Commitment to Privacy & Security

Alerts, not video streaming
Oxevision displays room statuses, alerts and data reports on handheld devices or on a screen in the nurses station and does not provide a continuous live video stream. Clinical staff can see up to 15 seconds of clear video when taking vital signs spot check, and up to 30 seconds of anonymised (blurred) video in response to a room alert.

Anonymisation of personal data
The clear video data generated by Oxevision is required by the medical device to ensure accurate vital signs measurements are taken.  For other processing purposes the personal data generated by Oxevision is anonymised or pseudonymised to minimise personal data processing. E.g irreversibly blurred video images which do not identify a person.

Personal data is under customer control
All personal data generated by Oxevision or by the staff using Oxevision is under the control of the customer and Oxehealth will only ever process the data according to the service agreement between the customer and Oxehealth, or on written instruction of the customer.  

The following diagram lays out the data flow of data generated by the Oxevision system.

Supporting customers with data governance and GDPR compliance
Oxehealth supports customers to comply with GDPR and other data governance requirements through the provision of data protection impact assessments, staff training and reporting.‍

Data encryption
The personal data generated by the Oxevision system is encrypted to a minimum of AES 256 standard when stored on local secure servers at the customer site.
All data transmission between local compute equipment at the customer site will take place over a secure virtual private network (VPN) which ensures communication between authenticated devices only, using secure socket layer (SSL) encryption to the AES 256 standard.

Access control
Access to all Oxehealth services is based on the principle of least privilege, and Oxehealth staff are only granted the minimum permission to conduct their role.

Oxehealth staff with access to provide support for the Oxevision system use a unique set of credentials for VPN, remote machine access and file server access. VPN access is audited and logging and pattern-based alerts are active on the VPN and firewall.

Access to Customer data on Oxehealth secure servers is limited to approved Oxehealth staff as required to perform a specific task, with fine grained access control on data permissions managed through Active Directory and audited quarterly.

Personnel security
All staff with access to customer data are subject to UK Government Baseline Personnel Security Standard (BPSS checks and a basic criminal record check), and sign a non-disclosure agreement as part of their employment contract.

Annual security and data protection training is completed by all staff to ensure they understand their responsibilities with regards to security and data privacy and Oxehealth employees handling customer data undergo additional training specific to their role.

Penetration testing and vulnerability monitoring
The Oxevision system is subject to  a minimum of twice yearly penetration testing by Crest accredited third party experts and we carry out additional internal vulnerability monitoring of the software.