As a network provider, X-on stores data on calls (originating number, terminating number, time and duration). This is a requirement under Ofcom regulation and is not specifically related to Patient Identifiable Data (PID).
The NHS guidelines allow for storage of PID within the cloud provided the required security standards are met, and the data is contained within the England boundary. X-on cloud storage meets these audited requirements.
Stored in the Cloud
Specific information on the security of call recordings.
X-on store information on text messages sent to patients and call recordings as detailed in the feature set of Surgery Connect. The storage of this and other data is governed by the DSP Toolkit (NHS data security standards) regulations and X-on is a registered supplier.
Some key aspects of the requirements to which we adhere:
- Call recordings and SMS Messages are encrypted at rest
- Call recordings are accessed through secure encrypted connections via password controlled access
- All data is permanently deleted after agreed retention periods
- All data is securely held in UK data centres under control of X-on
- Geographic redundancy to avoid data loss in a major disaster
An introduction to integration with clinical systems.
Clinical System Integration
With Clinical System Integration, such as EMIS and SystmOne, we temporarily store data during the identification of patients extracted from the clinical system database. This is in line with the Caldicott principles such that the minimum amount of data required to identify uniquely the patient is used, for example the calling number and month of birthday. This data is then permanently erased after use.
Cloud storage provides clear advantages over traditional on-site systems. Along with the cost benefits, there is peace of mind that comes with knowing your data is stored safely off-site, and not at the mercy of good fortune as is the case with local backups, where fire, flood, theft, accidental deletion, malware or internet attacks may result in permanent data loss.
X-on maintain geographic redundancy via dual sites to avoid data loss in any major disaster.
Access to encrypted data is restricted to authorised users with appropriately strong passwords, and meeting preset criteria. For example, call recording access can be restricted to extensions or phone numbers dialled, or to defined IP addresses or ranges, public or private.
X-on adheres to the principles of the General Data Protection Regulation (GDPR), which will become law in March 2018. As such we hold liability for a data breach if this occurs in our network. Our customers are provided with the ability to download call recordings on to client PCs (e.g. over the N3 network) and responsibility for the data passes to the client once this download is complete.
Security Compliance Standards
X-on maintains accreditations with ISO 9001 (Quality Management of Systems requirements), ISO 27001 (information security standards), ICO (data protection act compliance), DSP Toolkit (NHS data security standards), SBS CARAS2 Framework, are a Crown Commercial Service and RM1045 Supplier, and are PCI-DSS (credit card security rules) Level 1 Providers.
For more help with maintaining Patient Data Security in the cloud please call the Sales Team on 0333 332 0000.