Privacy and Security: Patient Photos

This article talks through some questions related to security and information governance of photos and storage.

Written by John F

You can request photos from patients in our EMIS, SystmOne & Vision integrated product, Accurx Desktop - see here for more details on how to do this!

Do you have a DPIA that covers patient photos?

As the data controller, when using Accurx, it is your responsibility to complete a DPIA. As a data processor, we cannot complete it for you.

However, to be as helpful as we can, we have filled in the key parts of a template DPIA for requesting patient photos using Accurx.

Should I save photos submitted by patients to record?

Use your clinical judgment to decide whether a photo should be added to the medical record.

For example, if you think a photo will help document your clinical decision or help track the progression of a wound, then you could decide to save it. Whereas if a photo is sensitive and you would prefer that colleagues don’t see it, you may decide not to save it to the record.

Am I allowed to save patient photos to the record under UK GDPR?

Yes, as with the processing of other patient data, the lawful basis for processing and saving photos submitted by the patient is the provision of health care or social care services: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Where and how are photos stored?

Accurx data (including photos) is hosted on Microsoft Azure servers in their London Data Centre. All data sent is encrypted when in transit (when it is sent) and at rest (when it is stored). Accurx follows the Microsoft Azure NHS Blueprint for Platform-as-a-Service web applications, specifically designed for NHS services. Please see here for more information on Cloud Security and for further information on Azure Storage encryption, click here.

How long are photos stored?

Patient photos and files - along with other patient data - are kept in line with the Records Management Code of Practice for Health and Social Care 2023. This requires us to hold records on behalf of healthcare organisations until 10 years after a patient has died. However, we would delete the data earlier than this code suggests in the following cases:

  • We are asked by your healthcare provider to delete this data at the end of our contract with them;

  • In response to an erasure request you have sent your healthcare provider in line with your individual rights under data protection legislation, where they ask us to assist with it (see more details below).

Can Accurx access patient photos?

This is not routinely possible for Accurx members of staff. As with other record systems, we are required to be able to access patient data in exceptional circumstances to fulfil our legal obligations as a data processor, such as deleting the photo or assisting the data controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR.

If such access is required, only designated Accurx staff can access the data we store on the London Microsoft Azure Data Centre servers. Extensive controls are in place, a full audit trail is kept, and no staff member would view any photos as part of this process.

Can I delete photos from Accurx?

Yes, you can delete a photo once it has been received - see here for how to delete a photo and for a further explanation of photo deletion. 👍

We follow NHS Digital IG requirements, which require us to keep a photo for audit trail purposes, even if you have deleted the file in our platform. We can only physically (i.e. permanently and completely) delete a photo from the audit trail that we hold in response to 1) receiving a valid physical deletion request, or 2) relevant court orders or other legislative circumstances.

Is Accurx NHS approved?

What security credentials does Accurx have?

Accurx has successfully completed NHS Data Security and Protection Toolkit assurance (under NHS ODS code 8JT17), and both the Cyber Essentials and the Cyber Essentials Plus* certification.

We are fully compliant with DCB0129, which is for manufacturers of health IT software such as Accurx, and we have been assured by NHS Digital against this standard.

N.B. DCB0129 applies to Accurx products but DCB0160 does not.**

Is Accurx UK GDPR compliant?

We comply with GDPR and all NHS rules and regulations on IG. You can find more information here on our Security for Healthcare Professionals page and the Privacy, Information Governance & Security Centre.
