Protecting patient data.

Every day, NHS patients and healthcare professionals trust Accurx with very sensitive data. This brings an incredible responsibility - and one we don’t take lightly.
Whether you’re a frontline clinician or thinking of commissioning our software in your service, below you can find out what data we process, why we process it and how it's used.

Some of the systems we integrate with...

How we protect your data

We never sell your data - we never have and we never will.

We encrypt data in an extremely secure data centre.

We have robust identity controls, so only verified NHS professionals can access your data.

We only partner with safe and secure partners, who meet our high security standards.

We train all staff in data security from week one onwards.

We follow the NHS code of conduct for data driven technology.

Accurx has made my job a lot easier and provided a safe and effective way to communicate regularly with our service users.

Ashley, Health & Wellbeing Coach, Hampshire and Isle of Wight

Frequently asked questions

Accurx has a commitment to every patient whose data we store to keep it safe and secure. To find out more about how we use your data, take a look at the frequently asked questions below.

How do I know that Accurx is safe for my service to use?

We transmit and store data in encrypted form. This means nobody else can read it without the right credentials. When stored, your data is encrypted in an extremely secure UK-based Microsoft Azure data centre.

We meet the highest standards of safety and security, as set by NHS bodies and the government. We go through assurance processes for these and we regularly get outside independent experts to check our systems are secure.

Where does Accurx fit in?

Typically, the healthcare organisation is the ‘data controller’. Patients are the data subjects. We are the data processor (where our services are used). This means that we process data about your patients under the terms in our Data Processing Agreement, to allow you (as a healthcare organisation) to provide a service to your patients.

How are we 'IG compliant'?

Accurx is an accredited Type 1 Supplier on NHS Digital’s DCS Catalogue and is fully compliant with NHS Digital’s interoperability standards for primary care integrations. We are also an assured IM1 live supplier and an approved supplier on the Government’s Digital Marketplace (G-Cloud).

Our primary care integrations have proven capability and, given our understanding of the stringent assurance requirements for integrations in these settings, we take and utilise these learnings when developing all of our products in other care settings (such as our Accurx Web offering for secondary care) to ensure that our integrations attain and maintain the highest standards.

How do we keep data secure?

Our Accurx servers are hosted in the London Microsoft Azure Data Centre. We follow best practice guidance from NHS Digital, the UK National Cyber Security Centre (NCSC) and Microsoft. See here for detailed information. All data sent is encrypted when it is sent and when it is stored.

Are we Cyber Essentials certified?

Yes, we have both the Cyber Essentials and Cyber Essentials Plus certifications. Cyber Essentials is a scheme run by the UK government and the National Centre for Cyber Security to help you know that you can trust your data with us.

What data do we process?

In order to provide communication with and about patients, we process patient data and healthcare staff data on our secure servers. The patient data typically includes name, identifiers, contact details, demographic data, message content (including documents and patient replies to messages either via secure surveys or two-way messaging) and other application-use related data. We only process this data when you send a communication to patients.

We also process data about healthcare staff who are users of Accurx. This typically includes role, organisation, contact details, identifiers including gender and date-of-birth, messages, metadata, signatures, login and other application-use related data.

The video and audio communication of any video consultation is only visible to participants on the call, and is not recorded or stored on any server. The IP address of call participants may be stored as part of the metadata; however, no other personal information of call participants is collected or stored.

How do we send text messages?

We use FireText, BT/EE, or Vonage to send SMS messages. You can read the Firetext privacy policy here and BT/EE privacy policy here.

Does the UK GDPR require explicit patient consent to send SMS messages to patients?

No, providing another legal basis is used. This was confirmed by the ICO in a BBC interview (go to 7:55 in).

GDPR allows six different legal bases for processing data, of which consent is one. The Information Governance Alliance advises healthcare organisations to process patient data for the delivery or administration of care under the following legal bases:

6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

The ICO has warned against the use of consent as a legal basis for data processing by public authorities and healthcare providers. The Information Governance Alliance has produced a range of GDPR guidance for NHS organisations, including a helpful checklist for GP practices. If your practice does choose to gather consent for other reasons, all consent codes found in a patient’s medical record are shown to the user.

How can patients opt out?

When sending an SMS, Accurx Desktop shows all consent codes and dissent codes found in the patient record. If a patient wishes to opt out of receiving SMS messages, you should update their ‘Notification preferences’ in the patient registration dialog.

How do we ensure that the right person gets the message?

In short, you can never be 100% confident, and so SMS messages shouldn’t be used for sensitive information (e.g. positive STI test result) or time-critical information (e.g. to book an urgent appointment) without the right safety net or follow up.

There are a lot of steps you can take to improve the quality of your SMS database, including asking your receptionists to confirm mobile numbers on every call, and confirming a patient’s mobile number in a consultation, especially when sending an SMS at the end of the consultation.

What does it mean to ‘surface’ appointment data? Is this safe?

Some of our features enable patients to self-book an appointment (Self-Book, Batch Self-Book and Patient Triage). In order for these features to work, Accurx searches for available slots in a practice's EMIS or SystmOne appointment book, and makes these visible for patients. This enables patients to book an appointment at a time and date that suits them, from a list of appointments pre-determined by the practice as ‘available’. This functionality is IG compliant, and we make sure to keep both user and patient data safe.


Find out more about security and privacy

Here, you can see all the key documents about Accurx and what we do with data.

Our information governance documents set out the promises we make about data, the agreements we have in place, and how we comply with the relevant laws and NHS rules and guidance.

Our security credentials show how we keep those promises, keep our systems secure, and keep your data safe.

Policies and Agreements

Data Privacy Impact Assessments (DPIAs)

When using Accurx, it is up to the data controller (your organisation) to complete a DPIA. As a data processor, we cannot complete it for you. However, to be as helpful as we can, we have filled in the key parts of DPIA Templates for:

Support

You can find more detailed information and support articles about the way we use data in our software in our dedicated support centre.

And articles about features of: