General Data Protection Policy

Version 1.6

Introduction

Docobo are committed to data protection under the UK-GDPR. This policy sets out our understanding of, and compliance with, the UK-GDPR.

Data Protection Regulation Compliance

Where Docobo process personal data, this is done in compliance with the UK-GDPR principles on processing of personal data. That means it is:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary
  • processed in a manner that ensures appropriate security of the personal data

Right of access requests are complied with, and right to be forgotten procedures are embedded into the telehealth server’s data retention system.

Data Portability

Although we are operating and acting as a Data Processor, we will make every reasonable effort to assist the Data Controller in meeting the UK-GDPR rules on data portability.

Privacy by Design

  • Docobo comply with the NHS Data & Security Protection (DSP) Toolkit.
  • Docobo are certified to ISO 13485 – the medical device quality standard and follow a strict design control procedure to include privacy and security from the beginning of any new project or design.
  • Docobo is Cyber Security Essentials Plus certified.
  • Docobo can provide a DCB0129 for any NHS project requiring DCB0160.
  • Docobo are certified to ISO 27001.

Confidentiality

Docobo operate an Information Security Policy and all staff have signed a confidentiality agreement knowing that any breach will invoke disciplinary action.

Information Asset Management

Docobo maintains an asset register that specifies access controls and asset owners.

Information Security

Docobo’s Information Security Policy, combined with our Risk Management procedures, ensures we follow the best protocols and have clear visibility of the risks, so we can mitigate them when it is appropriate to do so.

Retention of Documents

Although we are operating and acting as a Data Processor, we will make every reasonable effort to assist the Data Controller in meeting the UK-GDPR rules on processing activities. All Docobo’s systems generate comprehensive logs of all activities on the system to assist the Data Controller in meeting these requirements.

Business Continuity/Disaster Recovery

Docobo’s Business Continuity Plan documents the activities that must be carried out to get the business back up and running as usual following any incident. The plan covers all aspects of the day-to-day business, including phones, email, location etc., and sets out the responsibilities for communicating with customers.

Docobo have a Disaster Recovery Policy that defines the plan for the company’s recovery from disasters such as the failure of key pieces of infrastructure, fires, floods etc. at its primary IT operational site.

Staff Training

All staff at Docobo are required to pass an annual Information Governance exam with a pass mark of 80%. This exam covers data protection and security. Staff members with access to sensitive information have had advanced training that goes beyond the annual exam.