At NextSupport, we are committed to protecting sensitive health information with the utmost care. As a leading UK-based AI calling service provider for business process outsourcing (BPO) firms, call centres, and industries including Healthcare, Real Estate, and E-commerce, we fully comply with the Health and Social Care Act 2012, particularly through the Data Security and Protection Toolkit. Our robust security measures and transparent practices ensure the safe handling of NHS patient data, fostering trust with our Healthcare clients and their patients.

What is the Health and Social Care Act 2012?

The Health and Social Care Act 2012 is a UK law that reformed the National Health Service (NHS) and placed obligations on organisations that handle NHS patient data. The Data Security and Protection Toolkit, operated by NHS England (which absorbed NHS Digital in 2023), is the mechanism through which that handling is assessed: a mandatory annual self-assessment for health and care organisations, and for suppliers that process NHS data on their behalf, measured against the National Data Guardian's ten data security standards. It covers data security, protection of confidential information, and compliance with the UK GDPR and the Data Protection Act 2018. Non-compliance can result in loss of eligibility for NHS contracts and, where data protection law has been breached, enforcement action by the Information Commissioner’s Office (ICO).

Our Role as a Data Processor

NextSupport operates as a data processor for Healthcare clients, handling NHS patient data on their behalf for appointment scheduling, patient support calls, and health enquiry responses. We process this data only on the documented instructions of the client, as UK GDPR Article 28 requires of a processor, and in line with the Data Security and Protection Toolkit.

Compliance with the Data Security and Protection Toolkit

We meet the toolkit’s standards through the following measures:

  • Annual Submission: We complete and submit the Data Security and Protection Toolkit annually, demonstrating our commitment to NHS data protection.

  • Risk Assessments: We conduct regular risk assessments to identify and mitigate vulnerabilities in our AI systems handling patient data.

  • Security Controls: We implement strong security measures, including encryption and access controls, to protect NHS data.

  • Training: All staff receive annual training on NHS data handling and security best practices.

  • Incident Reporting: We have processes to report data breaches to the ICO and NHS Digital within required timescales.

Data Security Measures

We safeguard NHS patient data with industry-leading security practices:

  • Encryption: We use AES-256 encryption for data at rest and TLS 1.3 for data in transit, ensuring patient information remains secure.

  • Access Controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) restrict access to authorised personnel only.

  • UK-Based Storage: All NHS data is stored on Amazon Web Services (AWS) infrastructure in the UK (London region, eu-west-2), so that patient data does not leave the UK.

  • Regular Audits: We engage CyberSec Solutions for quarterly penetration testing and annual security audits to maintain compliance.

  • Certifications: Our ISO 27001 certification supports our adherence to information security standards.

Protecting Patient Confidentiality

We prioritise the confidentiality of NHS patient data:

  • Minimum Necessary Principle: We limit access to and disclosure of patient data to the minimum required for the intended purpose, such as scheduling an appointment, in line with the Caldicott principle of using the minimum necessary confidential information and the UK GDPR data minimisation requirement.

  • Transparency: We inform patients of data usage through client-provided notices, ensuring they understand how their information is processed.

  • Data Protection Impact Assessments (DPIAs): We conduct DPIAs for high-risk AI processes, such as automated call analytics, to assess and mitigate risks to patient data.

Data Retention and Deletion

We adhere to the Act’s data retention and disposal requirements:

  • Retention Policy: Patient data, such as call recordings, is retained for 30 days for quality assurance, unless a client specifies a longer period aligned with the NHS Records Management Code of Practice.

  • Secure Deletion: Data is deleted by cryptographic shredding: the keys under which it was encrypted are destroyed, so the ciphertext that remains on disk or in backups cannot be recovered. This relies on data being encrypted under keys scoped to the client or record being deleted, rather than under a single shared key.

  • Anonymisation: Data used for analytics is anonymised so that patients can no longer be identified from it. Data that has only been pseudonymised (identifiers replaced by tokens that we or the client can reverse) remains personal data under the UK GDPR and is handled as such.

Breach Notification and Response

We follow the Act’s incident reporting obligations:

  • NHS Digital and ICO Notification: As a processor, we notify the affected client without undue delay after becoming aware of a personal data breach, as UK GDPR Article 33(2) requires, so that the client, as controller, can meet its own 72-hour deadline for notifying the ICO. We also report the incident to NHS Digital and the ICO within 72 hours.

  • Client Notification: We promptly inform affected clients, providing details and mitigation steps to support their reporting duties.

  • Mitigation: We contain breaches by isolating systems, conduct root cause analysis, and implement corrective actions to prevent recurrence.

Training and Awareness

We ensure our team is equipped to handle NHS data responsibly:

  • Regular Training: All employees complete annual training on the Health and Social Care Act 2012, the Data Security and Protection Toolkit, and NHS data security protocols.

  • Specialised Training: Our AI development team receives additional training on securing patient data and ensuring compliant automated processes.

  • Incident Response Drills: We conduct quarterly drills to prepare staff for data breaches, ensuring swift and compliant responses.

Accountability and Governance

We maintain a strong governance framework to demonstrate compliance:

  • Records of Processing Activities (ROPA): We document all NHS data processing activities, including purposes and retention periods, available for NHS Digital audits.

  • Audits: We engage Compliance Experts Ltd. for biannual compliance audits to ensure adherence.

  • Data Protection Officer (DPO): Our DPO, reachable at dpo@nextsupport.co.uk, oversees our compliance strategy and acts as the point of contact for NHS Digital and the ICO.

  • ICO Registration: We are registered with the ICO under registration number ZA123456, as the Data Protection (Charges and Information) Regulations 2018 require.

Assisting Clients with Compliance

We support our Healthcare clients in meeting their obligations under the Health and Social Care Act 2012:

  • Data Processing Agreements (DPAs): We provide DPAs outlining our responsibilities, ensuring alignment with client instructions and NHS standards.

  • Support for Patient Requests: We assist clients in responding to patient access or erasure requests, so that they can reply within the one month the UK GDPR allows.

  • Compliance Reporting: Clients can request our Compliance Report, detailing our toolkit adherence and security measures, available upon signing an NDA.

Sub-Processors

We use vetted sub-processors that comply with the Act:

  • AWS: For data storage, hosted in the London (eu-west-2) region under a data processing agreement.

  • Twilio: For telephony services; Twilio processes call data under a data processing agreement with us.

  • Client Authorisation: We obtain the client’s prior written authorisation before engaging or replacing a sub-processor, as UK GDPR Article 28(2) requires, and bind each sub-processor by a DPA that imposes the same data protection obligations we accept.

Ongoing Compliance Efforts

Compliance with the Health and Social Care Act 2012 is an ongoing commitment:

  • Regular Reviews: We review our practices quarterly to align with updates to the Data Security and Protection Toolkit and NHS guidance.

  • External Expertise: We engage Compliance Experts Ltd. for independent audits and recommendations.

  • Technology Upgrades: We enhance our AI systems with advanced encryption and monitoring tools to protect NHS data.

Frequently Asked Questions (FAQs)

How can I request access to my NHS data?

Email our DPO at dpo@nextsupport.co.uk or use our Contact Us page. Because we process NHS data on behalf of your healthcare provider (the controller), we pass the request to them and support their response; the UK GDPR requires a response within one month of receipt.

What happens if there’s a data breach involving NHS data?

We notify affected clients without undue delay so they can meet their 72-hour ICO deadline, report the incident to NHS Digital and the ICO, and take immediate containment and mitigation steps.

How does NextSupport ensure AI complies with the Act?

Our AI systems use encryption, inform patients of automation, and undergo DPIAs to protect NHS data, aligning with toolkit standards.

Can I request deletion of my NHS data?

Yes. Email dpo@nextsupport.co.uk or use Contact Us to request erasure. We pass the request to your healthcare provider as controller and, on their instruction, delete your data within one month, unless we are legally required to retain it.

How does NextSupport handle NHS data security?

We use AES-256 encryption, UK-based storage, and regular audits, as outlined in our Data Security and Protection Toolkit submission.

Download Our Compliance Report

For a detailed overview of our Health and Social Care Act 2012 compliance measures, download our Compliance Report (available upon request after signing an NDA), including toolkit submissions and security details.

Contact Us

For questions about our Health and Social Care Act 2012 compliance, to exercise your rights, or to request documentation, contact:

  • Data Protection Officer: dpo@nextsupport.co.uk

  • Compliance Team: compliance@nextsupport.co.uk

Additional details are in our Privacy Policy.

Conclusion

NextSupport is dedicated to upholding the highest data protection standards under the Health and Social Care Act 2012, ensuring that NHS patient data is handled securely, transparently, and in line with the Data Security and Protection Toolkit. Our comprehensive approach provides peace of mind for our Healthcare clients, enabling them to focus on patient care while we manage their calls with integrity.

Compliance Table

Aspect               Description                            NextSupport’s Approach
Toolkit Submission   Annual self-assessment.                Completed and submitted yearly to NHS Digital.
Security             Protect NHS data with controls.        Uses AES-256, TLS 1.3, and UK-based storage.
Risk Assessments     Identify and mitigate risks.           Conducts regular DPIAs and audits.
Training             Educate staff on NHS standards.        Provides annual training and drills.
Breach Notification  Report breaches without undue delay.   Notifies clients immediately; reports to NHS Digital and the ICO within 72 hours.
Accountability       Maintain records and governance.       Keeps a ROPA, audits with Compliance Experts Ltd., and has a DPO.