Oxevision has been developed in collaboration with patients, carers, doctors and nurses. It is a vision-based patient monitoring system designed specifically for mental health care and includes a regulated medical device which operates with an infrared-sensitive camera.
It is understandable that Oxevision’s use of a camera leads to questions about privacy and data security. Our objective is to increase patients' and other subjects' safety, privacy, dignity and independence and this is considered at all stages of the design and implementation of Oxevision.
Below is a summary of some of the technical and organisational measures which we have implemented to protect the personal and sensitive data generated by Oxevision and the dignity of the patients and other data subjects.
Alerts, not video streaming
Oxevision displays room statuses, alerts and data reports on handheld devices or on a screen in the nurses station and does not provide a continuous live video stream. Clinical staff can see up to 15 seconds of clear video when taking vital signs spot check, and up to 30 seconds of anonymised (blurred) video in response to a room alert.
Anonymisation of personal data
The clear video data generated by Oxevision is required by the medical device to ensure accurate vital signs measurements are taken. For other processing purposes the personal data generated by Oxevision is anonymised or pseudonymised to minimise personal data processing. E.g irreversibly blurred video images which do not identify a person.
Personal data is under customer control
All personal data generated by Oxevision or by the staff using Oxevision is under the control of the customer and Oxehealth will only ever process the data according to the service agreement between the customer and Oxehealth, or on written instruction of the customer.
The following diagram lays out the data flow of data generated by the Oxevision system.
Supporting customers with data governance and GDPR compliance
Oxehealth supports customers to comply with GDPR and other data governance requirements through the provision of data protection impact assessments, staff training and reporting.
The personal data generated by the Oxevision system is encrypted to a minimum of AES 256 standard when stored on local secure servers at the customer site.
All data transmission between local compute equipment at the customer site will take place over a secure virtual private network (VPN) which ensures communication between authenticated devices only, using secure socket layer (SSL) encryption to the AES 256 standard.
Access to all Oxehealth services is based on the principle of least privilege, and Oxehealth staff are only granted the minimum permission to conduct their role.
Oxehealth staff with access to provide support for the Oxevision system use a unique set of credentials for VPN, remote machine access and file server access. VPN access is audited and logging and pattern-based alerts are active on the VPN and firewall.
Access to Customer data on Oxehealth secure servers is limited to approved Oxehealth staff as required to perform a specific task, with fine grained access control on data permissions managed through Active Directory and audited quarterly.
All staff with access to customer data are subject to UK Government Baseline Personnel Security Standard (BPSS checks and a basic criminal record check), and sign a non-disclosure agreement as part of their employment contract.
Annual security and data protection training is completed by all staff to ensure they understand their responsibilities with regards to security and data privacy and Oxehealth employees handling customer data undergo additional training specific to their role.
Penetration testing and vulnerability monitoring
The Oxevision system is subject to a minimum of twice yearly penetration testing by Crest accredited third party experts and we carry out additional internal vulnerability monitoring of the software.
Oxehealth has attained ISO 27001:2013 certification for Information Security Management which includes data generated by the Oxevision system in its scope. We are audited against this standard by a UKAS accredited certification body.
Oxehealth holds Cyber Essential Plus certification from an IASME accredited CE+ certification body
Oxehealth has completed an NHS Data Security and Protection Toolkit (DSPT) assessment with standards exceeded: Oxehealth Limited 8K867.