GDPR Frequently Asked Questions

The information provided within this document may be revised from time to time and will be updated in line with new legislative requirements and/or updated product features and additional services at the sole discretion of iPLATO.

The document is not intended for general circulation or publication; it will not be published on our website but will be provided to external organisations on a confidential basis.

This document supersedes any prior documents or written policies of iPLATO that are inconsistent with its provisions.

Questions, comments and requests regarding this document should be addressed to:

iPLATO Healthcare Ltd, One King Street, Hammersmith, London W6 9HR

info@iplato.com

 

INTRODUCTION

Handling & Processing of Patient Data

Since the initial development of Practice Messaging back in early 2003, iPLATO has ensured that the security and confidentiality of patient data were at the centre of the design of the system. Accordingly, iPLATO has endeavoured to adhere to the stringently set requirements of the General Data Protection Regulation and the Data Protection Act 2018 as well as guidelines imposed by NHS Digital and client Trust Caldicott Guardians.

Additionally, iPLATO must ensure compliance with NHS Data Guardian Standards generally, as well as the specific requirements mandated to maintain an approved NHS Digital Data Security and Protection Toolkit accreditation, which is a mandatory requirement to support a direct connection to the NHS N3 network.

Why is IG Important?

Information Governance has four fundamental aims:

  1. To support the provision of high quality services by promoting the effective and appropriate use of information.
  2. To encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources.
  3. To develop support arrangements and provide staff with appropriate tools and support to enable them to carry out their responsibilities to consistently high standards.
  4. To enable the organisation to understand its own performance and manage improvement in a systematic and effective way.

The iPLATO Approach

iPLATO is committed to innovation in health services to support GPs, CCGs and patients but strongly believes that this can never be at the expense of the protection of the data upon which such innovations depend. Patient safety and Information Governance are at the centre of everything we do. All of our products and services are developed to meet or exceed best practice in information governance and data protection.

It is particularly important to us that how data is used is clear to everyone. We have therefore prepared this FAQ to answer the key questions around data management and compliance. iPLATO offers several different services. The way in which patient and other data is collected varies between them. We cover each separately below. A general overview that applies to both the Practice Messaging and myGP® services is set out in Section 1 – General.

 

FAQ

Section 1 – General

What are the fundamental differences between Practice Messaging and myGP® and how does this impact the Data Controller / Data Processor relationship in respect of patient data?

Practice Messaging and its associated modules is a cloud-based middleware platform securely hosted within the N3 and integrated directly with NHS approved clinical systems. It is procured and used by NHS organisations (eg GPs, CCGs, Public Health). It has a variety of functionalities/features that include secure 2-way messaging with patients utilising both SMS and data.

From a data protection perspective, for Practice Messaging, GPs [and/or other relevant NHS stakeholder organisations, eg CCGs] remain Data Controllers. iPLATO is a Data Processor and simply processes the personal data of patients to provide the service to the NHS organisations.

myGP® is an App developed for the exclusive use of patients. It is provided free of charge and distributed directly to patients by iPLATO through the Android and Apple App stores. Patients provide explicit consent to use the App and it is provided for and available to all UK registered patients. GPs, CCGs or other NHS bodies have no capacity to influence, restrict or control access to the App for any patient. The App is integrated directly with the patients’ medical records (via Practice Messaging and also via NHS supplied APIs). Additionally, the App contains features that collect and process patient generated data.

From a data protection perspective, iPLATO is a Data Processor in respect of GP clinical system sourced data and a Data Controller in respect of patient generated/collected data. Where patient generated/collected data is subsequently shared with the NHS organisations, iPLATO and the NHS organisations become Data Controllers in common.

How are data subjects informed / what is iPLATO’s Privacy Policy?

Please see the iPLATO Privacy Notice which is published here:

https://www.iplato.com/privacy/

This provides information to data subjects as to how iPLATO will process their personal data when they use any iPLATO website or other iPLATO products/services excluding myGP®. Users of the myGP® App are governed by the specific terms of the App Privacy Policy (see section 3 below).

What is iPLATO’s internal ‘Data Protection Policy’?

The iPLATO Data Security & Protection Strategy sets out the internal procedures that are to be followed by us when dealing with personal data (whether as part of Practice Messaging or myGP®).  The procedures are followed at all times by iPLATO, its employees, agents, contractors, or other parties working on behalf of iPLATO.

The iPLATO Data Security & Protection Strategy is maintained centrally and submitted as part of our accreditation for the NHS Digital Data Security and Protection Toolkit.

Where is personal data processed by iPLATO stored?

All personal data processed by the Practice Messaging or myGP® products is stored in the UK.

How long is personal data stored for?

With respect to Practice Messaging, personal data is stored until such time as the relevant GP surgery ceases to be a Practice Messaging customer/user. Personal data will be deleted or anonymised within 30 days of the end of the contractual relationship.

With respect to myGP® personal data is stored as long as the patient remains a registered user. Once a patient de-registers and uninstalls the App all data within the App is deleted immediately. Operational data regarding the App that is maintained centrally will be stored in accordance with company data retention policy.

Additionally, under the General Data Protection Regulation (GDPR), iPLATO will comply with any legitimate requests for erasure of Personal Data from data subjects (the so-called ‘right to be forgotten’). More information on GDPR is set out below.

What data erasure methodology is employed?

The method of data deletion/erasure depends upon the nature of the subject data. Where relevant data is identifiable and separable then it is deleted in accordance with the multiple overwrite protocol. Where data is inseparable (eg component of log files) then identifiable components are anonymised.

What security and confidentiality arrangements are in place to protect patient data?

iPLATO seeks to demonstrate its conformity with the concepts of Data Security & Confidentiality through the following mechanisms:

  1. Implement and maintain appropriate management systems and processes.
  2. Implement and maintain appropriate internal policies and procedures.
  3. Conform to all appropriate legislation and maintain appropriate documentation / registrations.
  4. Implement and maintain appropriate technical standards and features within all deployed software products and internal technical systems.

Management Systems and Processes

Examples of steps iPLATO has taken to support the comprehensive management of confidential information, alongside required strategies and/or improvement plans, include:

  • Appointment of a Data Protection Officer.
  • Implementation of a comprehensive Data Security & Protection Strategy.
  • Staff training in Data Security Awareness (via NHS e-learning).
  • Maintaining an Information Asset Register / Information Audit.
  • Maintaining Article 30 (GDPR) documentation.
  • Inclusion of key concepts into employment contracts and contractual arrangement with suppliers.

Legislation

The General Data Protection Regulation (GDPR), alongside the Data Protection Act (DPA) 2018, regulates the processing of personal data, held manually and on computer. The legislation applies to personal information generally, not just to health records. iPLATO makes every effort to comply with all aspects of the legislation, including specifically the requirements that advocate fairness and openness in the processing of personal information and respect for data subject rights.

Technical

Please see the iPLATO System Architecture document for detailed description of all technical approaches to security including both encryption and deployment within the N3. This can be provided separately upon request.

Does iPLATO have any accreditations?

iPLATO is an ‘Approved Service Recipient’ and has passed the NHS Digital Data Security and Protection Toolkit as a Commercial Third Party (CTP) supplier to the NHS. This is a mandatory requirement to support a direct connection to the NHS N3 network.

Registration details as follows: NNG01

What compliance standards does iPLATO meet?

UK data protection rules and codes of practice including the National Data Guardians Standards and the guidelines imposed by NHS Digital and client Trust Caldicott Guardians.

What impact has the GDPR had on iPLATO services?

The EU General Data Protection Regulation has been adopted into UK law through the Data Protection Act 2018. Although the regulations are extensive there was no user-perceived impact to any iPLATO product or service. The requirements that affected iPLATO primarily required documentary and/or organisational change. A summary of the key impacts is provided below.

Issue: Additional mandatory requirements imposed on Data Controllers and Processors – Under the GDPR iPLATO is required to comply with additional requirements imposed on controllers and processors of personal data.

Answer: iPLATO has completed the required Article 30 (GDPR) documentation, updated contractual documentation and adopted/modified applicable operational processes to cover the new requirements.

Issue: Additional information to be provided to patients who use the service on the processing of their personal data – Under the GDPR there is substantially more information, in addition to that required under the previous legislation, that iPLATO will need to provide to patients whose data is collected.

Answer: The enhanced transparency requirements are reflected in modifications to the iPLATO privacy policy.

Issue: New Patient Rights – The GDPR creates new rights and strengthens existing rights for patients. The two new rights under the GDPR are the rights of data portability and the right to be forgotten. iPLATO must be ready to action directly or assist Data Controllers in the event that these rights are exercised through the Data Controller. Additionally, for data subject rights, the time for response has been shortened to 30 days.

Answer: The new patient rights are being communicated to patients through the iPLATO privacy policy. iPLATO has put processes in place to ensure required data can be ported or deleted where applicable, on the right being exercised by a patient, either directly with iPLATO or through the applicable data controller.

Issue: Security measures and data security breach notification – The security requirements remain the same under GDPR; however, the time allowed for making security breach notifications to the regulator has been reduced. Where there is a significant breach of patients’ personal data, iPLATO is required to inform the regulator of this breach within 72 hours from first knowledge of the security breach.

Answer: iPLATO security measures remain fit for purpose, with the three cornerstones of confidentiality, integrity and availability. Processes and training are in place to ensure iPLATO can report a data breach within the newly required time.

Does iPLATO have a registration with the Information Commissioner’s Office?

Yes. Our registration number reference is ZA074488.

 

Section 2 – Practice Messaging

What is Practice Messaging?

Practice Messaging and its associated modules is a cloud-based middleware platform securely hosted within the N3 and integrated directly with NHS approved clinical systems. It has a variety of functionalities/features that include secure 2-way messaging with patients utilising both SMS and data.

Who is the Data Controller and who is the Data Processor?

GPs [and the relevant NHS CCG/organisation] remain Data Controllers. iPLATO is a Data Processor and simply processes the personal data of patients in order to provide the service to the GPs.

Who “owns” the data? 

GPs own all data that originates with them from an intellectual property perspective (referred to as Customer Data and Patient Data in our contract).  Patients, as data subjects, have rights in respect of their Personal Data and iPLATO and GPs have certain responsibilities in relation to such Personal Data.

What contractual commitments does iPLATO make in relation to the handling of personal data?

We have prepared and contractually commit to a data processing agreement that incorporates all of the requirements of data protection legislation including the new requirements under the General Data Protection Regulation.

Do GPs need a Data Sharing Agreement with iPLATO to launch Practice Messaging?

Yes, this is a key requirement under the General Data Protection Regulation. We include a straightforward Data Sharing Agreement in our standard customer agreement documentation. GPs are required to consent to all terms of the customer agreement (including data sharing) before launching Practice Messaging.

Is patient consent required for GPs to ‘share’ patient data with iPLATO to launch Practice Messaging?

The issue of ‘Patient Consent’ to data sharing is a legal issue that affects all GP Surgeries in their capacity as Data Controllers.

The data that Practice Messaging extracts from the clinical system is ‘sensitive’ in nature. Consequently, there is a higher bar to be met regarding the 1st Principle of the Data Protection Act. Therefore, in addition to schedule 2 we need to meet at least 1 (One) condition of schedule 3. The Act prescribes a number of ‘potential’ conditions that can be relied upon. Explicit patient consent is one, but another, more relevant condition relates to ‘medical purposes’, and remember we only need to satisfy ONE condition.

The processing is necessary for medical purposes ………………………… “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

The Act therefore is quite clear and patient consent is NOT required for a GP to ‘share’ special category patient data with iPLATO because we rely on the medical purposes condition.

What about ‘Privacy Notices’ at GP surgeries?

iPLATO provides various tools and collateral to all surgeries during the launch process that would support surgeries with their established Privacy Notices to patients. These tools include posters, leaflets, website and waiting room/patient call system videos.

What Personal Data of patients will Practice Messaging access?

Practice Messaging requires and has access to the full patient record as exists within the clinical system. This includes patient demographic information, the patient medical record as well as all appointment information regarding the specific GP surgery.

How will this Personal Data be used and who will it be shared with?

Different components of the patient record are used to provide different features of Practice Messaging. The Personal Data is NOT shared with anyone.

Do GPs and/or Commissioner organisations (eg: CCGs) need to carry out a Data Protection Impact Assessment before using Practice Messaging?

Yes, the GDPR does require the completion of a Data Protection Impact Assessment for various specific processing activities, including where processing of special category data is undertaken on a large scale or where new technologies are implemented.

However, we have significant experience helping CCGs with these assessments and can assist any organisation with template documentation and/or commentary on known IG risks.

Patient Communication Preferences: Can GPs send SMS messages to patients?

YES, subject to any relevant communication preferences that may be submitted by the patient to the GP (see below), it is completely fine for GPs to send SMS messages to patients.

  1. The use of SMS is ‘commonplace’; that is, there is widespread adoption and use of SMS across society and in Healthcare generally.
  2. Previously, NHS England used to centrally fund SMS messaging to patients. This has been replaced by a contractual obligation on Commissioners to fund Text Messaging services for GPs, and all GP clinical systems now have inbuilt basic SMS functionality.
  3. SMS sent by GPs to patients regarding bookings and appointments are service messages. They are not marketing messages and therefore the requirements of the Privacy and Electronic Communications Regulations on consent for SMS contact do not apply.

If GPs wish to use SMS to promote health initiatives (eg: clinics, vaccinations, etc) then Practice Messaging will support this. iPLATO always recommends a consent-based approach for this type of contact; however, ultimately the GP, as Data Controller, has the freedom to decide on the appropriate legal basis for processing.

What about patients who do not wish to receive SMS messages?

Regarding patient choice of communication method: GPs use many communication channels for patient interactions (phone calls, letters, emails, text messages, video/Skype calls etc.) and collect/record both the communication details (address, number, email etc) and the communication preferences of individual patients. In our experience, it is quite rare to come across a GP surgery that does not have operational processes for collecting and/or modifying patient communication details and preferences.

We deal with the matter of patient communication preference as follows:

  1. During service launch we modify the launch process to take account of any recorded patient preferences that a GP surgery may have pertaining to individual patients.
  2. During service operation Practice Messaging has functionality to include/exclude patients who withdraw or modify their communication preference re SMS messaging.
  3. On those ‘rare’ occasions when we come across a surgery that does not operate systems/processes to record and manage patient communication preferences, we always recommend the adoption of such processes and provide surgeries with general guidance on the topic.

Can patients opt out of Practice Messaging messages?

Yes. Practice Messaging has functionality to support patient opt-out.

 

Section 3 – myGP®

What is the myGP® App?

myGP® is an App developed by iPLATO for the exclusive use of patients. It is provided free of charge and distributed directly to patients by iPLATO through the Android and Apple App stores. The App is integrated directly to the patient’s medical records (via Practice Messaging and also via NHS supplied API’s). Additionally, the App contains features that collect and process patient generated data.

myGP® is not a GP Practice nor a Pharmacy and does not offer medical advice. myGP® facilitates important patient interactions with the GP surgery. This includes appointment booking and cancellations, prescription requests as well as generic messaging functionality. In addition, myGP® includes helpful tools to generate timely medication reminders as well as tools to assist patients in monitoring their personal health goals.

While certain information controlled, generated by, displayed within or stored in myGP® may be helpful in providing warning of certain medical or health conditions or circumstances, the App is not designed, nor may it be used as a device to detect, diagnose, treat or monitor any medical or health condition or to establish the existence or absence of any medical or health condition. The App is not monitored by medical Practitioners or other medical professionals.

Is iPLATO a Data Processor or a Data Controller with respect to myGP®? 

As regards the myGP® App, iPLATO is a Data Processor in respect of personal data that originates from a GP clinical system and a Data Controller in respect of patient derived personal data collected and/or processed by the App. Where iPLATO shares patient derived data with an NHS organisation, they will become Data Controllers in common for that information.

What data of patients will myGP® access?

myGP® requires and has access to the full patient record as exists within the clinical system. This includes patient demographic information, the patient medical record as well as all appointment information regarding the specific GP surgery. We call this information [GP Data].

Is patient consent required for GPs to ‘share’ patient data with iPLATO to enable myGP®?

The data that myGP® extracts from the clinical system is ‘sensitive’ or ‘special category’ in nature. Consequently, there is a higher bar to be met regarding the 1st Principle of the Data Protection Act. Therefore, in addition to schedule 2 we need to meet at least 1 (One) condition of schedule 3. The Act prescribes a number of ‘potential’ conditions that can be relied upon. Explicit patient consent is one, but another, more relevant condition relates to ‘medical purposes’, and remember we only need to satisfy ONE condition.

The processing is necessary for medical purposes ………………………… “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

The Act therefore is quite clear and patient consent is NOT required for a GP to ‘share’ special category patient data with iPLATO because we rely on the medical purposes condition.

Despite the above, all myGP® users provide explicit consent as part of their Terms of Use of the App.

Will myGP® collect any other data?

Yes.  Some registered users of myGP® may choose to input information into myGP® for example when they fill in forms in the App, use certain App Cards or send us direct communications.

We may also collect certain data about users’ use of the myGP® App such as:

  1. technical information, including the type of mobile device used, a unique device identifier, mobile network information, mobile operating system, and time zone setting;
  2. information either accessed through their device or stored on their device which they have explicitly consented to sharing, and the provenance of that data including the device used to collect that data, time, date; and
  3. details of their use of myGP®.

Not all of this data is Personal Data. We use it to better understand the use of the services and make improvements.

Collectively we call all of this data [myGP® Data].

Who “owns” the data?

GPs own their Customer Data and Patient Data and iPLATO owns myGP® Data.

Where is the data stored?

All data is held on servers in the UK.

How long is the data stored for?

All data, being both GP Data and myGP® Data, is stored as long as the Patient remains a registered user. Once a Patient de-registers all data is deleted or anonymised.

Additionally, under the General Data Protection Regulation (GDPR), iPLATO will comply with any legitimate requests for erasure of Personal Data from data subjects (the so-called ‘right to be forgotten’) within the required timescale.

Will myGP® data be shared with GPs and/or other 3rd parties and if so, is Patient consent required?

myGP® Data will never be sold to anyone and will only ever be shared with 3rd parties, including the patient’s GPs, with the consent of the respective Patient.

There are very limited exceptions to the above rule. Full details are contained within the App Privacy Policy; however, in summary the only exceptions are:

  1. If we are under a duty to disclose or share personal data to comply with any legal or regulatory obligation; or
  2. To enforce or apply our Terms and other agreements or to investigate potential breaches of such Terms; or
  3. To protect the rights, property or safety of iPLATO, our customers, or others.

What is myGP’s privacy policy?

Please see the myGP® user ‘Privacy Policy’ which can be viewed here:

https://www.mygp.com/privacy-policy/

Can GPs control the use of myGP® by patients?

myGP® is an App developed for the exclusive use of Patients. It is provided free of charge and distributed directly to Patients by iPLATO through the Android and Apple App stores. myGP® is provided for and available to all UK registered Patients. GPs, CCGs or other NHS bodies have no capacity to influence, restrict or control access to the App for any Patient.

Can patients ‘Opt-out’ of myGP®? 

Yes, Patients can cease using and/or uninstall the App at any time.

Is myGP® a GPSoC Lot 1 Service and what does this mean?

Yes. Under the central GP Systems of Choice programme, iPLATO has a framework agreement with the Secretary of State for Health, who orders services on behalf of GPs (the GPSoC Contracts). The scope of provisions in the GPSoC Contracts includes accreditation, deployment and provision of services, including patient facing services.

It is important to note that inclusion of myGP® on the GPSoC Framework is not a condition precedent to the provision of the App to Patients. iPLATO has provided and will continue to provide the App to Patients irrespective of the existence of and/or inclusion on GPSoC Lot 1 or any other concurrent or replacement NHS Framework agreement. In simple terms, inclusion on GPSoC Lot 1 provides a mechanism for iPLATO (or any other supplier organisation) to recoup operational costs of the App from the Department of Health.

No Patient or Commissioner organisation will ever be charged to download and use myGP® irrespective of the inclusion and/or assurance of the App as a GPSoC Lot 1 service.