IG and Security: Accurx Web

A more detailed look at security and Information Governance for Accurx Web

John F avatar
Written by John F
Updated over a week ago

For more general questions about Accurx's Information Governance click here; and Security follow the link here.

Do you have a DPIA?

As the data controller, when using Accurx, it is your responsibility to complete a DPIA. As a data processor, we cannot complete it for you. However, to be as helpful as we can, we have filled in the key parts of a template DPIA for Accurx Web.

Who has access to the patient data?

Healthcare practitioners are either authenticated by being required to log in via NHSmail Single Sign-on (SSO) and having their associated organisation (in SSO) matched to an allowlist of all community and acute trusts, or Vision and Microtest practices, or they have an allowlist of Trust email address.

What data do they have access to?

Users can only access patient data via the Accurx integration with the Personal Demographic Service (PDS) if they have both the patient’s NHS number and date of birth. To ensure accuracy and data minimisation, the only data returned is the patient’s name, gender and the last three digits of the patient’s mobile. This means that the user has the minimum information to verify that this is the correct patient.

The PDS search (NHS number and DoB) must return an exact match, so a user could not put in random NHS numbers, or search for a patient by name. The only personal data returned from PDS is the name, gender, and last three digits of the mobile number. The name is used to personalise the message and to confirm that the correct patient is chosen. An individual in possession of the NHS number and DoB would also have the name and gender. Name, DoB and NHS number make up the standard set of demographics. The mobile number is obfuscated except for the last three digits so that the number can be verified with the patient or another system.

What measures are in place to protect patients and their data?

  • Users have to agree to an acceptable use policy that includes confirming that the service not be used to communicate SMS messages that are sensitive or clinically urgent.

  • Accurx scans SMSs for abusive content and flags to its Clinical Lead if any are detected.

  • Full audit trails are kept of all searches and uses of the PDS integration.

  • Patients flagged as a safeguarding risk on PDS will not be returned in the search.

  • Any video consultations are not recorded or stored.

How secure are the video consultations?

The video consultation service is hosted by Whereby, which is fully compliant with GDPR.

A unique URL to the video consultation is generated and all participants are visible in the consultation, no third party can 'listen in'. The video and audio communication is only visible to participants on the call and is not recorded or stored on any server. The connection prioritises ‘peer-to-peer’ between the clinician’s and patient’s phone and follows NHS best practice guidelines on health and social care cloud security. For a more detailed explanation of how the security around the video consultations works, follow this link here.

Are they recorded?

No. The video and audio communication is only visible to participants on the call and is not recorded or stored in any form.

How is my personal mobile number used?

Your phone number is used to send you an SMS containing the link for the video consultation. Your phone number is not shared with the patient, or linked to your Accurx account.

Can I use my personal phone for the consultation?

Yes, as no patient data is stored on the clinician's phone.

If the clinician has a webcam and headset, the video consultation can be conducted on the clinician's desktop PC.

Is it NHS approved?

Yes. We are an NHS Digital approved supplier and also specifically an NHS Digital approved video consultation supplier. Accurx has successfully completed NHS Data Security and Protection Toolkit assurance (under NHS ODS code 8JT17), and has the Cyber Essentials Plus certification.

In response to this guidance, we have built many tools to support practices responding to the COVID-19 outbreak. Further information can be found here.

If you still have any questions or concerns, feel free to chat with us using the green message bubble in the bottom right-hand corner of this page. 👉

Did this answer your question?