Dendrite Clinical Systems Ltd
Data is collected, processed and erased under the jurisdiction of the country where the data is held, and the legal basis for holding these data varies from one country to another. In the UK the data is managed under the provisions of the Data Protection Act 1998, which is independently monitored by the Information Commissioner's Office (ICO).
Everyone collecting patient identifiable information must comply with the Common Law Duty of Confidentiality, and it is the responsibility of these organisations to ensure that information provided by patients to hospitals in confidence will only be used for the purposes explained to the patient and to which they have consented, unless there are other circumstances covered by the law.
Dendrite, as a customer of the NHS and other health-related organisations across the world, must also comply, but as contracted data processors, we are reliant upon those who collect and supply the data to us to ensure their own compliance before handing the data over to us or allowing us access to it.
Dendrite complies with the NHS Confidentiality Code of Conduct. All Dendrite staff protect patient identifiable information, and only undertake actions on the data as agreed with the customer providing the data. All data is held in accordance with the UK Data Protection Act 1998 and Information Governance guidelines.
When providing remote access support services, or working on a hosted server, if copies of data need to be made, the copy is either stored on the customer server, or, if required to be downloaded, is logged and held on a 256-bit encrypted hard disk drive until such time as there is no need to retain that data. At this time the data is deleted from the encrypted hard disk drive and closed on the log.
Reporting and data processing / analysis
If Dendrite has been contracted to undertake any reporting or data processing / analysis by a customer, Dendrite liaise with the customer to ensure that the data will be supplied and managed in a secure manner.
Once supplied, the data is again stored on a 256-bit encrypted hard disk drive until such time as there is no need to retain that data. At this time the data is deleted from the encrypted hard disk drive and closed in the log.
Whilst any patient identifiable data is held by Dendrite, it is kept in accordance with strict Information Governance policies and in accordance with the Data Protection Act 1998.
Sharing information with other organisations
As Dendrite are only ever Data Processors, we are bound by contracts with our customers with regards to data sharing. Dendrite will therefore never provide any data to any organisation other than the contracted customer (within the bounds of the contract under which it has been provided).
If a person or organisation other than the customer asks Dendrite for access to that customer's data, they will always be referred to the customer, and Dendrite will only ever release the data to the customer.
Patient rights to withdraw consent for sharing personal information
At any time patients have the right to refuse/withdraw consent to information sharing. However, as Dendrite are only Data Processors, we would always refer the patient to the Data Owner to discuss this with them. They will then explain the reason why the data is being collected and any possible consequences of their data being withheld. If directed by our customer, we would delete the patient record in accordance with their instructions.
To learn more about how patient identifiable information is used and held within Dendrite, please contact the Information Governance team at Dendrite.
Information Governance Team
The Hub, Station Road
Oxfordshire RG9 1AY