Will you be sharing the data? If yes, with whom and why? Consider the principle of transparency and whether you require a data sharing agreement.
Data is not shared with any external organisations. Patient demographic information is synchronised from the clinical systems (EMIS/TPP) and stored in the GP-Billing database. GP-Billing can write back to the care record in the clinical system. All integration is accredited with IM1.
Will other organisations be involved in the processing of the data? If yes, state who and why.
Data is stored in our internally managed AWS data centre - no other organisations have access to the information or are involved in processing data.
What processes will be in place to delete the data?
30 days after termination of the contract, the GP-Billing database and all backups for the practice are deleted.
Are you signed up to an approved code of conduct or certification scheme?
We are ISO-27001 certified, on the GPITF framework and all integration is accredited with IM1.
Will you be using a Data Processing Agreement? If yes, give full details of why and what steps you had to take to ensure protection of data to include a contract with the processor.
Provide details of how the personal data will be kept secure:
a) IT Software security provisions
- Login to the application is synchronised with the clinical system and provided using single sign-on.
- Full annual penetration testing of application and infrastructure.
b) Audit trails of user activity
- All system and user activity is audited as per GPITF requirements and available through the user interface.
c) Encryption
- Data is transmitted via 128-bit SSL encrypted connections.
- Data is stored in an encrypted SQL database.
- All media is encrypted.
d) Backup
- Daily backup is automatically performed and retained for 30 days.
e) Secure cabinets
- N/A - AWS cloud.
f) Business continuity plans
- 24x7 high availability resilience has been implemented across multiple zones.
- Dual load-balanced HSCN network connectivity.
- Multiple load-balanced application servers.
- Real-time data mirroring between production and disaster recovery database servers.
- SIP-based phone systems and cloud-based helpdesk allowing support teams to work from any location.
- Full BCP plan tested every year.
g) Cyber security measures
- Full monitoring and security have been implemented as set out in the cloud security good practice guide.
h) Cyber essentials
- We have Cyber Essentials and ISO-27001.