Introduction
This document outlines the data governance, security, privacy, and compliance measures in place to ensure the safe and lawful use of the Virtual Clinical Experience (VCE) technology provided by Global Health Education Group (GHEG).
Compliance & Standards
GHEG operate in full alignment with NHS and UK regulatory requirements, including:
ICO registered - ZB337186
UK GDPR & Data Protection Act 2018
Health Insurance Portability and Accountability Act (HIPAA) legal requirements met
NHS Data Security and Protection Toolkit (DSPT) - DSPT standards exceeded certificate.pdf
DCB0129 clinical risk management in place
Cyber Essentials Plus certification - Cyber Essentials Plus Certificate.pdf
Fully aligned with current NHS Digital Technology Assessment Criteria (DTAC)
A Data Protection Impact Assessment (DPIA) will be in place for any site using the VCE technology. Here is a template version we typically use - DPIA_GHEG Template.pdf
Data Processing & Responsibilities
The organisation is the Data Controller.
GHEG act as the Data Processor.
Only the minimum necessary data is processed and strictly for agreed purposes.
No patient data is stored.
No data is used for marketing, profiling, or secondary purposes.
Security and privacy information
The VCE platform has strict security standards:
Encryption
Streams are encrypted to protect data from the source to the destination.
Secure authentication
Multifactor authentication and authorisation are required to verify user identity and control access.
SSL/TLS security
The platform uses RSA encryption with a 256-bit key to ensure data security during transmission.
Access control
Only invited participants can join sessions, maintaining confidentiality.
No long-term data storage
Data is briefly buffered for real-time interaction, with no long-term storage to enhance privacy.
Patient Consent
Patient consent is essential when students or trainees are invited to observe or participate in any consultation. GHEG work with clinical sites in the following ways:
Patient consent will be obtained by the participating health care organisation and updated in the patient records, as per GMC guidelines. GHEG provide a consent template form to assist - Patient Consent form template.docx
GHEG developed a patient video with input from patients and clinicians which can be provided to patients as part of the consent process - https://youtu.be/DelY6Kf3KrU?si=oSb_QjdRSt9wvVCH
Prior to the live streaming, the platform reminds the clinician to obtain patient consent; streaming will not begin until the clinician has ticked/accepted this step.
During the consultation, the patient can withdraw consent at any time by stating this to the clinician, who can click a button that immediately stops the live stream.
Clinical Safety Officer (CSO)
GHEG have appointed a certified Clinical Safety Officer (per DCB0129) responsible for:
Hazard identification
Risk assessment
Safety case documentation
Ongoing clinical risk management
Assurance & Governance
Annual DSPT submission
Staff trained annually in IG, confidentiality, and cyber security
Regular internal audits and security reviews
Annual external penetration testing
