Stoke Gifford and Conygre Medical Centres use a mailing company called Docmail to handle some mailings to patients. Typically this is for bulk mailings such as the invitations to attend the flu clinics. We also use a clinic recall system called Patient Chase, which allows us to group conditions and review requirements so that we can minimise the number of times you need to come in for your health screening. The Patient Chase-generated letters are processed via Docmail.
Use of Docmail is permissible under guidance from both the Information Commissioner’s Office (ICO) and the Department of Health (DoH) subject to the provisions of the Data Protection Act.
1.1 What is Docmail?
Docmail is provided by CFH Docmail Ltd, a secure print and mailing company that provides print and mailing services for Local Government, GPs, Dentists, Medical Practices, Schools, Exam Boards, Banks, etc. throughout the UK. The system can be found online at www.docmail.co.uk. Our letters and addresses are uploaded for printing via a secure web portal, and access requires a user name and password. Mail is then dispatched to Royal Mail.
1.2 The Data Protection Act (1998) (DPA)
Stoke Gifford and Conygre Road Medical Centres and Docmail are both fully compliant with the Data Protection Act.
The Information Commissioner's Office issued guidance in February 2012 for organisations that outsource some of their data processing to a third party. The Data Protection Act allows outsourcing to take place but stipulates certain conditions that must be met for it to be compliant. An organisation that processes personal data is required to handle personal data in accordance with the data protection principles. A data controller may choose to use another organisation to process personal data on its behalf – a data processor.
The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor. Where a data processor is used, the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh principle of the DPA.
Schedule 1 of the Data Protection Act (1998) lists eight principles of data protection. The seventh principle is of particular importance where an organisation uses a third party to process data. The seventh data protection principle provides that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Information Commissioner’s Office provides the following guidance to organisations seeking to use a third party to process data on their behalf.
“Where a data controller chooses to use a data processor, paragraphs 11 & 12 of Schedule 2, DPA introduce additional obligations on the data controller as follows:
11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle –
a. choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
b. take reasonable steps to ensure compliance with those measures.
12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless –
a. the processing is carried out under a contract –
- which is made or evidenced in writing, and
- under which the data processor is to act only on instructions from the data controller, and
- the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.”
Stoke Gifford and Conygre Medical Centres have strictly adhered to this guidance in setting up the partnership with Docmail. The practice remains the data controller and as such has the responsibility for ensuring compliance with the provisions of the Act. We are not able to pass on those responsibilities to Docmail, whose role is that of a data processor. In addition:
a. The Terms of Service are agreed between Stoke Gifford and Conygre Medical Centres and CFH – Total Document Management Ltd (as published on the Docmail website).
b. That contract stipulates that Docmail can only act in accordance with instructions from Stoke Gifford and Conygre Medical Centres, i.e. they can only print and mail letters in accordance with data provided by us. They are not able to do anything else with that data.
c. The contract also creates a legal requirement for Docmail to act in accordance with the seventh principle of the Data Protection Act.
d. The Partners of Stoke Gifford and Conygre Medical Centres have satisfied themselves that Docmail have provided sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out.
e. The partners have taken, and will continue to take, reasonable steps to ensure that Docmail are compliant with these security measures.
f. No data will pass outside of the European Union.
1.3 Connecting For Health
Docmail has achieved a 100% rating in the Department of Health’s Information Governance Toolkit Assessment for 2014-2015 and we meet with the terms and conditions of the DH Information Governance Assurance Statement. This assessment is publicly available and can be viewed at www.igt.hscic.gov.uk/
1.4 Other Approvals
Docmail is also approved by the following:
- Government Procurement Service for Hybrid Mail – which allows all government organisations to use Docmail.
- 7 Primary Care Trusts for Medical Studies have approved the use of Docmail. 500,000 medical studies packs were sent in 2011 across 200 surgeries.
- Caldicott Guardians across a number of areas have approved the use of Docmail when asked.
- Ethics Committees have approved the use of Docmail by surgeries for use in medical studies.
1.5 Accreditations & Security Policies
In addition to the credentials listed above, I have been supplied with Docmail’s Corporate Policies and certifications as detailed below.
- ISO 27001:2005 Information Security Management System Certificate
- Information Commissioners Certificate of Registration
- CFH Information Technology Security Policy
- Information Security Policy
1.6 Process
The data file provided to Docmail will only contain enough data to enable them to fulfil the contract. This means that it will include name and address details and the medical conditions relating to the clinic recall. We will of course exercise the same discretion in writing the letters as we would if we were printing and posting them at the surgery.
The letters will be delivered to your address by Royal Mail in the normal way in envelopes that do not identify the letter as having come from a doctor’s surgery. Docmail delete the personal data 28 days after the mailing.
If you have any questions or require further information about this please ask to speak to the Business Manager.