
1. Purpose
This policy sets out how Prior Mindset ensures the security, confidentiality, and integrity of all technology systems used for online service delivery and patient record management. It ensures compliance with the UK GDPR, Data Protection Act 2018, and NHS Digital Information Governance standards.
2. Scope
This policy applies to:
All practitioners, staff, associates, and contractors using Prior Mindset’s systems.
All online service delivery platforms (video, audio, and documentation).
All client data, records, and communications processed or stored electronically.
3. Policy Statement
Prior Mindset will only use secure, encrypted platforms for delivering online sessions.
Clinical records will be stored within WriteUpp, a secure patient documentation system aligned with NHS data security standards.
Staff must take individual responsibility for safeguarding data by using strong passwords, secure devices, and updated software.
4. Approved Platforms
Video Conferencing: Only Microsoft Teams and Zoom (Healthcare/Enterprise licensed) are approved for sessions.
Documentation: All client records are to be entered into WriteUpp.
Communication: Email correspondence will use secure, encrypted services; sensitive information must not be sent via personal or unencrypted accounts.
5. Security Measures
Encryption & Connections
All online sessions must use encrypted connections (SSL/TLS).
Practitioners must ensure sessions are hosted in private, secure environments with no unauthorised persons present.
Access Controls
WriteUpp access is role-based and restricted to authorised staff only.
Staff must use unique usernames and strong passwords, changed regularly.
Two-factor authentication (2FA) will be enabled where available.
Device Security
All devices used for Prior Mindset work must:
Have up-to-date antivirus and firewall protection.
Install regular software/security updates.
Be password-protected and locked when unattended.
Personal devices must not be used to store client data locally.
Data Retention & Storage
Records in WriteUpp will be retained in line with NHS Records Management Code of Practice (typically 8 years for adults, or until a child’s 25th birthday + 7 years, whichever is longer).
Records are securely destroyed after the retention period expires.
6. Responsibilities
Practitioners & Staff
Ensure that only approved platforms are used.
Maintain confidentiality during all sessions.
Report any suspected data breaches immediately to the Data Protection Officer (DPO).
Management
Ensure WriteUpp is maintained and aligned with NHS and ICO requirements.
Provide staff training on data security and cyber awareness.
Conduct regular audits of access logs, platform usage, and compliance.
7. Incident Management
Any data breach or suspected cyber incident must be reported immediately to the Designated Safeguarding Lead / DPO.
Incidents will be logged, investigated, and, if necessary, reported to the ICO within 72 hours of Prior Mindset becoming aware of the breach.
Clients will be notified where legally required.
8. Training
All staff will receive information governance and cyber security training at induction and at least annually thereafter.
Training will include phishing awareness, password security, and safe handling of electronic data.
9. Monitoring & Review
WriteUpp compliance with NHS data security standards will be reviewed annually.
Platform security will be reviewed in line with technology updates and legal requirements.
This policy will be reviewed annually or sooner if legislation changes.
10. Policy Ownership
Owned by: Data Protection Officer (DPO) / Senior Management Team
Applies across all Prior Mindset services and platforms.
