Security and Privacy - For Patients

When you dialyse away from your base centre, the DialysisAway platform facilitates the secure and efficient exchange of the required details. Our customers are the dialysis centres themselves; they use our platform to exchange data needed to organise your treatment away from base.

Your care is the responsibility of the dialysis centre treating you at all times; DialysisAway is neither a health care provider nor a travel agent.  We only interact directly with users in order to support platform use.

The DialysisAway platform is operated by a UK company called Medicalisys Ltd – you can find out more about us here.

Why do dialysis providers use DialysisAway?

It’s hard for dialysis centres to facilitate dialysis away from base for patients.  This is reflected in the current lead times for dialysis away from base, which can be up to 3 months.  The process is very time consuming to administer for stretched clinic teams. It is also difficult to govern properly, involving unfamiliar clinics and patients.  The main focus of your dialysis centre is your regular treatment. DialysisAway gives dialysis centres a more efficient and secure way to manage trips, ultimately benefitting you as patients.

Why does DialysisAway need my information?

We need to process the same information that your dialysis centre does today in order to coordinate trips for you.  Your centre uses DialysisAway to do the same tasks faster, more efficiently and more securely every time, no matter which other centre they need to coordinate with, for your benefit.

What information does DialysisAway use?

DialysisAway processes the same information exchanged in the current paper-based process, while also being a place to upload documents and communicate securely.  This comprises a mix of personal information, general medical information and dialysis specific information required for destination centres to accept travelling patients into their temporary care and then return them home.

How does DialysisAway keep my data secure?

We transmit and store data in encrypted form. This means nobody else can read it without the right credentials.  Only certain users have the right to nominate other authorised users.  We use 2-factor authentication, meaning authorised users need to provide a separate code provided by email or SMS in addition to their password each time they wish to log in.  Our servers are hosted with Amazon Web Services (AWS) located in the EU. AWS holds ISO:27001 information security certification (among others). All data is strongly encrypted at rest, as well as in transit.

 

We have the Cyber Essentials certification (https://www.ncsc.gov.uk/cyberessentials/overview), a scheme run by the UK government and the National Centre for Cyber Security to help you know that you can trust your data with us.  We have NHS Data Security and Protection Toolkit assurance (NHS ODS code O4S4B).

How does DialysisAway govern data?

We work in compliance with the requirements of ISO:27001, an information governance standard.  As part of this, we systematically analyse risks and put in place appropriate safeguards and controls, be it in agreements and policies or our infrastructure itself. This helps us comply with the key laws in this area – the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) – and the rules set out by the NHS on health data sharing. You can read the key documents in our Resource Centre. We sum the important points up on this page.

We act as something called a Data Processor or Sub-Processor. This means we can only do things with patient data under the instruction of Data Controllers. In this case, these are the organisations treating you – your dialysis provider, such as an NHS Trust.  Data Controllers are ultimately responsible for creating and storing information about patients and their health, such as in a patient record.

We process your information on their behalf for a purpose. The responsibilities that we and Data Controllers have with regards to sharing this information are laid out in the Terms of Service with each dialysis provider registered with our platform. Our company also has an overall approach to using data, set out in our Privacy Policies.

Does DialysisAway's platform comply with the laws about data?

We comply with our obligations and our platform is specifically designed to help our customers, dialysis centres, comply with their obligations under the laws around data.  These are known in the UK as The Data Protection Act (2018) which is the government’s implementation of the General Data Protection Regulation (GDPR).  Under the law, your dialysis provider is typically your Data Controller and is responsible for your data. It shares your data with us under contract in order to facilitate the treatments away from base that you request. Unfortunately, the current process for coordinating temporary dialysis leaves many doubts around compliance that our platform is designed to address. For example, under the existing process, dialysis providers lack ways to securely share patient data with third party clinics.  This results in many coordinators using non-secure methods such as paper, email and telephone to transmit data, with minimal control over record keeping.

How can I access data about me and my care?

You are also able to log in yourself on DialysisAway and view the data pertaining to your current and completed trips.

 

If you need more, your Data Controller (typically your dialysis provider) will be responsible for handling any request in relation to your data. You should contact your dialysis provider in the first instance if you wish to see the information we hold about you.  This could be a request to access, delete or amend the data and is known as a ‘Subject Access Request’.  Ask your dialysis centre for more information about how to do this; we are able to correct, delete or extract any data relating to patients on request.

 

DialysisAway can assist with all these requests to ensure dialysis centres are meeting their obligations in responding to such requests under GDPR or relevant local data protection legislation. Such requests should be addressed to: [email protected].

Who sees my data?

Authorised staff in your home dialysis centre and the destination centre can see your details.  In addition, a senior manager not in the centre can see a summary of all trips, but none of your details other than your name, trip dates, clinic names and status.

 

Our employees may need to see patient data that we store for strictly limited purposes.  For example, this data may need to be accessed to investigate technical problems with our services. These occasions are very rare and only happen when absolutely necessary.  Any access to patient information is time-limited and governed by our Terms of Service with our customers.  Every single person undergoes training about what is appropriate in these circumstances.  Data is deleted when investigations are complete.

Can I use the NHS National Data opt-out to stop DialysisAway receiving my data?

The NHS national data opt-out only applies to NHS organisations and sharing your information for research or planning. Because we process data for organisations who provide your individual care, this opt-out does not apply to the data they share with us. We do not use that data for research.

Does DialysisAway sell my data?

No. We are in the business of helping our customers, dialysis centres, to coordinate temporary dialysis for you.