Data protection and compliance
Patient safety
Care Quality Commission (CQC)
The Care Quality Commission regulates all health and social care services in England. They provide assurance to the public that health and social care services are safe, effective, compassionate and of high quality.
As a CQC registered provider, Oviva enables the CQC to examine the ability of our commitment to provide high-quality health and social care services.
NHS Digital Technology Assessment Criteria (DTAC)
Oviva is an accredited supplier according to the Digital Technology Assessment Criteria for health and social care (DTAC) which provides staff, patients, and citizens with the assurance that the digital health tools they employ adhere to NHS standards for clinical safety, data protection, technical security, interoperability, usability, and accessibility.
Data Privacy
EU General Data Protection Regulation and local legislation
Oviva strictly follows the General Data Protection Regulation (“GDPR”), the Swiss Federal Data Protection Act („FDAP“) and similar privacy laws. GDPR is the most comprehensive data protection law in the world which regulates the use of personal data of EU residents and provides individuals rights to exercise better control over their data. The GDPR does not only apply to European organisations such as Oviva and its entities, it extends to any organisation worldwide that aims its products and services at EU residents.
Above all GDPR requires us to be transparent and accountable for our use of personal data and sensitive patient data. We need to be able to demonstrate compliance with various legal requirements meant to protect our patients. Oviva’s goal is to ensure that all personally identifiable information such as health data is protected by means of strong technical and organisational measures.
As part of our internal data protection management, some of our control measures include:
- Ongoing data protection awareness trainings for all Oviva staff
- Regular exchange with and reviews by the Data Protection Team and Management
- Regular independent data protection audits (most recently in 2021 by an external consulting firm)
- Third party risk management as part of our review process of new data processing agreements
- PDCA based implementation and review of all security and control measures
- Evidence based documentation as part of GDPR’s accountability requirement
Data Protection Officer
To ensure that we maintain a high level of compliance we work with external data protection officers that advise and implement robust procedures with us and make sure that we are always in compliance with regulatory and legislative changes. So no matter where you are located, we have experts on the ground.
Contractual Framework
We take the security of your data seriously and expect the same from our subcontractors. That is why we make sure that all of our subcontractors are bound to the same standard that we maintain. We achieve this by concluding standard data processing agreements (DPA) that clearly define how your data has to be safeguarded and strictly limit the purpose for processing this data.
There is no general requirement for personal data to stay in the EU, yet transfers outside of the European Economic Area are restricted and will always receive further analysis by our Data Protection Team. When necessary, we ensure that transfers of Data are subject to additional security controls and rely on a standardized contractual framework provided by the European Commission (“standard contractual clauses“).
Audits
We walk the talk – our external partners help us to commit to our standards by conducting yearly voluntary audits. At the end of an audit, outcomes are analysed and improvements implemented. Keeping data safe is an ongoing commitment and not a one time effort.
Information Commissioners’ Office (ICO)
Oviva is registered with the Information Commissioners’ Office (ICO), which is an independent body committed to uphold information rights in the public interest and data privacy for individuals in the UK.
Data Security
ISO 27001
ISO 27001 is the leading international standard regarding information security that was developed to help organisations, of any size or any industry, to protect their information in a systematic and effective way, through the adoption of an Information Security Management System. Oviva is certified according to ISO 27001.
NHS Data Security and Protection Toolkit
The Data Security and Protection Toolkit enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Cyber Essentials
Cyber Essentials is a government-backed and industry-supported scheme that helps organisations protect themselves against the growing threat of cyber attacks and provides basic controls organisations should have in place to protect themselves.
- Cyber Essentials is a foundation level certification designed to evidence the basic controls organisations should have in place to mitigate the risk from common cyber threats.
- Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme. It is a more rigorous test of an organisation’s cyber security systems where cyber security experts carry out vulnerability tests to ensure that an organisation is adequately protected against hacking and phishing attacks.
Medical Device Regulation
CE Marking
The European Union (EU) requires mandatory conformity labelling for certain products i.e. medical devices sold inside the European Economic Area (EEA), which is known as the Conformitè Europenne (CE) Mark.
Oviva’s device bears the CE marking, which is a symbol indicating that it:
- complies with the requirements of relevant European product directives;
- satisfies all requirements set forth in the applicable, recognised, and harmonised performance and safety standards in Europe; and
- is appropriate for its intended use and will not jeopardise people’s safety.