AI and Data Governance Policies

Created by Andy Robinson, Modified on Mon, 1 Dec at 12:28 PM by Sam Cybulska

Overview
Data Privacy
Data Security
Data Sovereignty and Residency
Retention and Deletion
AI Usage and Transparency
Compliance Policy
Third-Party Sub-Processor
Customer Rights and Controls
Fairness and Transparency

Overview

This article outlines Streets Heaver's approach to data governance, security, and compliance for Compucare on Azure and its AI features (NIVA). It details the controls, standards, and regulatory frameworks in place to ensure customer data is processed securely and in line with UK legal and industry requirements.

Guest-submitted files are scanned using Microsoft Defender for Storage and Azure AI Content Safety. If any detector flags malware or suspected illegal content, the file is quarantined, the Controller is alerted without undue delay, and the file is destroyed on the Controller’s instruction (or per a pre-authorised standard operating procedure). Streets Heaver, acting as Data Processor, will not access or use the content for any other purpose.

Data Privacy

Ownership: All data input into Compucare (including ecosystem sub-apps) remains the property of the customer. Streets Heaver acts solely as a data processor, not a controller.
Use of Data: Data submitted to our AI features (NIVA) is processed solely to generate responses. It is not used to train, fine-tune, or improve models.
Personal Data Handling: Processing complies with UK GDPR and the Data Protection Act 2018.
De-identification: Any structured, personally identifiable information (PII) is excluded from prompts before processing where feasible. For example, non-structured data could contain information we are unable to redact. It is the responsibility of the controller to ensure the confidentiality of the data entered into prompts.
Streets Heaver Data Privacy Policy: A full data privacy policy is available on request.
Processor role (guest uploads): For guest-submitted files, Streets Heaver acts solely as Data Processor on the Controller’s documented instructions. See Guest Uploads & Illegal Content Handling.

Data Security

Encryption: Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 or stronger.
Access Control: Access is controlled via Compucare's NIVA Hub privileged roles.
Audit & Monitoring: All prompts and responses are logged and auditable for 30 days via NIVA Hub. Token usage and quota are retained for 90 days..
Penetration Testing: External penetration tests are carried out in accordance with the PEN Testing Policy, with findings remediated promptly.
Guest Uploads & Illegal Content Handling
- All guest uploads (PDF/JPG/PNG) are scanned on-ingest using Defender for Storage and Azure AI Content Safety.
- If any scanner returns a blocking verdict, alerts are triggered and the file is moved to a quarantine container with deny-by-default access.
- Streets Heaver alerts the Data Controller without undue delay and destroys the content upon the Controller’s instruction (or per a pre-authorised standard operating procedure).
- Only minimal metadata (hash, size, timestamps, detector verdict) is retained for audit. No content is stored in logs.

Data Sovereignty and Residency

UK Customers: Data is exclusively processed within Microsoft Azure EU regions, ensuring it remains under EU jurisdiction. For more details, see https://azure.microsoft.com/en-gb/explore/global-infrastructure/data-residency/
Assurance: Microsoft guarantees regional residency. No data is transferred across borders without customer consent.

Retention and Deletion

Transient Processing: AI inputs and outputs are retained for 30 days, stored centrally in the Streets Heaver tenant, and then purged after the retention policy.
Logs: Minimal usage operational logging is retained for 90 days, stored centrally in the Streets Heaver tenant, and then purged after the retention policy.
Customer Rights: Customers may request immediate deletion of data at any time, in line with the GDPR right to erasure.
Guest upload blobs: ≤1 mins; quarantine items: ≤6 hours max.

AI Usage and Transparency

Explainability: AI-generated outputs are intended to assist users. Final decisions (clinical, operational, or workforce-related) remain the responsibility of the client.
Accuracy & Bias: NIVA outputs are not guaranteed to be accurate; they must be validated before use/acceptance.
Transparency: Users are informed when NIVA-generated responses are being used.
No Automated Clinical Decision-Making: NIVA is restricted to administrative, workforce, and operational support.

Compliance Policy

UK: Streets Heaver complies with the NHS Data Security and Protection Toolkit (DSPT), UK GDPR, and ICO guidance.
Processes align with ICO guidance on high-risk processing and illegal content handling (notice-and-takedown).

Third-Party Sub-Processor

Azure Only: All AI processing takes place on Microsoft Azure Foundry, under Microsoft’s compliance certifications (ISO 27001, ISO 27018, SOC 2, HIPAA, GDPR).
No OpenAI Direct: Data is not sent to OpenAI’s public API or servers.

Customer Rights and Controls

Consent & Control: NIVA features are opt-in; customers control where and how AI is used.
Training & Support: It is recommended that all users receive instruction on the clear, safe and compliant use of NIVA features.

Fairness and Transparency

Fairness: NIVA usage is regularly assessed for fairness and bias. Response ratings inform ongoing improvements.
Human Oversight: NIVA suggestions are advisory only. Final responsibility always lies with human decision-makers.
Transparency to End-Users: End-users are clearly informed whenever NIVA is generating responses.