GDPR (General Data Protection Regulation)
We are regularly asked about GDPR and how it will affect healthcare practices and “whether ClinicOffice is compliant?”. This page should help to answer the most frequently asked questions.
GDPR is an EU regulation (full name: “General Data Protection Regulation EU 2016/679”) which came into effect across Europe (including the UK) from May 25th 2018.
The EU GDPR is an EU Regulation and it no longer applies to the UK. If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018).
The GDPR is retained in domestic law as the UK GDPR. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.
…is the wrong question to ask. ClinicOffice is a piece of software. GDPR compliance is about your working business practices.
The GOOD NEWS is that we have introduced new functionality into ClinicOffice v6 (from build 1094 onwards) to assist you in complying with GDPR, namely the Consent Manager feature which allows you to record and audit an unlimited number of ‘consent types’ for your clients and contacts.
Yes. We have reviewed our internal systems and policies and taken steps to make sure that all our business systems and working practices adhere to the guidelines recommended by the Information Commissioner’s Office (ICO).
We are also registered with the ICO as a Data Processor, registration number Z9867944.
The Information Commissioner’s Office (ICO) is the organisation responsible for enforcing GDPR (and the Data Protection Bill) in the UK. We recommend reviewing the documentation on their website and following their recommendations.
They have published a “Guide to the GDPR” document which is very helpful.
It means that we play a role in your GDPR compliance. As regards your data, you are the Data Controller and have ultimate responsibility for the personal data that you collect and store. Since you’re using the ClinicOffice platform, we (Pioneer Software) become a Data Processor in that we process the data for you.
For further information, please review the following document:
– ClinicOffice Software as a Service (SaaS) Terms & Conditions
Yes. All our servers are provided by IOMART and are hosted in highly secure UK data centres which are ISO9001 and ISO27001 certified. Furthermore, all data is encrypted (including in transit) and is protected by strong passwords on the servers.
For more information on IOMART’s certification, infrastructure and security, please see the following link:
– IOMART Accreditations
Q. What if there’s a personal data breach?
In the (incredibly) unlikely event that an unauthorized person is able to breach the MANY layers of security that we have implemented on the hosted platform, and get access to your data, then under Article 33(2) we (as the Data Processor) must inform you without delay as soon as we become aware of this, and in turn you (as the Data Controller) would be responsible for notifying the ICO and your clients.
A more likely data breach scenario would be if one of your ClinicOffice users were to:
(a) leave themselves logged on to an unattended computer (or device), allowing an unauthorized person to have access;
(b) use an insecure password or the same password they use for other systems, which an unauthorized person can guess; or
(c) leave the employ of your company but you forget to revoke access, thus allowing them to access data they are no longer entitled to;
…and so on and so forth.
In these situations, since we (as the Data Processor) only provide the platform for the Hosted Edition, we’re not responsible for whom you (the Data Controller) allow to access the platform, hence it would be solely your responsibility under Article 33(2) to notify the ICO and your clients.
This further helps to illustrate why working practices are far more relevant to GDPR than the software you use. For more information regarding personal data breaches see this article on the ICO website.
Only if you are on our Support Plan and you use our “PS Auto Backup” to back up your database and upload it to our servers. If that is not the case, then we do not “process” your data and have no involvement in your GDPR compliance.
It means that we play a role in your GDPR compliance. As regards your data, you are the Data Controller and have ultimate responsibility for the personal data that you collect and store. Since you upload backups of your database to us, we (Pioneer Software) become a Data Processor in that we store (or “process”) the data for you.
For further information, please review the following document:
– ClinicOffice Support Plan (COSP) Terms & Conditions
We’re not experts on UK GDPR or the Data Protection Act and we’d always recommend going to the official site of the Information Commissioner’s Office (ICO). However, if you have any questions from a ClinicOffice perspective, then please feel free to give us a call on 01205 205500 and we’ll be happy to assist you.
Click here for other ways to contact us.