by Whereby.

What is the legal basis for processing this data?

accuRx always acts as a data processor in relation to patients’ data that providers share with accuRx through the use of its software services. 

Health care providers’ lawful basis for processing patient data using accuRx services is expected to be:

  • Article 6(1)(e) – ‘...exercise of official authority…’;

For their processing of special categories (health) data using accuRx services, the conditions are expected to be:

  • 9(2)(h) – ‘…health or social care…’, and 
  • 9(2)(i) – ‘…public health purposes…’.

For processing special categories (ethnicity) data using accuRx services, the conditions are expected to be:

  • 9(2)(h) – ‘…health or social care…’, and 
  • 9(2)(b) – ‘…social protection law…’ (for monitoring equality of access)

Anyone using accuRx for purposes beyond those set out above is likely to be misusing the software and in breach of the terms and conditions.

Our other legal bases for processing personal data where we are data controllers are to perform our contract to provide a service, when the contract is with you (GDPR Art. 6 (1)(b)), or our legitimate interests, provided they are not overridden by your individual interests, rights and freedoms surrounding data protection (GDPR Art. 6 (1)(f)).

Do we share this data with third parties?

We use third-party data processors, such as our email, productivity, design, communications and storage providers. A patient's information may also be shared with other health care and social care organisations in the context of your exchange of messages through the accuRx platform. This sharing is strictly limited to the instructions a healthcare provider gives us.

We compile anonymised statistics about the use of our platform, such as the use of different features by our users. All personal data is removed by aggregating the data to practice level or above. We share these aggregate usage statistics with third parties. These third parties include: 

  • national bodies including NHS Digital, NHS England and relevant government departments; 
  • local commissioning bodies such as CCGs; 
  • partners of accuRx in the commercial, charity, and academic sectors.

In line with the above and to support the response to the COVID pandemic, we share information at practice-level about usage of our platform with national bodies. A message from NHS England and Improvement follows:

“Under the Notice issued by the Secretary of State on 20th March 2020 made under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which was addressed to GP Practices, NHS England and NHS Improvement are collating practice level data on the utilisation of online and video consultation systems. This is to support service delivery including implementation, resourcing, planning and research to respond appropriately during the pandemic. The information is being collected directly from online consultation and video consultation suppliers. This practice level information on the availability and use of online and video consultation services will be shared with the department of health and social care, national NHS, regional, system, CCG, PCN and practice teams.”

How long do we retain data for?

Patients’ data is generally kept in line with the Records Management Code of Practice for Health and Social Care 2016. However, we would delete the data earlier than suggested by this code if we are informed that the condition of Article 9(3) GDPR and s. 11(1) Data Protection Act 2018 no longer applies.

We retain the data pertaining to our clients’ and prospects’ medical teams’ members and to non-medical personnel actually or potentially involved in purchasing our services for as long as necessary for the purpose of providing the service, to pursue a sales transaction, or to market our services, subject to their right to object or not to be subject to direct marketing. You may also contact us (support@accurx.com) to request that we delete the data that we hold about you.

How to contact us?

If you have questions or concerns about privacy, or wish to exercise rights you have in relation to personal data we process about you, you can email support@accurx.com or write to AccuRx Ltd, 27 Downham Road, London, N1 5AA.

You may always make further enquiries to our or complain to the www.ico.org.uk

 

Future updates to this Notice

This notice may change periodically and will be published on the accuRx website. Subscribers of our monthly email newsletter will also be notified of major changes in the subsequent newsletter.

 

Use of cookies

Our website uses cookies so that we can understand user behaviour and create consistency across multiple visits, for example so you can continue an online support conversation that you were having with us. Please refer to our cookies page for more detail about the use of cookies on this public website, and in our product.