In this article:
General
The UK General Data Protection Regulation (UK GDPR) and (amended) Data Protection Act 2018 (DPA 2018) came into force at 11pm on the 31st December 2020. The UK GDPR incorporates most of the EU GDPR into UK domestic legislation (there are some differences resulting from changes made by Brexit legislation, which largely relate to law enforcement and intelligence services).
The EU General Data Protection Regulation (EU GDPR) remains in effect in the EU. There is currently an agreement in place whereby the EU and the UK have granted each other “equivalency” for data protection purposes. This means that data transfers can continue between the UK and EU without any extra steps being taken to safeguard data.
This page tells you how Semble is helping clients to manage their obligations under the UK GDPR.
Compliance
Semble wants to help clients to achieve and maintain compliance with the UK GDPR.
However, as Data Controllers, our clients remain responsible for their patient data and how they use Semble and allow access to the system.
Security
Your data is physically stored on servers which have achieved the highest level of
security certification, as used by banks and government services. Our servers are
located in London, United Kingdom. Only a very limited number of authorised staff
from Semble can access these servers.
Data is replicated continuously, with multiple copies stored between security centres to ensure immediate failover. Data in transfer is fully encrypted using the most secure cryptographic technologies available (256-bit level of encryption). This means that when you access your data via the internet the Semble server will negotiate a secure link with the end user via a process called SSL. This is the same technology used for online banking and credit card transactions and is known to be the most secure system available.
Data Controllers and Data Processors
Semble acts as a Data Processor (as defined in the UK GDPR), acting on behalf of
our clients who are the Data Controllers, in respect of the patient data stored within Semble.
For an up to date list of our Subprocessors who have access to patient data, see here.
Subject Access Requests
Data Subjects have the right under the UK GDPR to access copies of information that Data Controllers hold about them through a subject access request (SAR). Semble makes it easy for its clients to handle SARs through the system. Using the system, clients can search for the relevant information that the requestor is looking for and share it with the data subject. Our clients are responsible for managing this process as the Data Controller and ensuring that they comply with the requirements of the UK GDPR and any other legal obligations.
Where Semble receives a SAR in respect of data that an individual believes is held
within the system, Semble will advise them to contact the relevant Data Controller. Semble will not take any other action in respect of a SAR unless in accordance with specific instructions from our client.
The Right of Erasure
The UK GDPR gives data subjects the right to have their personal data erased in certain limited circumstances. Clients can delete data within the Semble system, but it will only permanently be deleted by Semble at the specific request of the client to Semble. Semble will permanently delete the data at the client’s specific written
request.
The Right to Rectification
The UK GDPR allows data subjects to have their data corrected when it is wrong. This
is easily managed by our clients within Semble as Data Controllers. Semble will not modify data other than in accordance with the specific written instructions of our client.
Third-Party Transfers
Semble only uses suppliers of services who have the highest security accreditation (e.g. AWS) to process any of the personal data stored within the Semble application. We review all of our sub-processors and hold them to the same standard required by the UK GDPR.
Unless otherwise required by law, Semble will not transfer any personal identifiable data to any third party other than in accordance with the specific instructions of our client.
The System
Semble is a web application designed for clinical management in any setting or location. Semble provides, maintains and supports the system to allow our clients to run their organisations and manage their patient records.
Semble has no control over the use of the system by our clients. It is the responsibility of our clients to ensure that they use the application in a responsible manner by:
Only allowing authorised users to access the system
Ensuring that the role-based access built into the system is used
Ensuring that users understand the implications of improper use of the
applicationWhere the system is used to communicate with patients, ensure that only
the necessary information required is sent to the patient