Practice Toolbox
Legal & Governance Information
This document explains how Practice Toolbox supports safe, lawful, and compliant use within healthcare organisations.
It contains:
- Privacy Notice
- Terms of Use
- Acceptable Use Policy
- Data Processing Framework
- Information Governance Framework
- DSP Toolkit Position
- CQC Governance Statement
- ICO Risk Position
By using Practice Toolbox, users and organisations agree to comply with the requirements set out in this document.
1. Privacy Notice
1.1 Introduction
Practice Toolbox is a digital governance, workforce management, and operational support platform designed for use by NHS-aligned healthcare organisations and associated providers.
The platform supports organisational processes but is not a clinical record system and must not be used to store or manage patient clinical records.
1.2 Data Protection Roles
Healthcare organisations using Practice Toolbox act as:
- Data Controllers for staff data and organisational operational data.
Practice Toolbox Ltd acts as:
- Data Processor when processing data on behalf of healthcare organisations.
- Data Controller for platform administration, security monitoring, service analytics, and account management.
1.3 Data Protection Contact
Data Protection Lead:
Paul Drinkwater
Practice Toolbox Ltd
Contact:
support@practice-toolbox.co.uk
1.4 Categories of Personal Data Processed
The platform may process:
- Staff identity and contact details
- Employment and role information
- Compliance and training records
- Internal communication content
- Workforce operational data
- System usage and audit logs
Special category data may be processed where required for:
- Occupational health administration
- Workforce reasonable adjustments
- Governance compliance processes
Patient clinical data must not be entered into the platform.
1.5 Lawful Basis for Processing
Processing may be carried out under:
- Contractual necessity
- Legal obligations relating to healthcare governance
- Legitimate interests in secure system operation
- Employment law obligations
- Public task where determined by NHS organisations
Healthcare organisations remain responsible for determining lawful bases for their own processing activities.
1.6 Purpose of Processing
Data is processed to support:
- Workforce governance
- Compliance management
- Internal communication
- Operational oversight
- Training administration
- Audit management
The platform is not intended to support clinical decision-making or patient treatment processes.
1.7 Security Measures
Practice Toolbox implements:
- Role-based access controls
- Secure authentication mechanisms
- Encryption of data in transit
- Secure hosting environments
- Audit logging
- Incident detection and response procedures
1.8 Data Retention
Retention periods are determined by:
- Healthcare organisation policies
- Regulatory requirements
- Employment law obligations
- Operational necessity
Certain communication data may be retained for limited operational periods only.
1.9 Data Sharing
Data may be shared with:
- Hosting providers
- Security and infrastructure partners
- Regulatory authorities where legally required
Personal data is not sold.
1.10 Individual Rights
Individuals have rights under UK GDPR including:
- Access
- Rectification
- Erasure (where lawful)
- Restriction
- Objection
Requests should normally be directed to the employing organisation first.
1.11 Incident Management
Practice Toolbox operates incident response procedures aligned to UK GDPR and NHS information governance expectations.
1.12 Changes to this Notice
This notice may be updated periodically. Updated versions will be made available within the platform.
2. Terms of Use
2.1 Platform Purpose
Practice Toolbox supports:
- Workforce management
- Organisational governance
- Compliance monitoring
- Internal operational communication
It is not designed for:
- Clinical record storage
- Direct patient care systems
- Emergency communication
2.2 User Responsibilities
Users must:
- Use the system professionally
- Follow organisational governance policies
- Maintain account security
- Avoid entering patient identifiable clinical information
2.3 Organisational Responsibility
Healthcare organisations remain responsible for:
- Clinical governance
- Regulatory compliance
- Data accuracy
- Workforce decision-making
The platform supports governance processes but does not replace statutory duties.
2.4 Availability
Practice Toolbox aims to maintain high availability but does not guarantee uninterrupted service.
2.5 Security
Users must:
- Protect login credentials
- Report suspected security incidents
- Use secure devices
2.6 Prohibited Use
Users must not:
- Attempt unauthorised system access
- Store clinical records
- Use the system unlawfully
2.7 Liability
The platform supports organisational processes.
Clinical responsibility remains with healthcare providers.
2.8 Termination
Access may be suspended where:
- Terms are breached
- Security risks arise
- Service agreements end
2.9 Governing Law
These terms are governed by the laws of England and Wales.
3. Acceptable Use Policy
3.1 Purpose
This policy ensures safe, professional use of Practice Toolbox.
3.2 Professional Conduct
Users must:
- Communicate respectfully
- Use systems appropriately
- Follow employer policies
3.3 Clinical Data Restrictions
The platform must not be used to:
- Share patient identifiable clinical information
- Replace clinical systems
3.4 Messaging Use
Messaging tools are intended for:
- Informal internal communication
Not for:
- Clinical instructions
- Urgent escalation
3.5 Security Responsibilities
Users must:
- Maintain password confidentiality
- Log out from shared devices
- Report incidents promptly
3.6 Monitoring
System activity may be monitored for:
- Security
- Governance
- Compliance
3.7 Misuse
Misuse may result in:
- Account suspension
- Employer disciplinary action
4. Data Processing Framework
Practice Toolbox processes data only under documented instructions from healthcare organisations.
Processing includes:
- Storage
- Organisation
- Retrieval
- Workflow-based transmission
Appropriate technical and organisational measures are maintained.
Sub-processors may include hosting and security service providers.
5. Information Governance Framework
Practice Toolbox supports organisational IG obligations by providing:
- Access control mechanisms
- Audit trails
- Governance reporting tools
- Policy acknowledgement tracking
- Workforce compliance monitoring
Healthcare organisations remain responsible for maintaining their own IG policies and staff training.
6. DSP Toolkit Position
The platform supports compliance with NHS DSP Toolkit requirements including:
- Access control evidence
- Incident reporting processes
- Workforce governance documentation
- Policy acknowledgement records
The platform does not replace organisational IG responsibilities.
7. CQC Governance Statement
Practice Toolbox supports the CQC Well-Led domain by enabling:
- Governance system oversight
- Workforce compliance monitoring
- Risk management processes
- Policy and audit tracking
It does not replace clinical governance systems or safeguarding processes.
8. ICO Risk Position
Practice Toolbox is:
- Operational governance software
- Not clinical software
- Not medical device software
Risk mitigation includes:
- Clear usage boundaries
- Acceptable use enforcement
- Secure hosting
- Auditability
Acceptance Statement
By continuing to use Practice Toolbox, users confirm that they have read and understood this Legal & Governance Information and agree to comply with its requirements.