Data Protection

Your data safety and concern is paramount

Working in healthcare is a privilege that we never take for granted. Our business is about understanding the patients’ experiences, journeys, and outcomes in any healthcare setting, and making sure this information gets to the right people. Whether it be clinicians, care teams, management or governments. In doing so, we aim to build more sustainable health systems with the patient at the centre.

Our overarching data protection principles

We only collect personally identifiable information, in country, that is needed to send survey invitations or provide reporting context. Any of the sensitive, identifiable data can be automatically purged at any time based on a cadence or schedule agreed with the client.

All personal data collected needs to be relevant to the communicated data collection purposes. The development of eligibility criteria will be appropriate and considered for the purposes of each program. This includes what personal data needs to be collected to ensure engagement and participation.

We always use the limitation principle and have in built tools to ensure that, even when personal data is used, we can purge and automatically clean that data as soon as it is not required.

Our disaster recovery policies and overall information management approach is there to ensure reasonable safeguards are in place to minimise risk of unauthorised access, loss, or disclosure of data.

Everything about how our programs operate, from the purposes, to the methodology, data protection, processes, and technology enablement will be always available to our clients.

Under General Data Protection Regulation (GDPR) and other related regulations, individuals have the right to enquire, at any point in time, about the information we hold on file about them. This principle can be applied to all participating countries if required.

The data controllers in our programs – the nominated parties from whom we receive data – will be given a strict specification that ensures they adhere to correct eligibility criteria, pass only data to us as the processor that limits the transmission of personal data, and works with our overall information management process.

Certified Compliance Programmes

UKAS AND ISO IEC 27001
Cyber Essentials Certified

How we think about personal health information

Cemplicity work across multiple jurisdictions that include the UK, Europe, Canada, Australia and New Zealand. In each of these territories the definitions for what constitutes personal information differ – “Personal Data”, “Health Information”, “Personal Health Information” yet the principles are interchangeable. Healthcare providers worldwide must balance their obligation to ensure the patient gets the best care possible with the patient’s right to privacy and an obligation to protect their data from being used inappropriately.

It is our responsibility as a company to help these providers to fulfil their dual obligations of improving patient quality of care whilst protecting patient privacy. 

Often, we collect personal information from our clients and then use it to contact the patients to take part in a survey. The type of data transferred can be as simple as an email and first name, but it often extends to demographics, facilities, site information, pathway data and any additional data our clients deem important. The collection of this data is often essential to add the necessary context to the programs to help providers better understand how they can improve both their systems and their care.

Given the sensitive nature of this data, privacy and security are a core part of our business. We achieve this through health-specific technology, security policies and practices. With our SaaS platform, privacy and security start from a design level. We architect to ensure security principles are kept forefront of mind and build software that is specific to the central tenet that patient health information needs to be limited, purged when not used and anonymised when possible.

This is supplemented by our Policies and Controls, which cover the full range of ISO 27001 controls that range from access control and cryptography to staff security awareness training. These policies are consistently communicated to our staff through regular training. This is managed by our Security Team through a specialised Information Security Management System (ISMS).

As an ISO 27001:2013 certified organisation we undertake annual audits from an accredited independent auditor, along with regular third-party vulnerability and penetration testing. These audits ensure that we are consistently maintaining and improving our security and privacy policies and practices.  

The image above shows a typical scenario where we might capture data from a client’s API or through a Secure FTP session. The data comes through to Cemplicity and is immediately tagged at any stage where personal health information might exist. All data is validated on entry into our system and then flags are set that allow us to automatically purge any of the sensitive data at an agreed date. This allows us to automate and put our collection limitation principle into action even while the data is live.

GDPR Commitment

Privacy Policy

Survey Policy