Send a Message
For support or suggestions, questions or problems please send us a message using the form below - we'll get back to you as soon as we can with an answer, usually within the same day. Remember to check any spam folder you may have for a response.
Do not include Patient Identifiable data in your message to our helpdesk. Helpdesk uses normal email which is not a secure communication method.
General Data Protection Regulation
This document is being updated regularly and is subject to change. Please check this document frequently for the most up to date information.
GDPR Assurance Statement
The General Data Protection Regulation (GDPR) came into force on the 25th May 2018 and, alongside the Data Protection Bill, replaced the old Data Protection Act.
Within this statement we want to highlight to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
Data Protection Officer
Pinnacle has designated a Data Protection Officer (DPO): Pamela Bowes, firstname.lastname@example.org.
Pamela is a certified EUGDPR Practitioner and is taking full responsibility for all matters relating to data protection and GDPR compliance. The DPO will ensure that we are accountable and transparent to the supervisory authorities.
Security and Business Continuity Measures
Pinnacle works to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
In demonstration of this, we have achieved and maintain the following standards:
- NHS IG Toolkit Level 3 (we are in the process of submitting the Data Security & Protection Toolkit)
- ISO27001:2017 certification for Information Security Management Systems
- Cyber Essentials Plus
For further information please request our Technical and IG Specification from email@example.com.
Customer and End User Contracts
To adhere to the GDPR requirement, a data controller (our client) must formally appoint the data processor (Pinnacle) in writing; in our case this takes the form of our Service Level Agreement and End User Licence Agreement.
The document must state that the personal data is processed only on documented instructions from the controller or to meet the requirements of EU or UK law. We have reviewed all of our agreements to ensure compliance. This ensures that relevant wordings are in place to cover aspects such as nature and purpose of the processing, the types of data processed and the obligations and rights of the controller.
Under GDPR, we must notify any data breach to the controller without undue delay. Pinnacle therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller and assisting with any remedial action or reporting required. We would, however, stress that we have comprehensive technical and organisational security measures in place to mitigate against a data breach.
Data Subject Rights
Under GDPR there are significant enhancements to the rights that individuals enjoy with regard to their personal data. Although there is a legal requirement for health data to be recorded and for those records to be kept for regulated time periods, Pinnacle can work with Clients to determine how best to facilitate these rights.
Handling Data Subject Access Requests
Pinnacle's systems allow Clients to access the information needed to answer these requests, and we are also willing to assist where required.
Data is retained according to the current guidelines or the explicit instructions of the relevant Data Controller.
Please consult the detailed retention schedule (appendix 3) from NHS Digital, linked below:
Secure Erasure / Destruction of Personal Data
Pinnacle has procedures in place for the secure return/archiving/destruction of data when this is required.
Data Processing Agreements
The General Data Protection Regulation (and other data protection legislation) requires Data Controllers to formally agree the way in which third parties process personal data on their behalf and to record this in writing in a Data Processing Agreement (DPA).
All of our licence agreements have been updated to include DPAs. If you are a commissioner and have renewed your licence since January 2018, your licence agreement contains a DPA. You may choose to add an additional schedule with the specifics of your services if required.
If you do not licence directly from us, you must have a DPA with us directly. Pinnacle has produced a template DPA for your use; please email firstname.lastname@example.org for a copy.
Data Sharing Agreements
Some Clinical Service Commissioners have asked Pinnacle Health Partnership to sign a Data Sharing Agreement in order to process the data.
For the avoidance of doubt, Data Sharing Agreements are intended to be used between two or more Data Controllers and are not intended to be used between a Data Controller and a Data Processor. Data Processing Agreements have specific legal requirements that must be followed. Pinnacle Health Partnership has confirmed this with the Information Commissioner's Office, and written guidance from the ICO is available at ICO GDPR guidance: Contracts and liabilities between controllers and processors.
Data Protection Impact Assessment (DPIA)
Pinnacle has put together a DPIA using all of the FAQs that we have received on this subject and the guidance from the ICO.
This document contains links to the evidence of our compliance with the questions and will assist you with your own documentation. If you would like a copy of this document, please email email@example.com.