Privacy Policy

Last updated: April 2026

Note to site administrators: This policy describes how HomeCare Connects processes data on behalf of your organisation. Your organisation (the NHS trust or healthcare provider that has purchased this system) is the Data Controller. You should supplement this policy with your organisation's own privacy notice as required by your Data Protection Officer.

1. Who We Are

HomeCare Connects is a homecare prescription management platform developed and operated by Auxtechna Ltd. We provide this system to NHS trusts and healthcare providers ("your organisation") as a software service.

For the purposes of UK data protection law, your organisation (the NHS trust or healthcare provider that has licensed this system) is the Data Controller for patient and staff data processed within it. Auxtechna Ltd acts as the Data Processor on your organisation's behalf under a Data Processing Agreement.

Questions about this policy should be directed to your organisation's Data Protection Officer (DPO). To contact HomeCare Connects: info@homecareconnects.co.uk.

2. What Personal Data We Process

Patient data

Identifying information: full name, date of birth, NHS number, address
Contact details: telephone number, email address (where provided)
Clinical data: diagnoses, allergies, current medications, prescription history
Treatment data: dispensed items, delivery records, homecare order status
Prior authorisation data: Blueteq authorisation codes and dates (where applicable)
Portal access: email address and encrypted password (patient portal users only)

Staff data

Name, work email address, job role, ward or team assignment
System access logs and audit trail entries
Authentication credentials (encrypted; passwords are never stored in plain text)

3. Legal Basis for Processing

Data type	Legal basis
Patient clinical and prescription data	Article 6(1)(e) — performance of a task in the public interest; Article 9(2)(h) — medical diagnosis, treatment and management of health care systems
Staff personal data	Article 6(1)(b) — necessary for the performance of a contract (employment)
System audit logs	Article 6(1)(c) — compliance with a legal obligation (NHS Records Management Code of Practice)

4. How We Use Your Data

Managing homecare prescriptions from prescribing through to dispensing and delivery
Enabling clinical pharmacists to conduct clinical checks on prescriptions
Facilitating communication between NHS trusts and homecare dispensing suppliers
Providing patients with a secure portal to view their prescription and delivery status
Maintaining audit trails for clinical governance and regulatory purposes
Sending prescription and status notifications to patients (where consent has been given)

Your data is never used for marketing, profiling, or sold to third parties.

5. Who We Share Data With

Homecare dispensing suppliers — prescription and patient details are transmitted to the dispensing supplier appointed by your organisation, to enable dispensing and delivery of homecare medicines.
NHS systems — where integrated, data may be verified against NHS national systems (e.g. NHS CIS2 identity service for staff authentication).
Auxtechna Ltd (system operator) — as data processor, Auxtechna Ltd has access to the system infrastructure for support, security monitoring, and maintenance purposes only, under contractual obligations.
Hosting provider — pre-production and evaluation environments are hosted on Railway (Railway Corp). Live production environments for NHS End User Organisations are hosted on Microsoft Azure UK regions (UK South / UK West), under the Microsoft Online Services Data Protection Addendum. All personal data is stored and processed within the United Kingdom.

No patient data is transferred outside the UK.

5a. NHS Care Identity Authentication (CIS2)

If you access this service using your NHS Care Identity credentials, the identity access and management services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For any such personal information, our role is a "processor" only and we must act under the instructions provided by NHS England (as the "controller") when verifying your identity. To see NHS England's Privacy Notice and Terms and Conditions, view the NHS Care Identity Service 2 page on the NHS Digital website. This restriction does not apply to the personal information you provide to us separately, which is managed in accordance with this Privacy Policy.

6. How Long We Keep Your Data

Your organisation, as Data Controller, sets retention periods in line with the NHS Records Management Code of Practice. As a general guide:

Adult patient records — minimum 8 years after last treatment
Children's records — until the patient's 25th birthday (or 26th if treatment ended at 17)
Mental health records — minimum 20 years after last contact
Staff access logs and audit trails — minimum 8 years

When your organisation's contract with HomeCare Connects ends, data will be exported and deleted from the system in accordance with the Data Processing Agreement.

7. Your Rights

Under UK GDPR you have the following rights:

Right of access — you can request a copy of the personal data held about you
Right to rectification — you can ask us to correct inaccurate data
Right to restriction — you can ask us to restrict processing in certain circumstances
Right to object — you can object to processing based on public task or legitimate interests
Right to data portability — where processing is based on consent or contract and is automated
Right to erasure — in certain circumstances (note: this right is limited for health records subject to legal retention obligations)

To exercise any of these rights, contact your organisation's Data Protection Officer. Patient portal users may also update their contact details directly within the portal.

8. Cookies

This system uses only strictly necessary cookies. These are required for the system to function and are exempt from cookie consent requirements under the UK Privacy and Electronic Communications Regulations (PECR).

Cookie	Purpose	Duration
`.AspNetCore.Identity.*`	Secure authentication session	Session / sliding expiry
`.AspNetCore.Antiforgery.*`	Protection against cross-site request forgery (CSRF)	Session
`.AspNetCore.Session`	Server-side session state	Session

No tracking, analytics, advertising, or third-party cookies are used.

9. Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted data transmission (TLS), bcrypt password hashing, role-based access controls, comprehensive audit logging, and automatic session timeouts. Access to production data is restricted to authorised personnel only.

10. Changes to This Policy

We may update this policy from time to time. The date at the top of this page indicates when it was last revised. Continued use of the system after an update constitutes acceptance of the revised policy.

11. How to Complain

If you have concerns about how your data is being handled, please contact your organisation's Data Protection Officer in the first instance.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113