Re: Software provider stops data controller from allowing 3rd party to access to data

Hi

I sort of understand what your saying here.

Was you using an APi or just calling/scraping the data
Were is the data file ( on dentist site or remote only )

And, what does the dentist contract say about interactinbg with the database.

What are you asking for in relation to the FOI, is it the database schema , so you can write your owen API, as that will be private to the company.

Re: Software provider stops data controller from allowing 3rd party to access to data

iHi Crazy Council, thanks for replying!

As I understand it the 3rd party are querying the DB directly as there are no other methods available to get to the data. Exports of data are only as per available in the software and these are not provided in a format that can be used by anyone else. I would have to get the dentist to confirm about the contract as I don't have access to it. The 3rd party would, preferably, use an open API from the software company but they have refused provide this as an option. Basically, they say he has to use them to process the data.

Hope that make sense!

Re: Software provider stops data controller from allowing 3rd party to access to data

There can be security concerns around API acsess to databases, and load ( bandwidth ) considerations. There may be no way around what the company says in relation to interacting with there databases as there own software may have security that they can not disclose.

But, were you can export the data from there software
Not to hard to convert nearly any format that it exports to, or write something to scrape the data served up from there software, doing it that way, you may not be breaching any terms of use.

Re: Software provider stops data controller from allowing 3rd party to access to data

Thanks. The problem with the exports is that they don't give enough data to be able make use of them. Its all restricted so the user has to either use the software or nothing. Just doesn't feel right that the data controller is being restricted in how they are able to process their own data.

Re: Software provider stops data controller from allowing 3rd party to access to data

A lot depends on the dentist contract with the provider, and also, terms fo use for the data.

Probebly nothing can be done unless they agree to allow you acsess through other software. If you can legaly quiry the database without there software, then you can profile the database to get the structure and feilds. its usualy only the calculated/virtual fields that give a problem.

Keep in mind, if its NHS?patient data, there is a shed load of rules and regulations around the storage, collection, use and distrubution of the data/file that you may breach just playing in this area.

Re: Software provider stops data controller from allowing 3rd party to access to data

I suspect this is may be more about data protection, bearing in mind the data held is sensitive personal information. The data is not his to do with as he pleases obviously, it is all about protecting the patient's data, even if he does believe his process is a better experience for his patients. The data is the patient's and must be protected appropriately. The Data Protection Act together with the GDPR (comes into force 28.05.18) have serious ramifications for businesses in relation to any breaches of data. I imagine the software people are only complying with the data protection rules as they stand currently (soon to be tightened considerably by GDPR).

There may be an element of tying your friend in to their product, but as holders of sensitive personal information they also have obligations they must fulfil. After May 2018 your friend could find themselves liable for any breaches of the software company, in addition to his own. Extreme caution needs to be taken when dealing with sensitive personal information. This is probably an issue for your friend and the software company not something others can try and help out with.

It can be galling when company's are able to tie others into using only their products, Apple maybe the biggest culprit. However the data must be protected as securely as possible and the software company may be the best positioned to do this. Of course we have no information concerning the friend's knowledge, security aspects etc and they may be more than qualified to assist but if not then it may be worth biting the bullet and sticking with the software company provided their data protection is up to the task. Once you have a case management system in place it can be a lengthy and costly process changing this. They also have to bear in mind that the fines, from May 2018 for data breaches, are up to 4% of annual turnover, I would look carefully at the contract to check who would be liable for any breaches at their end and whether if there was a breach and a 3rd party has been involved would this be a breach of contract and therefore may have no comeback against the software company whatsoever, even if it was an issue their end.

As the data controller your friend really needs to appraise himself of the stricter GDPR coming in and his obligation in protecting the data he holds. He is also responsible for ensuring cloud services and company's dealing with any of the data he holds are also compliant with the Regulations. He can also be held responsible for their breaches after May 2018.

I don't mean to scaremonger and I'm sorry if your friend has already dealt with his data protection obligations, but there are huge numbers of businesses who really have not got their heads around the new Regulations and how much wider they reach. This link may help if further information is needed https://ico.org.uk/for-organisations...gulation-gdpr/ and this section is specifically directed to health professionals including dentists. https://ico.org.uk/for-organisations/health/