Streamlined Forensic Reporting Limited

Governance and compliance


We take privacy very seriously and have put several processes into place to ensure that our products, services and workstreams are compliant.

Employee vetting

All staff undergo an assessment as part of the application process, and everyone who has access to sensitive information is subject to additional checks, regardless of their location. All staff with access to sensitive information undergo vetting to an appropriate standard as defined by the Warwickshire Vetting Unit. All operational staff are certified medical professionals in verified good standing with their governing bodies.


Technology

We often get questions about our technology solutions and security protocols, and have put together several supporting documents which we are happy to share. These technical documents and Q&As can help with your business case, with filling out a DPIA, or with ensuring your DPO understands how our process works. We also have several policies in place which all staff must adhere to, including a Data Protection Policy, a Data Retention & Deletion Policy and a Password Policy.

SFR Medical uses the following media to share sensitive patient information, both internally and externally:

  • Microsoft Dynamics and CDS database
  • Microsoft Power Portals
  • NHS Digital platform (NHSmail, Egress and NHS OneDrive)

All sensitive data is stored in NHS OneDrive / Microsoft Dynamics UK datacentres and is accessed by authorized SFR Medical staff only, via Azure virtual machines (VMs). The Azure VMs ensure that

  • users cannot copy or store any information outside of the virtual machines
  • access to emails and virtual machines is granted to only those who need it, and who have been approved by the CMO and CTO
  • multifactor authentication (per NHS Digital guidelines) is enabled for email, OneDrive, VM access and applications, to provide additional protection against potential cyber-attacks

The NHS email system is end-to-end encrypted and allows for secure transmission, mitigating the risks of paper loss, electronic device loss and inadvertent information disclosure. The NHSmail Live Service is accredited and compliant with ISO 27001 as well as a number of other security standards. It has been approved as a permitted method of emailing personally identifiable data (PID) or confidential data in the UK (https://digital.nhs.uk/services/microsoft-office-365-for-the-nhs).

In addition, Microsoft ensures that data at its datacentres (data at rest) and data in transit are encrypted to minimize security risks. Microsoft Dynamics follows industry-standard encryption protocols and provides strong access management through multifactor authentication and Azure Security Center. The Microsoft Cyber Defense Operations Center (CDOC) protects Microsoft's cloud infrastructure and customers from evolving threats.

We comply with the relevant guidelines with regard to data retention. During the retention period, data is stored by SFR Medical in secure Azure Blob storage.

SFR Medical is Cyber Essentials certified and complies with the 14 Cloud Security Principles.


Consent form modification

For SFR Medical to have freedom to operate and to maintain full ICO compliance, our name and a reference to our Privacy Policy should be inserted into a force's consent form. We will provide data security, appropriate policies and assurances, as well as insurance.