Data Security and Protection

Principle #1: Security by design

Fertility Consent has been designed and built using the very latest Microsoft technologies, and is hosted on the Azure platform here in the UK.

Our lean data model ensures we only collect and process the minimum amount of data, and store it for the minimum amount of time needed for patients and clinics to complete the informed consent process.

As you would expect, our operation procedures and data protection policies fully conform with the The EU General Data Protection Regulation (GDPR).

Securely hosted here in the UK

Our online consent platforms and patient portals use Microsoft Azure data centres located in London and Durham.

We chose Azure as it offers the highest levels of trust for UK healthcare applications, providing built in security at all levels and complying with specific compliance standards. For example, Azure is certified to the Health Information Trust Alliance Common Security Framework via the NHS IG Toolkit; the Human Fertilisation and Embryo Authority (HFEA) also use Azure for consent submissions from clinics.

Fully compliant with UK data security standards

Microsoft Azure Security Centre provides continuous security-health monitoring and threat-mitigation practices that are essential to the strong protection of services and data. These data centres comply, and have been audited to, with the following UK standards:

  • ISO 9001:2008 is a global standard (published certificate) for managing the quality of products and services.
  • ISO 27001:2013 is a widely-adopted global security standard that outlines the requirements for information security management systems.
  • ISO 27002: 2015 which gives cloud service providers and customers secure and specific implementation guidance for ISO 27002 security controls, as well as provides additional security controls specific to cloud services.
  • ISO 27018:2014 provides additional security controls not covered in ISO 27002 to give cloud service providers security control for Personally Identifiable Information (PII).

Azure is used by the UK Government G-Cloud initiative which supports easy procurement of cloud computing services for public-sector bodies in departments of the United Kingdom Government.

Azure has also attained Cyber Essentials PLUS certification meeting the requirements of the Cyber Essentials Scheme Assurance Framework, a UK government-defined scheme to help organisations protect against common cyber-security threats.

Fully compliant with eIDAS regulations and standards

The Electronic Identification and Trust Services Regulation (eIDAS Regulation 910/2014/EC) is a single, standardised regulation that applies across all EU member states providing a consistent legal framework for accepting electronic identities and signatures. Importantly, eIDAS states that no signature can be denied legal admissibility solely because it’s in electronic form.

Are electronic signatures legally binding in the UK?

When it comes to electronically signing consent forms it is crucial to ensure that the patient or their partner cannot deny the authenticity of their signature.

eIDAS complaint electronic signatures, along with procedures for verifying patient’s identities, provide what is known as non-repudiation. Non-repudiation is a legal concept widely used in information security that refers to a service, which provides proof of the origin of data and the integrity of the data. It is the assurance that someone cannot deny the validity of something, e.g. an electronic signature.

Non-repudiation ensures that  patients electronically signing their consent forms accept the authenticity of their signature on a document, just as if they had signed it in ink.