Working in healthcare, privacy and clinical safety are the building blocks for everything we do. As a company, we will never sell patient data and will always strive to build products that are clinically sound and tested to a strict and rigorous standard. Our company was founded by working NHS clinicians and we carry their ethos into everything we do.
eConsult Health Ltd (eConsult) takes the security and protection of personal data very seriously. We are committed to providing a compliant approach to data protection. We have always had a robust data protection and information security program in place which complies with existing law and abides by the data protection principles. We reviewed this program to ensure that it met the requirements of the EU General Data Protection Regulation (“GDPR”) which came into force on 25 May 2018 and reviewed it once again when the UK left the EU.
The EU GDPR is an EU Regulation and, as such, no longer applies directly to the UK. eConsult operates inside the UK and therefore must comply with the Data Protection Act 2018 (DPA 2018).
When we process any personal data, we do so according to the data processing principles of the GDPR as defined in this legislation.
The eConsult Health Ltd GDPR and Data Protection and Information Security Compliance Statement provides further details about how we are committed to ensuring the security and protection of the personal information that we process and the technical and organisational measures that are in place to protect it.
Our Clinical Governance Board comprises NHS GPs, clinicians and specialists of consultant or equivalent seniority. The Board meets regularly to undertake content reviews and ensure that eConsult always adheres to the latest guidance and the highest safety standards.
Our Clinical Governance Lead and Information Governance Lead meet monthly to maintain our hazard logs and safety case and identify any new potential risks or Data Protection Impact Assessment (DPIA) requirements.
We have followed the MHRA guidance on medical devices, appointed a Clinical Safety Officer and applied the standards defined in DCB0129/DCB0160, and will continue to do so.
Our clinical governance team is award-winning: winners of the Patient Safety Awards for clinical governance in 2018 and finalists in 2019.
Award-winning Clinical Governance
eConsult is safe. eConsult always alerts patients who report a serious symptom or a medical emergency. Our red flag system immediately directs patients to seek the most appropriate care.
Following the MHRA guidance on medical devices, we have appointed a Medical Safety Officer and applied the standards defined in DCB0129/DCB0160, and will continue to do so.
We are proud winners and finalists of several Patient Safety Awards.
Data is kept secure at all times
- We encrypt patient details for their entire journey into your practice
- We store patient data in line with the Records Management Code of Practice, as set out in our DPIA
- Built on a secure framework, our platform has protection against common web application attacks (e.g. cross-site scripting (XSS), SQL injection and HTML injection)
- We score highly on regular penetration tests carried out by independent, external providers
- Our infrastructure was configured by a CISSP-certified architect
- All interactions with the website are over a secure connection using up-to-date encryption (TLS v1.2, strong key exchange and strong cipher suites)
We’re always fully compliant
- You can read our GDPR compliance and security statement here
- The privacy notice for patients is written in plain English, and makes the legal rights of the patient clear. You can read it here
- We have appointed a Data Protection Officer, in line with our responsibilities for handling sensitive data, who can be contacted at email@example.com
- We take every precaution to ensure we are compliant
- eConsult Health Ltd has submitted the Data Security and Protection (DSP) Toolkit at Standards Exceeded under OJS Code 8JJ28
- We comply with the National Data Guardian recommendations
- Our platform is hosted in a Tier 3, ISO 27001-certified data centre, behind HSCN
- We are ITK compliant and certified to send data to the GPSoC providers over MESH
- We hold ISO 27001 certification
Medical Indemnity and Guidance
The Clinical Negligence Scheme for General Practice (CNSGP) covers activities commissioned under a GMS, PMS or APMS contract (or related enhanced primary care elements under an NHS Standard Contract), whether a provider delivers the services directly or under a sub-contract.
The scheme coverage extends to nurses/ANPs and other practice staff who are carrying out activities in connection with the delivery of primary medical services. The location of the services being provided and whether they are digital or face-to-face will not affect the cover.
The services/consultations must be provided under a GMS/PMS/APMS contract, and the consultations themselves must be connected to the diagnosis, care or treatment of a patient.
Guidance on features
eConsult will always support you and listen to feedback about how to improve our product both for you and for your patients. For example, during COVID-19, with the increasing use of photo uploads, we strengthened the information provided to patients about who views optional photo uploads, what happens with photos that are uploaded, and which types of photos are not appropriate to upload (see our guide for practices).
Guidance of relevance from other bodies:
We hold ourselves to high standards of excellence
ISO/IEC 27001 is a specification for an information security management system (ISMS), a framework for an organisation's information risk management processes.
This certification (Cert No. 20623) covers the provision of software-developed medical and digital health products, including the company-wide IT security management processes for the operations, development and support services we offer, implemented in accordance with the Statement of Applicability (SOA) Version 1, dated 3/12/2021, at the following locations:
- London, England
- Brighton, England
To request a specific certification for an audit, please contact Security@econsult.health
Cyber Essentials Plus
Cyber Essentials is an effective, Government-backed scheme that assesses companies' security measures in the following areas:
- Boundary firewalls and Internet gateways
- Secure configuration
- Device locking
- Security update management
- User access controls
- Administrative accounts
- Password-based authentication
- Malware protection
eConsult has demonstrated compliance with these requirements and holds Cyber Essentials Plus (CE+) certification.