ℹ️ Introduction
This article answers frequently asked questions about data processing, security and information governance within Ardens Manager. By the end of the article, you will understand how data is processed, stored and protected when using the platform.
Background
Ardens Manager is a population health analytics platform used by GP Practices, Primary Care Networks (PCNs), Integrated Care Boards (ICBs) and other organisations to analyse activity and monitor performance through dashboards and reports.
To provide these insights, Ardens Manager processes data extracted from clinical systems such as EMIS Web and SystmOne.
Data processing within Ardens Manager follows strict information governance and security standards, ensuring that organisations retain control over their data and that access to patient identifiable information is tightly managed.
How Ardens Can Help
Ardens Manager enables organisations to safely analyse and benchmark healthcare activity while maintaining strong data protection controls.
The platform supports organisations by:
Processing clinical system data to populate dashboards and reports
Allowing benchmarking across practices, PCNs and ICBs where agreements exist
Restricting access to patient identifiable data to authorised users only
Applying security controls such as encryption, access control and audit logging
These measures help organisations monitor performance and improve population health management while ensuring compliance with NHS and UK data protection requirements.
📁 Data Processing & Storage
Ardens Manager securely stores and processes data to provide dashboards, reports and analytics. This includes:
Information provided by users when setting up and managing accounts, organisations and groups
Clinical reporting data extracted from your clinical system (e.g. EMIS Web or SystmOne)
Organisational data uploaded into the platform, such as audits or documents
This data is processed to:
Populate dashboards and reports
Support performance monitoring and benchmarking
Calculate activity, income and contract values where applicable
All data processing is carried out in line with Ardens Terms of Supply and Use, which includes full details of the Data Protection and Processing Schedule.
❓ FAQs
Where can I find more information relating to data protection & information governance?
Further information is available in the following Ardens documentation:
Do you provide a Data Protection Impact Assessment (DPIA)?
Ardens acts as a data processor, so it does not have a statutory requirement to complete a DPIA. However, Ardens provides an Information Governance Review which organisations acting as data controllers (such as GP practices) can use to support their own DPIA process.
Has Ardens Manager been penetration tested?
Yes. Ardens undertakes annual penetration testing in line with industry and NHS security standards and conducts quarterly vulnerability scans to identify potential risks.
Does Ardens share data with third parties?
Ardens may share anonymous aggregated data to help identify large-scale healthcare trends that benefit the NHS. This data does not contain patient identifiable information. Currently, no third parties have access to data stored within Ardens Manager but should that change, we will identify these on our Privacy Policy.
How are video meetings handled in Ardens Manager?
Video meetings are hosted using Jitsi and are encrypted on the network using DTLS-SRTP encryption.
Meetings are not recorded or stored by Ardens Manager or Jitsi.
Temporary data such as chat messages or speaker statistics are deleted once the meeting ends.
If a user wishes to record a meeting they can store the recording on a separate Dropbox account. All participants are notified if the meeting is recorded.
For more information on Jitsi Security, please see their website.
6. What is the purpose and scope of data processing?
The purpose and legal basis for processing are defined in Annex 1 of the Terms of Supply and Use.
In summary, data is processed to provide reporting, analytics and service monitoring functionality within Ardens Manager.
7. What security controls protect data?
Ardens implements multiple technical and organisational security measures which are covered in Section 1.4 of the Product & Service Specification. These include:
Encryption of data at rest and in transit
Security monitoring through a Security Operations Centre (SOC)
NHS security and compliance accreditations.
These accreditations include:
NHS England IM1 integration
Cyber Essentials Plus
ISO 27001
DCB 0129 clinical safety standards
NHS Data Security and Protection Toolkit compliance
8. What categories of data are processed?
This is covered within Annex 2 of the Terms of Supply and Use.
9. How are data subject rights (such as SARs) handled?
This is covered within Annex 1 - Section 5 of the Terms of Supply and Use.
10. How are data breaches handled?
This is covered within Annex 1 - Section 6 of the Terms of Supply and Use. Ardens have a robust Incident Management Plan which meets the requirements of ISO 27001. Key performance indicators for incidents are covered within the Product & Service Specification.
11. How does Ardens reduce the risk of users uploading patient identifiable data?
Ardens Manager displays warning messages when users attempt actions that could potentially upload patient identifiable data. Users are also responsible for ensuring they do not manually upload patient identifiable information where it is not required. This is highlighted in our Privacy Policy.
ℹ️ Additional Support
To further your understanding of the Ardens Manager platform:
Book training for your GP Practice, PCN or ICB
Complete the Getting Started with Ardens Manager academy module
Contact our Support Team for support in real time