About patient data
Patient data used in Accurx products is protected with the same high security standards we use for all data. We build the platform in line with NHS Digital Information Governance Standards that require us to keep records following the Records Management Code of Practice for Health and Social Care and retain an audit trail of all data that passes through our communication platform (specifically GP-IG-11-3 and GP-IG-11-4). This audit trail includes patient data.
Practices remain in control of this data in the audit trail. It's there so that you can 're-constitute' the information that was in there previously, to aid you with investigations etc.
We will physically (i.e. permanently and completely) delete patient data in this way in response to:
A valid physical deletion request from the provider itself, or
Court orders or other legislative requirements.
Deleting Photos in Accurx Desktop
Desktop users can delete a photo once it has been received, so that it is not visible to colleagues viewing the patient’s communication record. However, an audit trail will remain (see below for further information).
You can do this by clicking the delete icon (highlighted in red) next to a photo you've received into your inbox 👇
How do we ensure the request to delete data from audit trails is valid?
Accurx acts as a data processor, and so we have to be sure that we're taking our instructions from someone with authority at the data controller. This is especially important with regard to the audit trail. The NHS Digital IG standard sets out how we should do this.
This must take the form of a specifically authenticated and validated written request from an organisation’s Caldicott Guardian or Privacy Officer, co-signed by a senior clinical representative.
It's best to include as much evidence as you can of these people's status, such as your Caldicott Guardian registration, or public evidence of the senior clinician's status at the organisation (e.g. staff page on the website).
You can send this request to firstname.lastname@example.org. They may ask you for more information to make sure the request can be validated and carried out. Our Information Governance team will task a senior engineer with securely deleting the data. A record of this action and the written request for it are retained in a secure log by Accurx.
Making a valid request
Making a request for a copy of patient data and/or deletion
Accurx is a Data Processor, and so we cannot delete patient data or supply patients with a copy of the data we hold on them unless the request comes directly from the Data Controller. This is as per UK GDPR.
Your registered primary healthcare provider will need to request a copy/deletion of data on behalf of the patient.
An example template on how this needs to be submitted by the registered primary healthcare provider can be found below.
Example template requesting data deletion
You can find an example template Word document to complete and send to us for the types of requests you may receive.
Please note: The request MUST contain two separate signatures. One must be from a Senior Clinician and the other from the practice's Caldicott Guardian. If these are not supplied, the request will be returned and will not be completed.