Black Pear recognises the importance of ensuring that personal information is dealt with legally, securely, efficiently and effectively, in order to allow users of our services to deliver the best possible care and to meet the Company’s legal and good practice responsibilities.
Black Pear provides software services processing personal data. These data include sensitive data or data of a highly personal nature and data concerning vulnerable data subjects. These services have been in production use since 2014; this DPIA was first undertaken as a review of pre-GDPR processing and has been updated to reflect operational and regulatory changes.
Governance
An Information Governance Board convened by the executive is responsible for management of information governance within the organisation. This board oversees compliance using an ISO27001:2013 registered Information Security Management System (19080-ISMS-001); this includes annual Information Governance training for all staff, Information Governance restrictions in staff and client contracts and regular monitoring of technical and organisational measures designed to maintain integrity and confidentiality of data. Black Pear is registered with the ICO (ZA215442) and meets the NHS Data Security and Protection Toolkit standards. In addition, Black Pear NHS Services are independently assessed via Cyber Essentials (IASME-A-05646) and subject to penetration testing and vulnerability assessment at least once a year. The Information Governance Board can be contacted via security@blackpear.com.
Black Pear processes data on behalf of health and social care providers delivering direct patient care who wish to record and share patient data. Black Pear processes data only on the instruction of the data controller or with appropriate legal authority as defined in the Black Pear Information Security Policy. Organisations using Black Pear services will undertake a Data Privacy Impact Assessment for their specific processing prior to commencement of the service.
Black Pear Core
Purpose
The Black Pear Core product is used by Health & Social Care Organisations in the UK and overseas territories to record and share sensitive personal data about data subjects including demographic data, medical history and care preferences for the purpose of providing direct care.
The Black Pear Core product has been previously known as eSP, Core Care Plans or Core Care Record.
Data flow
Organisations use Black Pear Core to record and view sensitive personal data about data subjects. Where Black Pear Core is used in conjunction with an EHR (Electronic Health Record), Black Pear Core may also be used to view and record sensitive personal data within the EHR. Organisations using Black Pear Core may configure sharing of sensitive personal data with third parties by providing written instruction, including a subscription request (e.g. for email or rest-hook delivery) or an additional data processing instruction within the data.
Data controls
Black Pear processes Black Pear Core data within the UK only.
All contracts under which the Black Pear Core service operates have been reviewed to ensure that obligations under GDPR are met. Where necessary, clients have been offered an updated contract.
The Black Pear Core service is designed to be secure and robust, meeting NHS guidelines and best practices. Further documentation is available to describe:
- Authentication, authorisation and security
- Infrastructure scalability, resilience and disaster recovery
Data retention
Black Pear Core data are retained in accordance with NHS Records Management Code of Practice.
Core Appointments
Purpose
The Core Appointments product is used by Health & Social Care Organisations providing patient appointments on behalf of third party organisations. For example, an ambulance service may book a patient into an appointment at an urgent care centre.
Health & Social Care Organisations use Core Appointments in the role of Hub to offer patient appointments for booking by third party organisations.
Health & Social Care Organisations use Core Appointments in the role of Client to book patient appointments with third party organisations.
The Core Appointments product was previously known as eRA.
Data flow
Core Appointments Hub
Organisations using Core Appointments in the role of Hub receive sensitive personal data about data subjects from third parties and may share sensitive personal data with third parties who have booked appointments for the data subject.
Core Appointments Client
Organisations using Core Appointments in the role of Client share sensitive personal data about data subjects with third parties and may receive sensitive personal data from third parties providing appointments for the data subject.
Data controls
Black Pear processes Core Appointments data within the UK only.
All contracts under which the Core Appointments product operates have been reviewed to ensure that obligations under GDPR are met. Where necessary, clients have been offered an updated contract.
The Core Appointments product is designed to be secure and robust, meeting NHS guidelines and best practices as described above for Black Pear Core (formerly Core Care Plans).
Data retention
Core Appointments data are only retained in the Core Appointments cache for as long as necessary for the transaction to be completed, being deleted within 48 hours of the appointment being completed and (where configured) outcomes returned to the booker.
pyrusConnect
Purpose
The pyrusConnect product is used by Health & Social Care Organisations to share patient data with third party organisations.
Data flow
Organisations using pyrusConnect share sensitive personal data about data subjects with third parties and may receive sensitive personal data from third parties providing direct care for the data subject.
Data controls
Black Pear processes pyrusConnect data within the UK only.
All contracts under which the pyrusConnect product operates have been reviewed to ensure that obligations under GDPR are met. Where necessary, clients have been offered an updated contract.
The pyrusConnect product is designed to be secure and robust, meeting NHS guidelines and best practices as described above for Black Pear Core (formerly Core Care Plans).
Data retention
No data are retained in pyrusConnect.
Risk register
Black Pear maintains a risk register as part of the ISMS; this may be shared on request from legitimate individuals or organisations.