Information Asset Register & ROPA

About This Document

To be compliant with data protection legislation, including the UK GDPR and Data Protection Act 2018, we maintain a register of all information we store, share, and receive. This document serves as our combined Information Asset Register (IAR) and Record of Processing Activities (ROPA).

Information Asset Register (IAR)

Details where and how information is held and how we keep it safe across all our systems and processes.

Record of Processing Activities (ROPA)

Lists the types of personal data we share with others, how it is shared, and the safeguards in place.

Data Controller: Elm Digital Health Limited, London, United Kingdom
Contact: support@elmdigitalhealth.com

Information Asset Register

The following table details all information assets held by Elm Digital Health, including where they are stored, their format, and security measures in place.

Asset Name	Description	Data Categories	Format	Location	Retention
Document Management System	Clinical documents, letters, and correspondence processed through our platform	Patient health records, clinical correspondence, referral letters	Electronic	UK Data Centre	As per NHS retention schedule or client agreement
Patient Index Database	Index of patient identifiers for document matching and retrieval	NHS number, name, date of birth, address	Electronic	UK Data Centre	Duration of service agreement + 1 year
User Account System	Healthcare staff accounts for accessing the platform	Name, email, job role, organisation, login credentials	Electronic	UK Data Centre	Duration of employment + 6 years
Audit Trail System	Complete record of all user actions and document access	User IDs, timestamps, actions performed, documents accessed	Electronic	UK Data Centre	8 years
Customer Enquiry Records	Contact form submissions and support communications	Name, email, phone, organisation, enquiry details	Electronic	UK Data Centre	3 years from last contact
Integration Logs	Records of data exchanges with NHS systems (GP Connect, MESH, etc.)	Transaction IDs, timestamps, status codes, error logs	Electronic	UK Data Centre	2 years
Backup Systems	Encrypted backups of all operational data	All data categories as above	Electronic	UK Data Centre (Geographically Separate)	90 days rolling
Contract and Agreement Records	Service agreements, Data Processing Agreements, contracts	Organisation details, signatory names, contract terms	Both	UK Secure Storage	Duration of contract + 6 years

Record of Processing Activities

The following table details all processing activities where personal data is shared with or received from other parties.

Processing Activity	Purpose	Data Subjects	Data Shared	Recipients	Lawful Basis
Document Processing for GP Practices	Classifying, routing, and managing clinical correspondence on behalf of GP practices	Patients registered at client practices	Clinical letters, test results, referrals, discharge summaries	GP practice clinical systems (EMIS, SystmOne, Vision)	Contract (Data Processor)
NHS Spine Integration	Verifying patient demographics and retrieving GP registration details	Patients requiring document routing	NHS number, demographic queries	NHS Personal Demographics Service (PDS)	Contract / Legal Obligation
GP Connect Data Retrieval	Accessing patient records to support clinical workflows	Patients at participating practices	Structured clinical records as per GP Connect specifications	NHS GP Connect / Spine	Contract (Data Processor)
MESH Message Exchange	Secure transfer of clinical documents between NHS organisations	Patients whose documents are being transferred	Clinical documents, patient identifiers	NHS MESH network participants	Contract / Legal Obligation
Customer Support	Responding to enquiries and providing technical support	Healthcare staff, practice managers, prospective customers	Contact details, enquiry content, support ticket history	Internal support team only	Legitimate Interest / Contract
Analytics and Service Improvement	Analysing aggregated, anonymised usage data to improve services	N/A (anonymised data only)	Aggregated usage statistics (no personal data)	Internal analytics team	Legitimate Interest
Regulatory Reporting	Compliance with legal and regulatory requirements	As required by regulation	As required by regulation	ICO, CQC, NHS Digital (as legally required)	Legal Obligation

International Transfers

We do not transfer any personal data outside the United Kingdom. All data processing, storage, and backup systems are located exclusively within UK-based data centres. Our subprocessors are contractually required to process data only within the UK.

Security Measures

We implement comprehensive technical and organisational measures to protect all information assets:

Encryption at Rest

All data encrypted using AES-256 encryption in UK data centres

Encryption in Transit

TLS 1.3 encryption for all data transmissions

Role-Based Access Control

Granular permissions ensuring staff access only what they need

Complete Audit Trail

Every access and action logged with user, timestamp, and details

Multi-Factor Authentication

MFA required for all administrative and clinical access

Session Management

Automatic timeout and session monitoring for inactive users

Automated Backups

Daily encrypted backups to geographically separate UK location

Incident Response

24/7 monitoring with documented breach response procedures

Certifications and Compliance

NHS Data Security and Protection Toolkit (DSPT) compliant
ISO 27001 aligned information security practices
Cyber Essentials certified
UK GDPR and Data Protection Act 2018 compliant
National Data Opt-Out compliant

Data Subject Rights

Where we act as a Data Processor on behalf of healthcare organisations, data subject requests should be directed to the relevant GP practice or healthcare provider (the Data Controller).

For personal data where we are the Data Controller (e.g., customer enquiries, staff accounts), individuals have the following rights:

Right of access: Request a copy of your personal data
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your data (where applicable)
Right to restriction: Request limitation of processing
Right to portability: Request transfer of your data
Right to object: Object to certain types of processing

To exercise these rights, contact us at support@elmdigitalhealth.com.

Review and Updates

This Information Asset Register and Record of Processing Activities is reviewed and updated:

Annually: Full review of all assets and processing activities
When changes occur: New systems, processes, or data sharing arrangements
Following incidents: Any data breach or security incident triggers a review
Regulatory updates: Changes to data protection legislation or guidance

Document Owner: Data Protection Lead, Elm Digital Health Limited
Last Review Date: 1 February 2026
Next Scheduled Review: 1 February 2027

Contact Us

If you have any questions about this document or our data handling practices, please contact us:

Elm Digital Health Limited

Email: support@elmdigitalhealth.com

London, United Kingdom