Surgery Assist is a chargeable product. To register your interest please use our Enquiry form here
Surgery Assist is a digital assistant designed to educate and signpost patients to the correct care while reducing demand on GP staff, using locally trained AI
This document will guide you through Surgery Assist's AI, compliance and regulatory position, demonstrating how we place the utmost importance on clinical safety, data privacy and cyber security
AI Explained
What is the AI Digital Assistant?
The AI-powered digital assistant is designed to help manage non-clinical healthcare queries efficiently and safely. The AI is trained locally, meaning that the questions and answers it uses are built from the information you provide us about your surgery
By automating responses it helps manage high demand while ensuring that patients with urgent needs receive the attention they require. We have designed our digital assistant with the HHH principles in mind: helpful, honest and harmless
How does it work?
Talking in Your Language
The digital assistant can understand and reply in many different languages using Microsoft Translation Services. Patients can type in Spanish, French or any other language and the chatbot will ensure seamless communication with your patients
Personal Information
The digital assistant uses the Microsoft PII (Personally Identifiable Information) auto-redaction service to automatically hide or remove personal details, keeping your patients' data safe and secure
Answers from the Best Sources
The digital assistant uses a method called RAG (Retrieval Augmented Generation) to retrieve answers from trusted sources that your GP surgery has selected, so responses are grounded in information specific to your surgery rather than in a general model's guesses
Supervised Training
To stay up to date and improve over time, the digital assistant is manually trained on a weekly basis. If it cannot answer a question today it will be trained to handle it in future, so your feedback and continued use help it improve
What happens to your data?
Read more on Patient Data further down - How Surgery Assist Handles Patient Data
Surgery Assist ensures your data is treated with the utmost care, read below to see how we ensure safety:
Safe and secure - All messages are encrypted and processed within Microsoft's secure platform, ensuring confidentiality
No guesswork - If the digital assistant doesn't understand a query it won't guess. Instead it will tell the patient and escalate if necessary
No data storage - Personal details provided are not stored, keeping your patients' information private at all times
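The three behaviours described above (personal details redacted before anything is kept, answers drawn only from surgery-selected sources, and an explicit refusal rather than a guess when nothing matches) are easiest to understand as one pipeline. The block below is an added illustration written for this page, not Surgery Assist's own code: the product relies on Microsoft's PII redaction service and a RAG pipeline, whereas this stand-in uses simple regular expressions for redaction, a lexical overlap score for retrieval, and a minimum-overlap threshold for the "no guesswork" rule. The sample knowledge base, the placeholder names, the threshold value and the escalation wording are all constructed assumptions.

```python
import re

# Constructed sample knowledge base: hypothetical surgery content, not real product data.
SOURCES = {
    "opening-hours": ("Opening hours",
        "The surgery is open Monday to Friday from 8am to 6:30pm. We are closed on bank holidays."),
    "repeat-prescriptions": ("Repeat prescriptions",
        "Repeat prescriptions can be requested online or by dropping the slip into the box at reception. Please allow two working days."),
    "blood-tests": ("Blood tests",
        "Blood tests are taken by the phlebotomist on Tuesday and Thursday mornings. Bring your blood test form."),
}

# Assumed wording and threshold; a real deployment would tune both.
ESCALATION = "I can't answer that from the surgery's information. Please contact the surgery directly."
MIN_SCORE = 0.5  # fraction of the query's content words that must appear in the chosen source

STOPWORDS = {"a", "an", "and", "are", "at", "be", "by", "can", "do", "for", "from", "how", "i", "in",
             "is", "it", "me", "my", "of", "on", "or", "please", "the", "to", "we", "what", "when",
             "where", "with", "you", "your"}


def nhs_number_valid(digits: str) -> bool:
    """Modulus 11 check digit used by 10-digit NHS numbers (weights 10..2 on the first nine digits)."""
    if not re.fullmatch(r"\d{10}", digits):
        return False
    total = sum(int(d) * (10 - i) for i, d in enumerate(digits[:9]))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])  # a computed check of 10 is never a valid number


def _label_ten_digits(m: re.Match) -> str:
    # Any 10-digit run is redacted; the check digit only decides how it is labelled.
    return "[NHS_NUMBER]" if nhs_number_valid(re.sub(r"\s", "", m.group(0))) else "[NUMBER]"


# Order matters: longer, more specific patterns run before the generic 10-digit rule.
PII_PATTERNS = [
    (r"[\w.+-]+@[\w-]+\.[\w.-]+", "[EMAIL]"),
    (r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)", "[PHONE]"),  # UK mobile formats
    (r"(?<!\d)\d{3}\s?\d{3}\s?\d{4}(?!\d)", _label_ten_digits),
]


def redact(text: str) -> str:
    """Replace personal identifiers with placeholders; only this form should ever be logged or stored."""
    for pattern, replacement in PII_PATTERNS:
        text = re.sub(pattern, replacement, text)
    return text


def tokens(text: str) -> set:
    """Content words of a text: placeholders dropped, lower-cased, stopwords removed, plural 's' stripped."""
    text = re.sub(r"\[[A-Z_]+\]", " ", text)
    words = re.findall(r"[a-z]+", text.lower())
    return {w[:-1] if len(w) > 3 and w.endswith("s") else w for w in words if w not in STOPWORDS}


def answer(raw_query: str) -> dict:
    """Redact, retrieve the best-matching source, and refuse instead of guessing when overlap is weak."""
    safe_query = redact(raw_query)
    q = tokens(safe_query)
    result = {"logged_query": safe_query, "source": None, "score": 0.0, "reply": ESCALATION}
    if not q:
        return result
    for source_id, (title, body) in SOURCES.items():
        score = len(q & tokens(f"{title} {body}")) / len(q)
        if score > result["score"]:
            result.update(source=source_id, score=score)
    if result["score"] < MIN_SCORE:
        result["source"] = None  # a weak partial match is treated as "don't know", not as an answer
        return result
    result["reply"] = SOURCES[result["source"]][1]
    return result


if __name__ == "__main__":
    for query in ("What are your opening hours?",
                  "Do you offer acupuncture on Tuesday?",
                  "943 476 5919 - when are blood tests taken?"):
        r = answer(query)
        print(f"{r['logged_query']!r} -> source={r['source']} score={r['score']:.2f}\n  {r['reply']}")
```

The acupuncture query is the instructive case: it shares the word "Tuesday" with the blood-test passage, and a retriever that simply returned its top hit would answer confidently from the wrong source. The threshold turns that into an escalation. The NHS-number query shows the other half of the design: the check digit classifies the number, but the digits are removed from the logged form whether or not it validates.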
Security and GDPR Compliance
If you would like to request any supporting documents please email [email protected]
GDPR
The UK General Data Protection Regulation (UK GDPR) is the framework that sets strict requirements for handling personal data in the UK, including in the healthcare sector. Healthcare organisations and health tech companies must comply with several obligations, including implementing robust data protection measures, identifying a lawful basis for each processing activity (patient consent where that is the appropriate basis), having effective incident response plans, facilitating patients' rights, and complying with international data transfer rules
Compliance with these regulations ensures ethical handling of sensitive health data, enhances patient trust and security in digital health technologies, and impacts how patient data is managed, shared, and protected
Cyber Essentials Plus
Cyber Essentials Plus is a UK government-backed certification scheme that demonstrates an organisation has implemented essential cyber security controls and has had them independently verified through a technical audit
It means we have been independently tested to verify that we have strong protections in place against common cyber threats, such as hacking, phishing or data breaches. For you, it means added reassurance that:
Your data is handled securely
Our systems are regularly checked by security experts
We meet NHS and public sector cyber security expectations
CREST-approved Certification
CREST is a globally recognised accreditation and certification body that sets rigorous standards for penetration testing in the information security industry. Choosing a CREST-approved penetration tester provides several advantages, such as high standards of conduct, assurance of quality, comprehensive support and guidance, and insurance protection
CREST certification is particularly valuable for organisations that need to ensure their digital assets are secure against cyber threats, and it supports compliance with regulatory and industry requirements such as ISO 27001, UK GDPR and PCI DSS
DPIA
A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project/product, especially for processing that is likely to result in a high risk to individuals
It is a formal process to ensure that personal data is handled safely, legally and with minimal risk. By carrying out a DPIA and providing it to you we:
Identify any privacy or data protection risks early
Take steps to reduce or remove those risks
Illustrate that we are meeting legal duties under GDPR and UK data protection law
View our Data Protection Impact Assessment here
Clinical Compliance
DSPT
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool used by organisations within the NHS and social care to demonstrate their adherence to data security standards. It helps organisations measure and demonstrate their performance against the National Data Guardian's 10 data security standards
All organisations that have access to NHS patient data and systems must complete the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly
DTAC
The Digital Technology Assessment Criteria (DTAC) is a framework introduced by NHS England in 2021. Its primary objective is to ensure that digital health technologies meet essential standards before being used within the NHS and social care. The framework assesses digital health products against five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility
DCB0129
DCB0129 is a mandatory clinical risk management standard in the NHS, specifically for manufacturers and suppliers of health IT systems intended for use in NHS settings. It requires us to demonstrate that our products are clinically safe for patients and healthcare providers to use and do not cause harm. Compliance with DCB0129 is mandated under the Health and Social Care Act 2012
Manufacturers/suppliers must implement a robust clinical risk management system that includes appointment of a suitably qualified Clinical Safety Officer (CSO), risk analysis, mitigation strategies, and documented evidence of effective risk management
The standard requires us to:
Start the clinical risk management process early in the product development lifecycle and continue it through to decommissioning
Continuously assess and manage risks throughout the lifecycle
Document and provide evidence of our clinical risk management system, including continuous improvement and learning from incidents
We comply with DCB0129 and operate a clinical risk management system that enables us to demonstrate the safety of our digital health products through:
a clinical safety case report
a hazard log
a clinical risk management plan
structured incident reporting mechanisms, enabling proactive and reactive patient safety measures, investigation, and learning
DCB0160
DCB0160 is a mandatory NHS clinical risk management standard for healthcare organisations that deploy or use digital health systems. It ensures that health IT systems are implemented and operated in a way that safeguards patient safety and supports clinical effectiveness. This standard is mandated under the Health and Social Care Act 2012
Compliance with DCB0160 means a health organisation (surgery) must:
Appoint a Clinical Safety Officer (CSO) with demonstrable oversight and ongoing involvement in the clinical safety process
Carry out a comprehensive clinical risk assessment prior to go-live and throughout the system lifecycle, including any significant system changes, updates, or decommissioning
Maintain detailed clinical safety documentation, including a Clinical Safety Case Report, Hazard Log, and Clinical Risk Management Plan
Implement structured incident reporting and investigation, ensuring continuous improvement by learning from incidents and implementing safety improvements
As part of DCB0160 you must produce both a Clinical Risk Management Plan (CRMP) and a Clinical Safety Case Report when deploying a new health IT system. The CRMP outlines the planned risk management activities, while the Clinical Safety Case Report provides a structured, evidence-based justification that the system is safe for its intended use
Digital clinical risk management has to be a rigorous, methodical, and clearly documented process to ensure that any clinical risks have been assessed and, if required, mitigated appropriately. The purpose of a Clinical Risk Management Plan is to document and schedule the clinical risk management activities to support the safe deployment, maintenance, and decommissioning of the Health IT System. This process must be systematic, well-documented, and demonstrably support both patient safety and regulatory compliance
How Surgery Assist Handles Patient Data
Find our Full Privacy Policy for Surgery Assist (Previously EDATT) here
Summary of Key Points
What personal information do we process?
When you visit, use, or navigate our Services, we may process personal information depending on how you interact with Hanley Health Ltd. and the Services, the choices you make and the products and features you use
Do we process any sensitive personal information?
We do not process sensitive personal information
Do we receive any information from third parties?
We do not receive any information from third parties
How do we process your information?
We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so
In what situations and with which types of parties do we share personal information?
We may share information in specific situations and with specific categories of third parties
How do we keep your information safe?
We have organisational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information
What are your rights?
Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information
How do you exercise your rights?
The easiest way to exercise your rights is by contacting us. We will consider and act upon any request in accordance with applicable data protection laws
Disclaimer
This is provided for information purposes only and does not replace the official Instructions for Use (IFU), terms of service, or contractual documentation supplied within the product