The EU General Data Protection Regulation (GDPR) came into force on the 25th of May 2018. The GDPR changes how personal data is handled and increases or reinforces the rights of data subjects. This page tells you how Medical Management Systems Limited (MMS) is helping clients manage GDPR.
MMS has developed the Meddbase application to help our clients achieve and maintain GDPR compliance. However, our clients remain responsible as data controllers for how they use Meddbase and allow access to the system. More information on how MMS assists our clients is listed below.
MMS stores client data in secure, geographically dispersed UK data centres. The data centres have multiple physical controls, including biometrics and dedicated key passes that only allow access to authorised parts of the data centre.
Access to the Meddbase portal is over a secure link. There are multiple layers of intrusion protection, intrusion detection and firewalls between the internet, our application servers and the databases. Our application and database servers have no access to the internet. All access to the application is by users who have been authorised by our clients. Our clients have the option of enabling two-factor authentication to add further strength to access management.
MMS internal policies only allow specified employees access to the application and database servers. All access is monitored, and any unusual access is alerted to the MMS Security Team. Unusual access by client users is also monitored, and such events are alerted to the MMS Security Team, who will liaise with our clients to investigate that access. MMS is NHS Data Security and Protection Toolkit (DSP Toolkit) compliant and ISO 27001 certified, and follows the strict information handling requirements of these standards.
MMS acts as a Data Processor within the definitions of the GDPR, acting on behalf of our clients, who are the Data Controllers in respect of the personal data stored on the Meddbase application. We cannot do any processing of this personal data without our clients' permission. This permission is given via the contract between our clients and ourselves.
Data Subjects have similar rights under the GDPR to the current law to access copies of information that data controllers hold about them through a subject access request (SAR). MMS makes it easy for its clients to handle SARs through the Meddbase application. Using the application, clients can search for the relevant information that the requestor is looking for and export this in a suitable format to provide to the data subject. Our clients are responsible for managing this process as the Data Controller and ensuring that they comply with the requirements of the GDPR and any other legal obligations.
Where MMS receives an SAR in respect of data that an individual believes is held within the Meddbase application, MMS will advise them to contact the Data Controller they believe is using the application. MMS will not take any other action in respect of an SAR unless in accordance with specific instructions from our client.
The GDPR gives data subjects new rights to have data about them erased in certain limited circumstances. This is easily managed by our clients within the Meddbase application. Once permanently deleted, such data cannot be restored. The Meddbase application provides warnings when data is deleted in this way, but the decision as to when and whether to delete data is one for our clients to take as Data Controller.
MMS will not delete data other than in accordance with the specific instructions of our client.
The GDPR allows data subjects to have their data corrected when it is wrong. This is easily managed by our clients within the Meddbase application as Data Controllers. MMS will not modify data other than in accordance with the specific instructions of our client.
MMS does not use any third parties to process any of the personal data stored within the Meddbase application and, unless otherwise required by law, will not transfer any of this personal data to any third party other than in accordance with the specific instructions of our client.
Meddbase is a web application designed for clinical management in any setting or location. MMS provides, maintains and supports the Meddbase application to allow our clients to run their organisations and manage their patient records.
MMS has no control over the use of the Meddbase application by our clients. It is the responsibility of our clients to ensure that they use the application in a responsible manner by:
• Only allowing authorised users to use the system;
• Ensuring that the role-based access built into the system is used;
• Ensuring that users understand the implications of improper use of the application;
• Where the Meddbase application is used to communicate with patients, ensuring that only the necessary information is sent to the patient.