Supplier Governance Overview

Last Updated: May 18th, 2021

About this document

Under Article 28 of the UK GDPR, Data Controllers must only use Data Processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the Regulation.

The purpose of this document is to provide those guarantees to you as the Controller. We hope that it answers any questions you may have about Dental Audio Notes and our product, but if you have any further queries please contact adam@dentalaudionotes.com.

As a Data Controller you have a variety of responsibilities which already apply to your day-to-day operations. We have sought to help you with those requirements applicable to your use of DAN as much as we possibly can, including:

To ensure that your use of our solution is fully compliant you should also:

About Dental Audio Notes

Dental Audio Notes (DAN) exists to improve clinical record keeping and make life easier so that you can concentrate on looking after your patients and continue to constantly strive for excellence in your work.

DAN acts primarily as a processor and occasionally as a controller. We are committed to protecting and respecting privacy and complying with the principles of the GDPR. We are registered with the Information Commissioner’s Office: ZA761741.

This document should be read in conjunction with our EULA, Privacy Policy and Data Protection Impact Assessment.

Details of DAN’s Processing

All the relevant details of processing of personal data by DAN on behalf of our clients can be found in our Privacy Policy.

Information security standards

To keep information safe, DAN applies a number of information security standards, measures and policies to our business and product. These are reflected in our Data Protection Policy and Procedures. We keep the full policy internal so that its detail cannot be used to identify weaknesses in our operation; however, to provide you with assurance we have summarised our key information security policies here:

Physical security measures

All data processed by DAN is held off site on servers provided by AWS.

This means that we benefit from the security standards of AWS infrastructure, which holds ISO 27001, ISO 27017, ISO 27018 and ISO 9001 certifications. For more information on the physical security standards which DAN benefits from by virtue of AWS, please refer to the sub-processor section of this document.

Breaches and subject rights management

Two key aspects of strong information management standards from a data protection perspective are the handling of breaches and subject rights requests.

Breaches:

To oversee the remediation of any data security incident appropriately, Dental Audio Notes has implemented Data Security and Protection breach reporting policies. These set out the standard to be observed when assessing, remediating, recording and communicating security incidents, and the processes to be followed by staff at all levels when an incident occurs.

These processes reflect the reality that Dental Audio Notes, in its relationship with clients, acts as a processor and therefore does not have the legal authority to notify data subjects or the data protection authority of a personal data breach. A processor's obligation under Article 33(2) of the UK GDPR is instead to notify the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own notification deadlines; our breach reporting processes are therefore directed at notifying and assisting you, the controller.

The process has been set against NHS Digital Data Security Standard 6. It has not yet been invoked in practice, as no personal data breaches have occurred in the last 12 months or at any time previously.

Subject Rights:

As with breaches, Dental Audio Notes in its capacity as a data processor has limited responsibility in respect of data subject rights requests.

However, Dental Audio Notes recognises the legal rights of those whose data it is processing. Dental Audio Notes shall ensure that appropriate policies and procedures are maintained to ensure that its employees are able to recognise information rights requests and handle them appropriately when they are exercised.

This will include a notification without undue delay to the controller where appropriate and the provision of assistance to the controller in the fulfilment of rights requests.

In particular, DAN makes available tools for clients to fulfil rights requests from patients as easily as possible.

Sub-processors

In order to deliver our services we need to engage a small number of subcontractors.

In the context of our relationship these entities are sub-processors. As such, we ensure that every subcontractor which handles your data has been risk assessed and has entered into data processing terms equivalent to those in place between us.

Details of these sub-processors can be found here:

BCDR and Backups

To ensure the continuity and recoverability of our critical information, applications, systems and networks, Dental Audio Notes has designed and implemented a Data Security and Protection Incident Plan in line with NHS DSP Security Standard 7. Key features of this include:

External assurance

DAN engages specialist data protection consultants to help ensure that our services comply with applicable data protection law and that we can deliver the best possible assurance to our clients.

Additionally, the DAN solution has been designed with the NHS DSP Toolkit in mind, so as to pose minimal issues for any client looking to implement it.

Finally, penetration testing was carried out by an independent, CREST-approved third party before the system went live, with all recommendations implemented and any vulnerabilities found patched. Penetration testing is then repeated at least every 12 months to ensure the continued security of the solution.