Introduction
At Hippo Labs, we take compliance and governance extremely seriously. As a technology partner working with sensitive patient data, we know how important it is to keep your practice and patient data safe and we have always aimed to follow industry and NHS best practices for data security and information governance.
This page lays out the basics of our approach to IG, the frameworks we meet, what you need to think about as a practice, and any further reading or support you might need.
If you have any questions at all about any of this, please talk to your Hippo Onboarding Lead or email us at support@hippolabs.co.uk
What is IG and how do we approach it
Information Governance (IG for short) is essentially an organisational strategy for managing data and information. Our strategy allows us to ensure that we are safely managing all the relevant data we hold, be it patient data or any other practice data we might hold.
That might sound simple (and at a high level, it is!), but in practice we need to have a multifaceted approach to IG to ensure we’re doing the right things with that data and to help us comply with all the relevant laws/regulations that might apply.
IG is vitally important to us for a number of reasons.
- First and foremost, it is a basic right for people to have information about them treated fairly and with respect. You wouldn’t want someone abusing information about you and equally we should be respectful with the data we hold about others.
- As well as treating data respectfully, it’s also an intrinsic right for people to have control over any data we hold about them. Again, if someone was holding information about you, you’d want the right to be able to ask them to change it or delete it.
- If we treat the data we hold correctly, this will enable us to build trust between the people we serve (both patients and practices) and Hippo Labs as a whole. Trust is a foundational part of our relationships with each other enabling us to serve our patients or to work together as a team.
- It’s also the law! There are a number of laws and regulations that apply to us as an organisation and that set out our legal responsibilities around information governance. Our IG strategy takes all of the relevant laws, requirements and principles into account, and they underpin the principles set out below.
The principles below underpin our IG strategy and inform how we build out the policies, procedures and processes on which we rely.
- We acknowledge and respect the rights of anyone whose data we hold. These rights include understanding what data we hold and being able to modify or remove that data.
- We will aim to always follow all the relevant laws, requirements, standards and principles, and to ensure that our team are trained appropriately to make the right decisions around data.
- We take a privacy by design and by default approach. This means that everything we do is done with privacy in mind, and we start all new work from a privacy-centred position rather than adding privacy controls afterwards.
- We use a risk-based methodology for all IG decision making and delivery. Before any data processing goes ahead, we aim to ensure that its benefits outweigh the risks it might pose.
What frameworks we adhere to:
There are a great many pan-industry and NHS-specific frameworks that help companies like us to demonstrate that we are meeting the relevant IG and data security requirements.
Although we’re still quite a young company, to date we’ve already completed a number of these key frameworks:
- DTAC: Digital Technology Assessment Criteria. The NHS’s baseline assessment for confirming that a digital health product is fit and safe to be used, covering clinical safety, data protection, technical security, interoperability and usability/accessibility.
- NHS Data Security and Protection Toolkit (DSPT): an online self-assessment tool that allows us to measure our performance against the National Data Guardian’s 10 data security standards.
- Cyber Essentials: A UK government-backed certification that helps organisations guard against the most common cyber threats by implementing a set of baseline technical security controls.
- Cyber Essentials Plus: The higher level of Cyber Essentials, in which an independent assessor carries out hands-on technical verification (including vulnerability scanning) that the controls are actually in place, rather than relying on self-assessment.
- Regular Penetration Testing: A controlled security assessment carried out by cybersecurity professionals who actively attempt to find and exploit vulnerabilities in our systems, applications and networks, so that those weaknesses can be fixed before a real attacker finds them.
- NHS England IM1 programme accreditation: The NHS assurance process that allows third-party products to integrate with GP clinical systems through the IM1 interface, confirming that the integration meets NHS interoperability, security and patient data safety requirements.
- G-Cloud 14: The UK government’s procurement framework for cloud-based services, which lets public sector bodies buy from listed suppliers. Note that G-Cloud listing is a procurement framework rather than a security certification in its own right.
We’re constantly assessing our systems and security.
If you’d like to see a copy of any of the above certifications, please drop us an email at support@hippolabs.co.uk
What you can do as a provider
While we can’t be your DPO or replace your internal or local data protection processes, we can offer some tips based on our experience. For most practices, we normally see three main tasks carried out when procuring a new digital system:
1️⃣ Carry out a DPIA
The first thing you may want to do is conduct a Data Protection Impact Assessment (DPIA) to identify and assess any risks involved in bringing in a new supplier like us. This assessment helps ensure that patient data is managed safely and responsibly, and that any identified risks have appropriate mitigations in place.
We’ve completed an example DPIA template below, from which you can draw most of the information you will need. If you have any further requirements, please let us know.
2️⃣ Update the Privacy Policy
When implementing a new system, it is normally advisable to review and update your privacy policy so that it accurately reflects any changes in how data is collected, stored or processed, including any new processor you have engaged. Make sure the policy is clear and accessible to patients and explains how their data will be managed under the new system.
We’ve attached some sample wording below on this, but you’re welcome to adjust it to your own requirements.
Hippo Labs Privacy Policy additions for your website
3️⃣ Inform Patients
To maintain transparency and build trust, you may also want to notify patients about the new digital system and any changes to data management practices. Clear communication helps patients understand how their data will be used and the steps being taken to protect it.
There are various different things you can do to inform your patients of this change:
- Ensure everyone in your team knows about Hippo and can answer basic questions about it
- Put a banner and/or new page on your website
- Put a poster up in the practice
- Raise it in a newsletter, your Patient Participation Group (PPG) or similar patient communication channels
- Send a batch message to patients
You don’t have to do any of these, but we’d recommend doing at least the first one so that patients don’t receive incorrect information and can trust that the invitations they receive are genuinely from the practice.
We’ve included some sample wording below that you can use for some of these communications:
To improve our services, we have adopted a technology provider called Hippo Labs. They help us to identify whether you have any healthcare needs (e.g. a yearly check or medication review) and enable us to invite you to book in for those appointments via various messaging services (e.g. email, text message, WhatsApp). You will always have the option to call us directly to book your appointments. Hippo Labs are a UK-based company that follow NHS data security standards. They will never sell your data or pass it to any other party. To find out more, please read our updated privacy policy here: [INSERT PRIVACY POLICY]
Further reading
If you can’t access any of these or have any questions about them, please reach out to support@hippolabs.co.uk