These steps ensure that the use of the new functionality is safe, legal and meets NHS standards.
Checklist: what you need to do
1. Accept the Data Processing Agreement (DPA)
What is it?
A legally binding contract that governs the relationship between your organisation (Data Controller) and Accurx (Data Processor), ensuring that we only process personal data on your behalf and strictly under your instructions.
Why is it important?
It is a mandatory legal requirement under data protection laws. Without a DPA, both the data controller and the data processor can be held accountable for non-compliance with the UK GDPR.
Where to find it:
This will be linked from the in-product landing page that is visible to users within your organisation when you first click on Accurx Scribe.
An approved user (who holds the power to enter into a contract on behalf of your organisation) must accept the DPA during the opt-in process to enable the functionality for your organisation.
Your organisation won't be able to access the functionality until this has been accepted.
A copy of Accurx's DPA is available on our website.
You can also view Accurx's list of sub-processors.
2. Review clinical risk management assessment (DCB0129)
What is it?
A document showing that the AI tool has been safely built and tested, meeting NHS safety standards (DCB0129).
Why is it important?
Demonstrates compliance with mandatory NHS digital safety requirements.
Where to find it:
Contact our User Support team at support@accurx.com or use the in-product support chat to request a copy.
3. Complete your organisation’s clinical risk management assessment (DCB0160)
What is it?
Evidence that your organisation is ensuring safe use of the AI tool in patient care.
Why is it important?
This is part of a mandatory NHS safety process (called DCB0160). It applies every time you use software that can influence patient care.
What you need to do:
Appoint a Clinical Safety Officer (e.g. a GP or senior nurse)
Run a risk assessment workshop
Create a hazard log listing potential risks and mitigations
Document procedures for staff to raise safety concerns
4. Complete a Data Protection Impact Assessment (DPIA)
What is it?
A formal process to identify, assess, and mitigate the risks that a processing activity involving personal data may pose to individuals.
Why is it important?
It is a legal requirement whenever the type of processing is likely to result in a high risk to the rights and freedoms of individuals, such as when new technologies are used to process sensitive data.
What the law says a DPIA should include:
A systematic description of the intended processing operations and the purposes of the processing.
An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
An assessment of the risks to the rights and freedoms of data subjects.
The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the law.
When using Accurx, it is up to the data controller (your organisation) to complete a DPIA. As a data processor, we cannot complete it for you. However, to be as helpful as we can, we have filled in the key parts of a DPIA Template for Accurx Scribe.
If you still have any questions or concerns, feel free to chat with us using the green message bubble in the bottom right-hand corner of this page. 👉