The laws on Data Protection and Privacy are changing, and from 25 May 2018 the EU’s General Data Protection Regulation (GDPR) will come into effect. To read more about the changes and the UK’s associated Data Protection Bill please visit the ICO website: www.ico.org.uk.  

iCareHealth (UK) Ltd (“iCH”) complies with its transparency obligations by providing its clients with this policy alongside an agreement between iCH and its client.  Some of the terms used in this policy are defined in the iCH standard terms and conditions of business.

iCH believe compliance is a shared responsibility and we already operate an internal Information Security and Quality Management System (ISQMS) accredited to ISO 9001 and ISO 27001 for Information Security. Our management system ensures that our business processes and service offering are defined, documented, reviewed and externally audited.


Lawfulness, Fairness and Transparency

iCH are engaged to provide software and services for social care provision in the UK. Our software will process the personal health data of data subjects as input by clients during their care provision services. This means that our clients, the care providers, are the data controllers and should ensure they are registered as such on the ICO website. iCH are the data processor, providing software and support services that enable our clients to manage sensitive personal data on behalf of individuals receiving care.

That data will not be used by iCH or disclosed for marketing purposes; all data is processed solely to enable and support our clients in carrying out care activities and managing the provision of care.

Purpose Limitation

This policy and the terms of engagement with the client make clear the purposes for which data is processed. Data is not processed beyond the purposes stated unless a new processing activity is compatible with those original purposes and/or iCH is contracted to undertake further processing.

Data Minimisation and Accuracy

In accordance with the obligations that data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed, iCH only processes the data input by the controller as part of care provision and management. The requirement for clients' data to be accurate and kept up to date depends upon the client inputting the data correctly and in a timely manner.

Storage Limitation

During the agreement with clients, iCH will comply with its obligations under the client agreement, including (but not limited to) maintaining social care health records in line with NHS healthcare guidance (8 years), unless requested otherwise by our client in support of a data subject's right to erasure of data.

As part of our Information Security and Quality Management System, iCH maintains a Data Classification, Handling and Protection Policy, which is available to clients upon request.

For the duration of its retention, data is stored securely where it is subject to the policies and protections described below.

Integrity and Confidentiality

iCH's ISQMS is accredited to ISO 9001 and ISO 27001 for Information Security, and all staff are trained in, and bound by, these policies. Support and Implementation staff are given access to data held on the clients' software only as relevant to specific activities for their roles within iCH. Employees are encouraged to flag up any issues they become aware of in relation to data. Employees are required to follow safe and secure processes when handling data, as defined within the policies of our ISQMS.

iCareHealth Security Measures

The relevant policies from the iCH ISQMS describe the security measures employed by iCareHealth.

Policies include, but are not limited to:
Data Protection Policy
  • iCareHealth as a Data Controller (of our staff and market contacts’ data)
  • iCareHealth as a Data Processor (of our Client’s residents’ and carers’ data)
Information Classification, Handling and Protection Policy
  • Information Classification & Labelling
  • Information Handling and Protection
  • Classification Scheme
  • Classification and Retention Matrix
IT Security Policy
  • Asset Management
  • Change Management
  • Separation of Operational, Development and Test Environments
  • Access Levels and Provisioning
  • Network Policy
  • Control of Operational Software, including development and testing in accordance with iCareHealth’s Development and Testing Procedures
  • Protection against malicious code using Anti-virus Software
  • Vulnerability and Patch Management, including network vulnerability scans, penetration testing, intrusion detection and prevention
  • Backup policy
  • System health monitoring
Access Control Policy
  • Physical Access to iCareHealth’s buildings and facilities for employees and visitors
  • Access to IT Systems including user identification, authentication, privileges and password management
Physical and Environmental Security Policy
  • Physical security and entry controls
  • Comms rooms / secure areas
  • Out of hours access and lone working
  • Equipment security, siting and protection
  • Security of information and equipment off-premises
  • Secure disposal of equipment and media
HR Security Policy
  • Prior to Employment
  • During Employment
  • Termination of Employment or role change

Application Specific Security Considerations & Data Locations

Care & Clinical, Mobile Point of Care:

Hosting Partner: Microsoft Azure
Services: Cloud Services, PaaS, IaaS
Hosting Partner Services: https://azure.microsoft.com/
Hosting Partner Certifications: Broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2
Location of Hosted Data: EU (Ireland)
Data Encryption: All data is encrypted in transit between our clients and our cloud servers over HTTPS and encrypted at rest using Azure Storage Service Encryption; any mobile data stored on handsets is encrypted by the application.
Support: Supported from the UK and by our support team in Malaysia, governed by contract with our wholly-owned subsidiary, including Model Clauses as the basis for viewing data outside the EEA.

Medication Management:

Hosting Partner: Redcentric
Services: IaaS
Hosting Partner Services: http://www.redcentricplc.com/
Hosting Partner Certifications: http://www.redcentricplc.com/about-us/accreditations-frameworks/

Redcentric are GCloud approved, part of the HSCN Access Service Framework and certified to recognised UK standards such as ISO 27001.

Location of Hosted Data: UK
Data Encryption: All data is encrypted in transit over HTTPS and encrypted at rest using Redcentric's storage encryption. Data stored on devices is encrypted by the application's use of the available local OS encryption.
Support: Supported from the UK and by our support team in Malaysia, governed by contract with our wholly-owned subsidiary, including Model Clauses as the basis for viewing data outside the EEA.

Further technical support and maintenance is conducted by our partner Med Management Technology LLC (MMT) in the US, certified to Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000PBkgAAG&status=Active

Business Manager:

Hosting Partner: Either hosted at the client's premises, or through a hosted desktop with EntrustIT
Services: Hosted Desktop
Hosting Partner Services: http://www.entrustit.co.uk/security-2/
Hosting Partner Certifications: ISO 27001
Location of Hosted Data: UK
Data Encryption: iCareHealth offers a cloud hosting service to host the Business Manager application on behalf of the client, and these cloud services are encrypted. Where the client manages their own infrastructure, appropriate encryption remains the responsibility of the client. iCareHealth can provide a recommended encryption approach upon request.
Support: Supported from the UK and by our support team in Malaysia, governed by contract with our wholly-owned subsidiary, including Model Clauses as the basis for viewing data outside the EEA.

Mobile Care Worker, Mobile Assessments, Mission Control, Online Care & Staff:

Hosting Partner: Microsoft Azure
Services: Cloud Services, PaaS, IaaS
Hosting Partner Services: https://azure.microsoft.com/
Hosting Partner Certifications: Broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2
Location of Hosted Data: EU (Ireland)
Data Encryption: All data is encrypted in transit over HTTPS and encrypted at rest using Azure App Service storage encryption; any mobile data stored on handsets is encrypted by the application.
Support: Supported from the UK and by our support team in Malaysia, governed by contract with our wholly-owned subsidiary, including Model Clauses as the basis for viewing data outside the EEA.

Learning Management:

Hosting Partner: Rackspace
Services: IaaS
Hosting Partner Services: http://www.rackspace.com/
Hosting Partner Certifications: https://www.rackspace.com/en-gb/compliance/iso

Rackspace are certified to a number of quality and information security standards, including ISO 27001, ISO 9001, ISO 14001 and OHSAS 18001.

Location of Hosted Data: UK
Data Encryption: All data is encrypted in transit over HTTPS, and user passwords are encrypted within the SQL database.
Support: Supported from the UK and by our support team in Malaysia, governed by contract with our wholly-owned subsidiary, including Model Clauses as the basis for viewing data outside the EEA.

The application is also supported by our partner, I2D2 Ltd in the UK (www.i2d2.com).

A complete list of subprocessors for iCH is available at https://www.icarehealth.co.uk/subprocessors/.


Information Security Mechanisms

The measures referred to above enable iCH to comply with its obligations to ensure data security as required by the General Data Protection Regulation. In accordance with this policy, iCH does and will continue to comply with its obligations to notify the client and the ICO of data security breaches as and when it is required to do so. Where there is a data security breach, iCH documents its effects and any remedial action iCH has taken.