Introduction
At Hippo Labs, we take compliance and governance extremely seriously. As a technology partner working with sensitive patient data, we know how important it is to keep your practice and patient data safe and we have always aimed to follow industry and NHS best practices for data security and information governance.
This page lays out the basics of our approach to IG, the frameworks we meet, what you need to think about as a practice, and any further reading or support you might need.
If you have any questions at all about any of this, please talk to your Hippo Onboarding Lead or email us at [email protected]
What is IG and how do we approach it?
Information Governance, or IG for short, is essentially an organisational strategy for managing data and information. Our strategy allows us to ensure that we're safely managing all the relevant data we hold (be it patient data or any other relevant practice data we might hold).
That might sound simple (and at a high level, it is!), but in practice we need to have a multifaceted approach to IG to ensure we're doing the right things with that data and to help us comply with all the relevant laws/regulations that might apply.
IG is vitally important to us for a number of reasons.
First and foremost, it is a basic right for people to have information about them treated fairly and with respect. You wouldn't want someone abusing information about you, and equally we should be respectful with the data we hold about others.
As well as treating data respectfully, it's also an intrinsic right for people to have control over any data we hold about them. Again, if someone was holding information about you, you'd want the right to be able to ask them to change it or delete it.
If we treat the data we hold correctly, this will enable us to build trust between the people we serve (both patients and practices) and Hippo Labs as a whole. Trust is a foundational part of our relationships with each other, enabling us to serve our patients or to work together as a team.
It's also the law! There are a number of laws and regulations that apply to us as an organisation and that legally enforce our responsibilities around information governance. Our IG strategy takes into account all the relevant laws, requirements and principles as listed below.
The principles below underpin our IG strategy and inform how we build out the relevant policies, procedures and processes upon which we rely.
We acknowledge and respect the rights of anyone whose data we hold. These rights include understanding what data we hold and being able to modify or remove that data.
We will aim to always follow all the relevant laws, requirements, standards and principles, and ensure that our team are trained appropriately to make the right decisions around data.
We take a privacy by design and default approach - this means that everything we do is always done with privacy in mind and we start all work with a privacy-centred approach.
We use a risk-based methodology for any IG decision making and delivery - we aim to ensure the benefits of any data processing are greater than the risks that might be posed.
What frameworks we adhere to:
There are an almost unlimited number of pan-industry and NHS-specific frameworks that help companies like us to ensure that we're meeting relevant IG and Data Security requirements.
Although we're still quite a young company, to date we've already completed a number of these key frameworks:
DTAC: Digital Technology Assessment Criteria. The NHS's way of confirming a digital product is fit and safe to be used.
NHS Data Security and Protection Toolkit: an online assessment tool that allows us to measure performance against the National Data Guardian's 10 data security standards.
Cyber Essentials: A UK government-backed certification that helps organisations guard against common cyber threats by implementing a variety of security controls.
Cyber Essentials Plus: An advanced certification level of Cyber Essentials that involves an independent, hands-on technical verification of an organisation's cybersecurity practices.
Regular Penetration Testing: A controlled security assessment conducted by cybersecurity professionals to identify, test, and remediate vulnerabilities in systems, applications, and networks.
NHS England IM1 programme accreditation: Certification that allows integration of external systems with NHS infrastructure, ensuring third-party solutions meet interoperability, security, and patient data safety standards in line with NHS Digital's regulations.
G-Cloud 14: A government framework of cloud-based platforms.
We're constantly assessing our systems and security.
If you'd like to see a copy of any of the above certifications, please drop us an email at [email protected]
What you can do as a provider
While we can't be your DPO or replace your internal and/or local data protection processes, we can give some tips based on our experience and what we know! For most practices we normally see three main tasks carried out with regard to procuring new digital systems:
1️⃣ Carry out a DPIA
The first thing you may want to do is conduct a Data Protection Impact Assessment (DPIA) to identify any potential risks in bringing in a new supplier like us. This assessment helps ensure that patient data is managed safely and responsibly.
We've completed an example template of this below so you can grab most of the information you need for this there, but if you have any further requirements please let us know.
2️⃣ Update the Privacy Policy
When implementing a new system, it's normally advisable to review and update your privacy policy. This update ensures that it accurately reflects any changes in data collection, storage, or processing. Make sure the policy is clear and accessible to patients, outlining how their data will be managed with the new system.
We've attached some sample wording below on this, but you're welcome to adjust it to your own requirements:
3️⃣ Inform Patients
To maintain transparency and build trust, you may also want to notify patients about the new digital system and any changes to data management practices. Clear communication helps patients understand how their data will be used and the steps being taken to protect it.
There are various different things you can do to inform your patients of this change:
Ensure everyone in your team knows about Hippo and can answer basic questions about it
Put a banner and/or new page on your website
Put a poster up in the practice
Raise it in a newsletter or PPG or similar patient communications channels
Send a batch message to patients
You don't have to do any of these, but we'd recommend doing at least the first one to ensure that patients don't get the wrong information and are able to trust the invitations being sent.
We've included some sample wording below that you can use for some of these communications:
To improve our services, we have adopted a technology provider called Hippo Labs. They help us to identify if you have any healthcare needs (e.g. a yearly check, or medication review) and enable us to invite you to book in for those appointments via various messaging services (e.g. emails, text messages, WhatsApp). You will always have the option to call us directly to book your appointments. Hippo Labs are a UK-based company that follow all NHS digital standards. They will never use or sell your data to another party. To find out more, please have a read of our updated privacy policy here: [INSERT PRIVACY POLICY]