Omda Fertility and GDPR

Introduction

Omda manages patient information for the benefit of the patient and clinic. The data involved is personal information of a sensitive nature and managing the information falls under the general data protection regulation (GDPR) or EU directive 95/94/EC. Omda does not store or handle any patient data and has no servers with stored data. Omda Fertility is set up locally in a secure local network provided by the clinic IT provider.

Technical details

Database

Omda Fertility is a FileMaker product and the database is a FileMaker database. The database is password protected and is stored on a server in the clinics local network. No data ever leaves the server without the explicit instruction from the clinic.

To further secure the database, Omda supports encryption of the database. The data is encrypted at rest to prevent access to databases not in use.

User profile groups

Omda Fertility supports different user groups to be set up at the clinic. The different groups can have different security settings to mask certain personal information. The user groups can have different rights to both information and functionality in Omda Fertility.

Login

Login can be managed by two methods:

- By username and password - A clinic administrator can add and manage users without knowing the passwords of users. Omda generates login credentials on request.

- By single sign on – Omda supports Active Directory login managed by the clinic IT department. When authorized to login to the computer the Omda application automatically recognizes the credentials.

Communication security

All communication between the server and client computer is done within the confines of the clinic local area network. The network is provided by the clinic IT department and is required to be a secure network.

SSL encryption is used to enhance the security within the local area network.

Backup management

Backup of the Omda database is at a minimum made daily for up to seven (7) consecutive days. Omda manages primary backup that is stored on a separate drive or in a particular folder. Secondary backup is the responsibility of the clinic IT provider and is generally made from the primary backup drive or by complete server backup.

Backups are encrypted at rest for increased security. All databases are password protected.

Tracing

All changes in the Omda database is traced and logged. An audit log is stored in a separate database but can be accessed through Omda. The log can be reviewed by Omda on request.

Traceability is also possible for record viewing. Access logs showing who viewed what record and when the record was viewed can be chosen as a component. Logging can be set up and exported for review by clinic administration. Logs are exported to the server in XML, XLS or MER format.

System log

No personal information is stored in the general system log. Only technical entries will be found in the logs.

Preparedness

Omda has a well-rehearsed routine for data restoration. Backups can be restored on the server within minutes. In the event of complete server failure, a secondary backup can be installed on a new server within hours.

GDPR rights and rules

Consent

Collecting consent to handle the patient couple’s data is the responsibility of the clinic if applicable. Omda supports storage of signed consents and ways to display that consent has been given for different process steps.

Right to information

Omda supports data exports in multiple formats including Excel. All data pertaining to the registered patient couple can be exported for review by the couple. Omda also supports printouts with information directly from the database for review.

Right to correction

All data in Omda Fertility can be edited either by the clinic personnel or by Omda. How data corrections are managed is the responsibility of the individual clinic.

Right to be forgotten

Generally patient data falls under local legislation regarding storage of medical data. In many cases such data falls under processing categories specified by the directive prohibiting data to be completely removed. Omda supports data masking of records to limit the availability of the data to others than specific clinic personnel. If deletion is applicable a record can be completely removed by Omda support staff on request. Backups containing the deleted data will be overwritten in 7 days with regards to primary backup, and secondary backup can be removed by the clinic IT department after backing up the overwritten primary backup.

Data portability

All data can be exported into several different formats. A complete patient record can easily be imported to Omda.

Breach notification

Omda will notify the clinic of any suspected breach of security detected. The notification to the individual patient is the responsibility of the clinic.

Processing agreement

The Controller (clinic) has a responsibility to arrange a processing agreement with the Processor (Omda) for processing personal data. Omda can supply prearranged processing agreements covering the support and maintenance attributable to Omda Fertility. In some cases, the clinics IT provider should also be in such a contractual relationship as the data is stored and backed up by the IT provider.

Omda Fertility and GDPR

Introduction

Omda provides the product Omda Fertility. The delivery and maintenance of the product means managing personal data of our customer’s employees and in some cases patient database. Omda manages the following types of personal data:

Type 1: Contact information for the clinic and clinic employees
Processed to enable contact and to manage support cases. Support sent to Omda is registered in a digital support management system where the requester is registered with email, organization and, if relevant, name. Storage of contact information and support cases may be carried out by subcontractors to Omda.

Type 2: Name, signature and profession for the clinic’s employees
Processed to administer login information to the products supplied, and to enable functionality such as automatic signatures and logging of data changes in the same products. Data registered is stored on the server of the clinic.

Type 3: Patient data
Processed to enable support, maintenance and in applicable cases invoicing. Patient data never leaves the server of the clinic unless explicitly instructed. The Omda does not store any patient data. Storage is the responsibility of the clinic or the clinic´s IT provider. The clinic is responsible for ensuring that potentially relevant processing agreements exists between he clinic and the IT provider. Support and maintenance are generally preformed directly by Omda but may be performed by a subcontractor or sub-consultant. If required, for processing of patient data, a personal confidentiality agreement shall be signed by the individual performing the processing.

Agreements

It is the responsibility of the individual customer to ensure that data processing agreements are in place. To help our customers, Fertsoft provides a standard data processing agreement that covers personal data in regards to business communication as well as support and maintenance.

Policies and documents

The Fertsoft information and security policy together with the statement of professional secrecy signed by each employee is the basis of our information security. Additional customer specific agreements can be and are used to supplement the in-house security procedures.

Sub-Processors

If a sub-processor is used for the management of customer data the sub processor is generally to sign a personal data sub processing agreement. The main sub processors and the data they are involved in managing is shown in the table below.

SupplierRole in processType of dataCountry/AdressSub-processing agreement
WebPages NKLTStorage of contact information to clinic staffContact information to clinic staff including name, phone number and email adressKålsängsgränd 10B
753 19 Uppsala
Sweden
Yes
ZendeskSupport platform providerContact information to clinic staff including name, phone number and email adress1019 Market St San Francisco, CA 94103
USA
www.zendesk.com
No

End user agreement towards the clinic employee
MicrosoftEmail and digital platform providerContact information to clinic staff including name, phone number and email adress. One Microsoft Way, Redmond, Washington, U.SNo

Data processing is part of general agreement and privacy statement