As a data processor, we are aware of our responsibilities under GDPR legislation, and this statement lets you know what actions we have taken to help you with your own compliance as a data controller. We do, however, recommend that all businesses take their own legal advice around the GDPR so you can ensure that your company is compliant, or check the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The use of Civica Scheduling is very likely to be only one small element of the data you control. However, here's how we ensure that our relationship with you is GDPR compliant:
Security of data. All data stored on Civica Scheduling is stored on encrypted servers based within the UK. We have a procedure for ensuring that any data sent to us for importing is encrypted; the full document is available upon request. Here's a link to a support article about how to password-protect documents before sending them to us: https://malinko.zendesk.com/hc/en-us/articles/203563202-How-to-set-file-passwords-in-Word-Excel-and-7zip
Subject Access Requests. Under GDPR you will only have 30 days to respond to a subject access request. Civica Scheduling is likely to be only one of the places where you store information. We have created a tool that gives the customer all Patient or Staff data held on Civica Scheduling in a portable format (Excel file).
Data portability. We have always regarded data held in Civica Scheduling as your data and as such have always provided exports from the software in a portable format (either xlsx or csv file). This continues to be the case.
Security Breach notification. To date, we have not had a notifiable security breach, but we are not complacent. We are ISO2001 accredited (an internationally recognised information security management system set of standards) and have a Security Incident Reporting Policy and a Data Protection Policy, both of which are available upon written request.
Data retention. You will have competing priorities in terms of how long data should be stored and we cannot make that judgement for you. However, financial records must be kept for 6 years and much of the information held on Civica Scheduling could relate to financial information. Our Data Retention Policy is available upon written request.
Right to erasure. Any data held on Civica Scheduling can be put beyond use upon receipt of a written request. We have created a tool that replaces certain fields and makes the data record less identifiable while it remains suitable for data analysis and data processing.
Data Protection Impact Assessments. You may decide that you need to conduct a data protection impact assessment, especially if you add a new module onto Civica Scheduling after 25 May. We are experienced in completing these, so please don't hesitate to ask for assistance if required.
Update to Terms and Conditions. We have added a new condition to our terms. When logged into Civica Scheduling, go to Settings -> Subscription -> click on “terms” and refer to 9. Personal Data.
Also, as a supplier to the NHS, we are registered on the Information Governance Toolkit with Organisation Code 8J960. You can search for us on this NHS website: https://www.igt.hscic.gov.uk/ReportsOrganisationChooser.aspx?tk=431085843784992&lnv=3&cb=56fdc3a2-d932-4bba-b7f5-f260799460be&reptypeid=1