At K.M.Medical Software, our company mission is to help build a better interaction between you and your client. We believe that the protection of our customers’ and their end users’ data is fundamental to this mission.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that comes into effect on 25 May 2018. It updates existing data protection law, places greater accountability on organisations that use personal information and gives individuals greater control over their personal data. The GDPR harmonises data privacy law across the EU and mandates how organisations collect, store, modify, delete and otherwise process the personal data of individuals in the EU. It applies to any organisation that processes such data, regardless of whether it has a physical presence in the EU, for example because it offers goods or services to, or monitors the behaviour of, people in the EU.
During development of the software we assessed the risks in processing personal data and remediated them with mitigation processes and risk control measures. This is reflected in all of our software.
All of our processes are documented and auditable. We adhere to the regulation and have built our data processing obligations into those processes.
K.M. Medical Software Limited is certified to ISO/IEC 27001, the international standard for information security management systems. The certification covers all of our operations, including software development, support and transcription services.
Encryption in transit
Connections to our servers and all of our data transport mechanisms are protected with industry-standard 256-bit encryption. This ensures that no one can read or tamper with your data or your patients’ data while it is in transit.
Encryption at Rest
Your data and your patients’ data are always stored encrypted and can be accessed only over encrypted channels. This ensures that only the intended persons, who hold the correct encryption key together with an appropriate password, can access your data and your patients’ data.
Stored and processed in Ireland
By default, all of your data and your patients’ data are stored and processed within Ireland. If any processing outside Ireland is proposed, we will explicitly notify you in the Data Processing Agreement.
GDPR Designed into our Software – Privacy by Design
All of our software includes security features that help you achieve compliance with GDPR, with built-in features that support accountability. This includes our communication channels: digital fax, SMS text and email. All of this communication is encrypted.
Where consent is your lawful basis for storing a patient’s sensitive healthcare information, you must obtain it from the patient, covering the purpose for collecting and storing the data, with whom it will be shared and their communication preferences. We have built compliant consent forms for this purpose and they are available for you to use within the platform. These consent forms also cover the processing of children’s data.
Access to Personal Data
Under GDPR, the patient is the data subject and has rights over their data. You must give patients access to their data so that they can verify its accuracy and have it corrected, and you must be able to share their records easily and transparently if they request it. Our patient portal facilitates this by sharing data securely with patients.
Authentication and authorisation features in our software ensure that only the intended persons can use it. Passwords must meet complexity requirements and should be changed periodically.
Our software keeps an audit log of all transactions. We have also implemented additional features to enhance its secure use: reporting and real-time information show you when data was accessed, from where and by which user. This supports monitoring and ad-hoc auditing of system activity.
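The kind of check a practice can run over such an audit log, as an added example and not code from K.M. Medical Software. The JSON-lines log format, its field names (ts, user, patient_id, src_ip, country) and the sample entries are all constructed for illustration; the platform’s real log format is not described on this page. The example produces the who/when/where report described above and flags two things a practice manager would want to see: access from outside Ireland, and a single user opening many distinct patient records in a short window.

```python
"""Spot-check a patient-record access log for out-of-country and bulk access.

Added example, not K.M. Medical Software's code. The JSON-lines format, the
field names and the sample events are constructed for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON object per record-access event.
SAMPLE_LOG = """
{"ts": "2018-05-25T09:00:12Z", "user": "dr.murphy", "patient_id": "P1001", "src_ip": "89.101.20.4", "country": "IE"}
{"ts": "2018-05-25T09:03:40Z", "user": "dr.murphy", "patient_id": "P1002", "src_ip": "89.101.20.4", "country": "IE"}
{"ts": "2018-05-25T09:10:05Z", "user": "reception1", "patient_id": "P1001", "src_ip": "89.101.20.9", "country": "IE"}
{"ts": "2018-05-25T22:41:17Z", "user": "reception1", "patient_id": "P1003", "src_ip": "203.0.113.7", "country": "AU"}
{"ts": "2018-05-25T23:00:01Z", "user": "locum7", "patient_id": "P1004", "src_ip": "89.101.20.12", "country": "IE"}
{"ts": "2018-05-25T23:00:09Z", "user": "locum7", "patient_id": "P1005", "src_ip": "89.101.20.12", "country": "IE"}
{"ts": "2018-05-25T23:00:15Z", "user": "locum7", "patient_id": "P1006", "src_ip": "89.101.20.12", "country": "IE"}
{"ts": "2018-05-25T23:00:22Z", "user": "locum7", "patient_id": "P1007", "src_ip": "89.101.20.12", "country": "IE"}
{"ts": "2018-05-25T23:00:30Z", "user": "locum7", "patient_id": "P1008", "src_ip": "89.101.20.12", "country": "IE"}
{"ts": "2018-05-25T23:00:41Z", "user": "locum7", "patient_id": "P1009", "src_ip": "89.101.20.12", "country": "IE"}
"""

ALLOWED_COUNTRIES = {"IE"}          # the page's own access policy: Ireland only
BULK_THRESHOLD = 5                  # distinct patients opened by one user ...
BULK_WINDOW = timedelta(minutes=10) # ... within this sliding window


def parse_log(text):
    """Parse JSON lines into events with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def access_report(events):
    """The per-access report: which user opened which record, when and from where."""
    return [(e["user"], e["patient_id"], e["ts"].isoformat(), e["src_ip"], e["country"])
            for e in events]


def flag_foreign_access(events, allowed=ALLOWED_COUNTRIES):
    """Events whose source country is outside the allowed set."""
    return [e for e in events if e["country"] not in allowed]


def flag_bulk_access(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Users who opened at least `threshold` distinct patient records within `window`.

    Returns {user: largest number of distinct patients seen in one window}.
    """
    by_user = defaultdict(list)
    for e in events:                 # events are already time-ordered
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["patient_id"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in access_report(evs):
        print("%-11s %-6s %s %-14s %s" % row)
    print("foreign:", [(e["user"], e["src_ip"], e["country"]) for e in flag_foreign_access(evs)])
    print("bulk:", flag_bulk_access(evs))
```

On the constructed sample the foreign-access check isolates the one login from an Australian address and the bulk check flags the locum account that opened six records in forty seconds; the threshold and window are starting points to tune against a practice’s normal workload, not fixed rules.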
Two-Factor Authentication
With two-factor authentication (2FA) you protect your user account and access to our software with something you know (your password) and something you have (your phone or a security key). 2FA protects against unauthorised access if a password is stolen or otherwise compromised.
Our software and servers accept connections only from within Ireland. This geographic restriction reduces the attack surface exposed to the rest of the internet; it is a coarse control and complements, rather than replaces, authentication. If you need access from outside Ireland, contact us to discuss the required access.
Backup and Restore
Managed, automated backup and restore processes remove the stress and worry about losing your data. Our processes are secured and automated, with backups stored at an offsite location, within Ireland only.
All of your and your patients’ data can be retrieved in a portable format when required. There may be a small fee for producing this export. Access in this manner is to your whole data store, not to individual patient data sets.
Data Subject Access Requests
We have incorporated a streamlined mechanism for managing data subject access requests from your patients within our software. You can export a patient’s data and notes in a single click, helping you meet the one-month response deadline the regulation sets.
Right to be Forgotten
A data subject has the right, in certain circumstances, to be forgotten (erasure). For medical records this right is limited by the clinician’s obligation to maintain accurate records so that the patient’s future treatment is not compromised. A valid erasure request from a patient can be complied with easily using our software: patient data can be anonymised or deleted from the system, subject to our safeguards.
You are a data controller: you control, and are responsible for, the keeping and use of personal information on our system, on your own computers or in structured manual files.
You collect and store the data and are responsible for it. You are the data controller under the Data Protection Act and GDPR.
A processor processes personal data on behalf of the controller but does not exercise responsibility for or control over it. K.M. Medical Software is a data processor that stores and processes data on your behalf.
Processing of Personal Data
As a data processor, we may only process personal data on your instructions as data controller. These responsibilities include keeping personal data secure from unauthorised access, disclosure and destruction, as the data controller requires.
Getting your practice into compliance
There are several steps involved in the process, which we have listed below.
Establish the project
Start implementing the Project
Download the full text of the EU GDPR (read it if you really want to understand the regulation).
Conduct a GDPR readiness assessment to determine the gap between your current state and compliance.
Organise a kick-off meeting with your employees.
Develop top-level policies
Establish the EU GDPR Personal Data Policy Framework.
Write the Personal Data Protection Policy.
Write the Employee Personal Data Protection Policy.
Write the Data Retention Policy.
Organise your data protection
Appoint a Data Protection Officer.
Define the Data Protection Officer’s job description.
Build up data inventory
Write the Inventory of Processing Activities.
Maintain and update the Inventory of Processing Activities.
Define the legal basis on which the company processes personal data, and whether you need consent from the data subjects.
Define data subject rights.
Define and implement data subject consent forms.
Define and implement the Data Subject Access Request Procedure and develop a guide outlining how to deal with requests.
Data Protection Impact Assessment (DPIA)
Define and write the Data Protection Impact Assessment (DPIA) methodology.
Maintain the DPIA Register.
Set up a DPIA review schedule.
Personal data transfers
Develop the Cross-Border Personal Data Transfer Procedure.
Identify all of your suppliers based outside the European Economic Area (EEA) that will have access to personal data.
Prepare and sign Data Transfer Agreements for all identified suppliers outside of the EEA.
Identify the suppliers that process personal data on your behalf (data processors).
Prepare and sign agreements with data processors to ensure they will act based on your instructions and will comply with EU GDPR.
Personal data protection
Identify and implement adequate security measures to protect personal data.
Test and review the implemented measures on a regular basis.
Handle data breaches
Identify the key stakeholders and establish your “Data Breach Response Team.”
Establish a process to evaluate a data breach and to notify the Supervisory Authority and, where required, the affected data subjects.
Establish a process to respond to a data breach.
Maintain a record of all data breaches.
Presentations and Training
Define which competencies your employees need.
List the training your employees should attend.
Develop a training plan for the next few months.
Perform periodic security awareness training for all of your employees.
How can we help?
We can help you at every stage of GDPR compliance implementation. Please contact us for more information.
For General Practitioners, the ICGP has compiled all the resources GPs need in one place. Please visit the GPIT page at http://www.icgp.ie/data
Your right to restriction
All data are stored securely in our system. If you discontinue the service, we will give you the option of getting your data back. We will not store any data that is not covered by our agreement.
Data processing agreement
The Data Processing Agreement is accompanied by the SLA and covers all the terms of the data processing, our processes and information on our sub-processors.
If there is a breach on our systems, we are obliged to inform you without undue delay, and we commit to doing so within 72 hours so that you, as controller, can meet your own 72-hour notification deadline to the supervisory authority. You can contact our DPO for this information.