
Patient Data, Privacy and Compliance

How QuantumLoopAi handles patient data, what certifications and standards are in place, and what your surgery needs to do to meet its own governance obligations.

Purpose of This Article

This article explains how QuantumLoopAi handles patient data, what compliance standards and certifications are in place, and what your surgery is responsible for as the data controller.


How Patient Data Is Handled

All patient data processed by QuantumLoopAi is handled in line with NHS information governance requirements and GDPR. Data is encrypted in transit using TLS 1.2 and at rest using AES-256 encryption. All data is stored exclusively within NHS-approved, UK-based secure cloud environments.

QuantumLoopAi operates as a data processor on behalf of your surgery. Your surgery remains the data controller. This means your surgery is responsible for the decisions around what data is processed and why, while QuantumLoopAi is responsible for processing it securely and in accordance with your instructions.


Will We Need to Update Our Privacy Notice?

Your practice's privacy notice should be updated to reflect the use of EMMA and the processing of patient data by QuantumLoopAi as a data processor. QuantumLoopAi can provide guidance on suitable wording if needed.


Is Patient Data Used to Train AI Models?

No. Patient data is never used to train general AI models. This is explicitly stated in the Data Processing Agreement (DPA). All subprocessors are contractually prohibited from using data from the service to train their own general AI models.


QuantumLoopAi's Compliance Certifications

QuantumLoopAi holds the following certifications and registrations:

  • DTAC - Digital Technology Assessment Criteria, fully completed
  • DCB0129 - Clinical safety standard for health IT systems, compliant with a live Clinical Safety Case Report and Hazard Log
  • DCB0160 - Deploying organisation clinical safety assessment, supported with documentation for practices to complete their own assessment
  • MHRA - Registered as a Class I Medical Device under UK Medical Devices Regulations 2002
  • Cyber Essentials PLUS - Certified, covering all health and care data processing
  • DSPT - Data Security and Protection Toolkit, completed annually
  • ISO 27001 - Accredited systems used for managing data securely
  • Annual penetration testing - Conducted by a CREST-accredited supplier
  • ICO registration - Registration number ZB801672
  • CCS RM6200 - Listed on the Crown Commercial Service RM6200 AI framework

Subprocessors

All subprocessors used by QuantumLoopAi are listed in the Data Processing Agreement. Each subprocessor has a Data Processing Agreement in place and is contractually prohibited from using data from the service to train general AI models.

A full subprocessor list and DPA summaries can be provided on request.


What Your Surgery Needs to Do

As the data controller, your surgery has its own governance obligations when using EMMA. QuantumLoopAi recommends the following actions:

  1. Complete or update your practice's controller DPIA for the EMMA service. QuantumLoopAi provides a substantially pre-populated template and full support for this process.
  2. Complete or update your practice's DCB0160 deploying organisation clinical risk assessment. QuantumLoopAi provides its DCB0129 documentation to support this.
  3. Update your practice's privacy notice to reflect the use of EMMA and the processing of patient data by QuantumLoopAi.
  4. Place the QuantumLoopAi assurance documentation on file as part of your governance record.
  5. Ensure alternative access channels remain available to patients, including your online consultation tool and in-person access.
  6. Test your business continuity failover arrangement during or shortly after implementation.

QuantumLoopAi is committed to supporting every practice through the assurance process. If you need help with any of these steps, contact the team at support@quantumloopai.com.


Requesting Assurance Documentation

The following documents are available to practices on request:

  • DTAC Assessment
  • Clinical Safety Case Report (DCB0129)
  • Hazard Log (DCB0129)
  • Data Protection Impact Assessment (Supplier DPIA)
  • Data Processing Agreement
  • Cyber Essentials PLUS Certificate
  • DSPT Status
  • Penetration Test Summary
  • ICO Registration Certificate
  • Subprocessor List and DPA Summaries
  • Business Continuity and Failover Documentation
  • Controller DPIA Support template

To request any of these documents, contact: support@quantumloopai.com


Troubleshooting

Our DPO has concerns about the patient list upload.
The patient list upload is optional. EMMA will operate normally using live PDS validation without it. If your DPO requires additional reassurance, QuantumLoopAi can provide the relevant data governance documentation and arrange a call to walk through the process in detail.

We are not sure how to complete our controller DPIA.
QuantumLoopAi provides a substantially pre-populated DPIA template to make this process as straightforward as possible. Contact support@quantumloopai.com to request the template.

Our ICB or commissioner is asking for assurance documentation.
Contact QuantumLoopAi and we will provide the relevant documentation promptly. QuantumLoopAi welcomes engagement from ICBs and NHS England assurance teams.


FAQs

Does QuantumLoopAi hold DTAC certification?
Yes. QuantumLoopAi has completed a full DTAC assessment. Documentation is available on request.

Is EMMA registered as a medical device?
Yes. EMMA is registered with the MHRA as a Class I Medical Device under the UK Medical Devices Regulations 2002.

Where is patient data stored?
All patient data is stored exclusively within NHS-approved Microsoft Azure UK data centres. Data does not leave the UK.

What happens to data when our contract ends?
Contact QuantumLoopAi to discuss data retention and deletion arrangements at the end of your contract. This is covered within the Data Processing Agreement.

Can we share QuantumLoopAi's compliance documentation with our ICB?
Yes. All assurance documentation can be shared with your ICB, Caldicott Guardian, or NHS England assurance team. Contact support@quantumloopai.com to request the relevant documents.