Security and Privacy of your data
We take a lot of precautions to ensure that your data is both secure and private. IT is our business and we spend a lot of time thinking about these issues and putting them at the core of our activities. Below you will see a long list of things we do to ensure privacy and security. However, it is important to remember that, firstly, there are a few basic precautions that you can take in your office to ensure security.
For instance, we advise that you should:
- Know you are responsible for which staff you give access to.
- Ensure that you restrict access to Civica Scheduling where possible; do not give login details to all staff without first thinking about why they would need to access it.
- Ensure you do not share login details with anyone.
- Ensure you do not put your login details on a post-it note and stick it to your monitor.
- Choose secure passwords (here's some advice: http://www.wikihow.com/Choose-a-Secure-Password)
- Change your password if you suspect your account has been compromised.
- Archive all staff who have left.
In return, this is our side of the bargain:
- All logins are password protected. We automatically generate high-strength passwords, and once you have logged in you can change the password.
- There are different access levels for different users, so only some users can access the settings.
- All connections are encrypted using HTTPS.
- We can arrange to send a full copy of your data to you on a weekly/monthly/periodic basis. You are also able to download data and reports at any time in a format that can be loaded in a spreadsheet.
- Data access for Civica Scheduling staff is restricted to the IP address of our office. There are three members of staff at Civica Scheduling and you are welcome to visit our offices at any time for auditing purposes.
- All Civica Scheduling staff have a DBS check in place. Any staff who may possibly get access to patient data also have BS7858 security vetting clearance in place.
- All Civica Scheduling employees undergo annual data security training as part of our commitment to the DSP Toolkit and ISO 27001.
- Civica Scheduling is a hosted service, with all data held in Civica Scheduling hosted by AWS across multiple availability zones within the UK.
- Data recovery: we back up your data multiple times a day and these backups are stored offsite on another server to ensure that no data is lost. In the event of a complete catastrophe we would be able to get your data back - it would never be lost.
- The Civica Scheduling software is backed up separately from the data, and again backups are stored in a separate physical location from the main servers. This ensures that, for business continuity, we can set up the system on an entirely new set of servers from backups in the event of multiple failures or unavailability of our providers.
- We store the IP address of the most recent login on all our accounts.
- We automatically delete data from mobile devices when their account has been closed.
- If required, we can restrict access to your account so only specific IP addresses can log in. This is a chargeable service. However, this would prevent mobile users from accessing the system other than via a VPN, and would prevent home users from accessing via a VPN unless they are on a static IP address, which is unusual for domestic internet connections.
- Data segregation: There are multiple checks within the code to ensure that data being requested is only accessible to the correct account.
- We follow industry best practices and react to security advisories as soon as we are aware of them. We are aware security is a continual process, rather than a single achievement.
- We can arrange an escrow service, in which a separate organisation holds a copy of all your data and a copy of the code that Civica Scheduling is written in, to cover the unlikely event that Civica Scheduling is no longer trading. This is a chargeable service to set up and you would hold a contract with the third party escrow company. However, Civica Scheduling has been around for over 10 years - we are not a new company with a single activity.
- All pages within the app which are viewed or edited, and any autoschedule actions taken, are recorded in an Activity Log. This is an auditable trail of activity taken by users. It is available upon request from the Civica Scheduling support team.
- We are registered with the Information Governance Toolkit in order to handle NHS data. Our organisation code is 8J960.
- Civica Scheduling holds potential personal data about both staff and patients. The staff personal data stored is normally:
- Employee reference
The patient personal data stored is normally:
- Telephone number
- Date of birth
- NHS Number*
- Type and frequency of interventions*
*These data points are regarded as special category data under GDPR, as they are types of health data.
We are happy to discuss any further concerns you may have about data security and privacy, so please do not hesitate to get in touch if you have any questions.