Data Security: Are you GDPR ready?

On 25 May 2018, GDPR, the EU’s new regulation on data protection, comes into force. GDPR essentially supersedes the Data Protection Act, placing additional obligations on all organisations to ensure any personal data they hold is collected on a lawful basis, used only for the purposes for which it was collected, and stored and processed in a way that protects it against damage, loss and unauthorised access. The regulation also strengthens individuals’ rights to access the data held on them and to request its deletion. The UK government is expected to introduce at least equivalent controls after Brexit.

GDPR makes ‘privacy by design’ (data protection by design and by default, in the regulation’s own wording) an express legal requirement, and mandates that organisations dealing with special categories of data (including health data) introduce stringent controls to ensure this data is stored and processed securely. While the regulation is not particularly prescriptive about how this should be achieved, it will be much harder to justify keeping clinical records on paper or saved locally on devices once it applies, given their susceptibility to theft or accidental loss.

With potential fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, organisations in the health and care industries simply cannot afford to be complacent. Many organisations are, quite sensibly, turning to cloud-based platforms such as Qunote to help them meet their obligations.

At Qunote, we are committed to helping our clients fulfil their obligations under GDPR, providing a compliant, cost-effective and easy to implement solution for securely storing and sharing clinical records.



Secure storage

Records and notes can be recorded directly into the Qunote system, saving the need to keep paper records or store notes locally.

All Qunote data is stored on a dedicated server hosted in a secure UK data centre. The data centre is protected by its own compound, 24-hour manned security, CCTV, and access restricted to named personnel. Data is backed up daily to a separate secure server cluster, also located in the UK, with backups held on a seven-day rolling basis, and the hosting network is protected by two high-performance firewalls working in tandem. Note that a seven-day rolling window means a record deleted or corrupted more than seven days ago can no longer be restored from backup, so deletions should be confirmed promptly.

Communication with the server is encrypted using Transport Layer Security (TLS) with a 2048-bit certificate key. The 2048-bit figure describes the length of the server certificate’s key, not the strength of the session encryption itself, which depends on the TLS version and cipher suite negotiated. We are currently working on a system update, due for release in spring, to encrypt data at rest; until that update ships, stored data and backups are protected by the physical and network controls described above rather than by encryption.

Both Qunote’s server team and the data centre are certified to ISO 27001, the internationally recognised standard for information security management systems.


Privacy by design

Ensuring privacy by design within internal systems and processes is a central tenet of GDPR. Every aspect of the Qunote system has been designed with privacy in mind.

Login is protected by a triple-level entry system, and user access to functionality and client data is permission driven. You have complete control over which parts of the system and which client files your users can access, and permissions can be amended at any point. Should you need to revoke a user’s access entirely, for example when a member of staff leaves, this can be done at the click of a button.

Database logs of user activity are maintained and can be provided to you on request, helping you establish who accessed or changed what, and when, in the event of an internal data breach.


Data management made simple

Under GDPR, you must be able to access, correct or delete the data you hold when required, for example in response to a subject access request or a request for erasure.

Qunote’s comprehensive search functions make it easy to manage the data you hold, allowing you to quickly find notes on a client’s file going back several years. By setting up different client groups, you can archive closed cases while retaining easy access to the data should you need it, such as in the event of a subject access request.

Data stored in Qunote also meets GDPR’s data portability requirement. The vast majority of data held (client records, notes etc.) can be exported directly from the system; anything that cannot be exported directly can be extracted from the database and provided to you on request. GDPR requires portable data to be supplied in a structured, commonly used and machine-readable format, so choose export formats that meet that test when responding to a portability request.


Secure collaboration

Sharing sensitive information by email, which is typically unencrypted in transit and at rest and therefore vulnerable to interception and misdirection, will be increasingly difficult to justify under GDPR.

Being cloud-based, Qunote makes secure collaboration easy, removing the need to use email to share sensitive information. When you add a note or document to a client’s file in Qunote, other members of your team with access to that file can see it immediately, wherever they are, over the same encrypted connection.


Internal security and disaster recovery

Qunote has a robust information security management system (ISMS) and disaster recovery process in place, and has implemented the controls identified in ISO 27002. We are mindful of the evolving nature of information security threats, vulnerabilities and impacts, and we continually reassess our use of information security controls.



For more information about Qunote, call us on 01303 863816, or email us at info@qunote.com

Further details on GDPR can be found on the Information Commissioner’s Office website.
Visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/