Patient-Level Data
Who can see Patient Identifiable Data (PID)?
Access to PID is strictly controlled within Ardens Manager, for further information on this please see our enabling patient level data article.
Is my Patient Identifiable Data (PID) shared within Ardens Manager?
No, PID is only available for users with direct access to the Data Controllers account. Aggregated data may be shared within the site subject to a Data Sharing Agreement (DSA).
Can I export Patient Identifiable Data (PID)?
Yes, providing the correct authentication checks have been passed, users can export a list of patients. This functionality allows users to import a list of patients into EMIS Web or SystmOne for actioning, for example, a review.
How do Ardens keep our patient data safe?
At Ardens we highly value the importance of safeguarding patient data, the Ardens Manager product has been assured and approved through the following accreditations:
- NHS England IM1 integration
- Cyber Essentials Plus
- ISO 27001
- DCB 0129
- NHS Data Security and Protection Toolkit
Furthermore, a Security Operations Centre (SOC) is in operation to monitor for cyber threats.
Where is the data stored and is it encrypted?
All data is encrypted at rest in accordance with AES-GCM 256 and transmitted encrypted over Transport Layer Security (TLS). Additionally, all data is stored within the United Kingdom.
Do you provide any guidance to practices on how to use the Ardens Manager, to reduce the risks of manually uploading Patient Identifiable Data (PID) data?
Within Ardens Manager there are warning messages which are displayed at instances where a practice has the potential to manually upload any PID. However, we do also outline that it is the users responsibility to ensure that they do not send us any patient identifiable data in our Privacy Policy.
General
Do you have a Data Protection Impact Assessment (DPIA)?
As a Processor, Ardens does not have a statutory duty to complete a DPIA but we have completed an 'Ardens Manager Information Governance Review' which can be used by Controllers (i.e. GP Practices) to form their DPIA.
Is there an audit of actions taken within Ardens Manager?
Yes, audit logs are securely kept of activity undertaken within Ardens Manager.
Has Ardens Manager been penetration tested in the last 12 months?
We undertake annual penetration tests in accordance with industry standards and those set out by NHS England. Additionally, quarterly vulnerability scans are completed. If you would like more information on this please let us know.
Your Privacy Policy states 'Ardens reserves the right to share any anonymised data with third party organisations'. What is the the nature of these purposes and what third parties the data may be shared with?
The data shared will only be anonymous aggregate and for the purpose of identifying largescale healthcare trends to benefit the NHS.
No third parties currently have access to any data on Ardens Manager, nor have been planned to but if and when they do we will identify these on our Privacy Policy.
Does the benchmarking data you provide to other practices, groups (e.g. ICB) or any other third party allow other practices to be identified?
The practice has to consent to sharing their data with the other organisations before the practice can be identified.
How are my video conferencing meetings processed and stored?
Video conferencing on Ardens Manager is hosted by Jitsi and are encrypted on the network using DTLS-SRTP. Meetings are not recorded or stored by Ardens Manager or Jitsi. If a user wishes to record a meeting they can store the recording on a separate Dropbox account. All participants are notified if the meeting is recorded.
Data such as chats and speaker stats are stored for the duration of the meeting and then destroyed once the meeting ends. For more information on Jitsi Security, please see their website.
If you have any further questions at all, please contact us.