Ardens store any information you provide when you are using Ardens Manager. This includes when you register your account, update any information about yourself, your organisation or your groups. We also store and automatically process data you upload to Ardens Manager which may include clinical reporting data from your clinical system or any organisational data such as audits, receipts or meeting notes. We do not store or process any patient identifiable data. For further information on  data processing on Ardens Manager, please see our DPIA and Privacy Policy.


Data Processing & Storage FAQs

  1. Do you provide any guidance to practices on how to utilise the Ardens Manager to reduce risks of uploading PID data?
    Within Ardens Manager there are warning messages which are displayed at instances where a practices has the potential to upload any PID. However, we do also outline that it is the users responsibility to ensure that they do not send us any patient identifiable data in our Privacy Policy.
  1. Has Ardens Manager been penetration tested in the last 12 months?
    Our initial penetration test was carried out recently by JUMPSEC. We regularly review this requirment and carry out further penetration tests when necessary. If you would like more information on this please let us let us know. 

  2. Where are the servers (including back ups) located?
    We use Amazon S3 servers located in London. For more information on Amazon S3 servers, please see here.

  3. Your Privacy Policy states 'Ardens reserves the right to share any anonymised data with third party organisations'. What is the the nature of these purposes and what third parties the data may be shared with?
    The data shared will only be anonymous aggregate and for the purpose of identifying largescale healthcare trends to benefit the NHS. No third parties currently have access to any data on Ardens Manager nor have been planned to but if and when they do we will identify these on our Privacy Policy.

  4. Does the benchmarking data you provide to other practices or CCG or any other third party allow other practices to be identified?
    The practice has to consent to sharing their data with the other organisations before the practice can be identified.