General Data Protection Regulation (GDPR)
We have undertaken a risk assessment of our Information Management Systems and of the information we process, record and store.
In all cases, we are satisfied that our internal policies and procedures provide our clients and us with a high level of mitigation against a data breach or the loss of data to a third party.
Our policies and controls enable us to assess and manage the risk of a breach or loss of an information processing asset, and of loss of data relating to our financial systems or of the data we hold on our clients and patients.
Our personnel are bound by Confidentiality and Privacy agreements. These obligations continue after employment ends.
Our policy prohibits personnel, whilst in a public place or amongst relatives or friends, from discussing their work or patients, or relaying any information which may bring the Practice into disrepute or inadvertently make confidential details public.
Our password policy requires strong passwords, and personnel MUST NOT write passwords down in any form that could make them available to colleagues or to any third party.
Regarding email, we maintain controls to mitigate the risk of email being accessed by a third party while it is within our systems. We cannot guarantee the safe and confidential transmission of the content once it has left our systems and is in transit over the Internet.
Our internet protocol (IP) network uses private, non-routable addresses, and all critical systems are hard-wired to the local area network rather than connected wirelessly. For wireless devices connected to the network, a stated level of security is enforced by way of encryption, authentication, MAC address verification and network isolation. We do not operate a Guest network.
We only use licensed software applications from recognised suppliers, and we do not modify software or develop applications ourselves.
Software upgrades are not applied automatically; they are released in a controlled fashion so that any negative impact can be assessed and managed, mitigating the risk of loss of data.
We do not store or retain any client or patient data on our premises. All medical, imaging and treatment data, and all data on private individuals, is hosted and stored in a secure Cloud facility; the identity of our service providers and the location of their hosting facilities are not made public.
We are legally obliged to retain data on our clients and their treatments; imaging data in particular must be retained for a minimum period of six months. The data we hold on individuals relates only to citizens aged 18 or over. We do not hold any data or information on minors/children.
Our backup system enables us to continue to operate in the event of a failure of our information processing assets. In the event of a network failure, we have alternative connectivity to the Internet and are thus able to continue processing information without interruption and to operate the practice as usual.
Regarding physical security, our premises have CCTV recording systems and are remotely monitored for intrusion, including by the emergency services. Fire detection systems, including smoke alarms, are in place, and the entire practice is designated a "No Smoking Zone".
We do not have a business continuity policy in place for a utility failure or the physical destruction of our location. In the event of a utility power failure, we can operate using hand-held devices and instrumentation with little or no impact on our operational capability.
With respect to our IT applications, and in particular our Patient Management systems, we are currently in discussions with our providers for them to declare to us their policy on GDPR, on the mitigation of any potential data breach, and on the safeguarding of all such data whilst it is being processed, stored or in transit within their IT infrastructure, networks, systems and applications. We have an assurance from our suppliers that the existing hosting environment for the service which they provide to us is in line with ISMS standards.
For any request by a client for the information we hold on them, or for a change to that dataset, we can respond within 24 business hours of the request. Our security policy does not allow clients to gain direct access to such information without our intervention. We do not charge for handling such a request.
Requests: You can contact our designated GDPR responsible person by emailing: firstname.lastname@example.org