Privacy Notice
Welcome to the Health and Care Innovations Limited Privacy Notice
This Privacy Notice has been produced to help you understand everything you need to know about the way we collect, use, and share personal data, what your legal rights are, and how to exercise them.
Health and Care Innovations Limited takes its responsibility for protecting your data very seriously and we hope you’ll take some time to read this document; we’ve tried to keep it all as simple as possible and to avoid, or explain, jargon. If there’s anything here you don’t understand, or if you want to ask any questions, please feel free to contact us.
Who are we?
We are Health and Care Innovations Limited and under the UK General Data Protection Regulations (UK GDPR) we are the data controller and responsible for your personal data.
Our trading address: Teignbridge Business Centre, Heathfield, Newton Abbot, Devon, TQ12 6TZ
Our registration number: 08955041
In this document Health and Care Innovations Limited may be referred to as “we”, “us”, “our” or “HCI”.
We may make changes to this Privacy Notice
We regularly review and, where necessary, update this Privacy Notice. If this should happen and you are using our app, we will notify you in the app that there is a change and explain the changes. If you are happy with the changes, you will then need to accept the new version of the Privacy Notice before continuing to use our app.
If you are accessing our services using a website we reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice on the website when we make any substantial changes.
What kinds of personal data do we collect and process?
Health and Care Innovations Limited collects personal data for various purposes; with that in mind we have created a list of the types of personal data that we may collect, either directly from yourself or from other sources, in order to achieve those purposes.
The kinds of personal data we may collect include:
Patients and App Users
Name, date of birth, NHS number, address, telephone, email, patient data, medical data (including appointment information, medication information and health score information)
Clinicians
Name, address, telephone, email
Applicants / Temporary staff / Volunteers / Interns
Name, address, telephone, email, bank account details, NI numbers
Professional Contacts
Name, address, telephone, email
Actors and Script writers
Name, address, telephone, email, bank account details, NI numbers
Our products and services are not intended for use by children. If you wish to report any use or knowledge of a child accessing the app and providing personal data without parental consent, please contact us using the contact details provided at the bottom of this Privacy Notice.
Why do we collect personal data?
We collect data for a number of reasons, which are described below, and we ensure that our data processing activities are conducted in accordance with the requirements of the UK GDPR.
We only ever collect and store personal data required to provide our services to you.
Contractual necessity and legal obligation - UK GDPR Article 6 (1) (b) and (c)
Health and Care Innovations Limited uses personal data firstly to fulfil any contractual obligations that exist between us and yourself. Where we request personal data be provided to enter into, or meet the terms of any such contract, you will be required to provide the relevant personal data or we will not be able to deliver the goods or services you want. In such cases the lawful basis of us processing the personal data is that it is necessary for the performance of a contract.
We are required by law to process personal data for purposes relating to our legal obligations, these include:
- To provide for our financial commitments, or to relevant financial authorities.
- To comply with regulatory requirements and any self-regulatory schemes.
- To provide safeguarding or to meet other legal duties.
- To carry out required business operations and due diligence (e.g. administration, reorganisations, security, investment or corporate/asset sales).
- To cooperate with relevant authorities for reporting criminal activity, or to detect and prevent fraud.
- To investigate any insurance claims, claims of unfair dismissal, claims of any kind of harassment or of discrimination, or any other claim where we may have to defend ourselves.
Where you have given consent - UK GDPR Article 6 (1) (a)
We may process your personal data where we have received a request from you or your consent or agreement to do so.
You may withdraw your consent for us to process your personal data at any time. After a withdrawal of consent request is received, we may have to contact you to verify the request.
Withdrawing your consent for us to process your personal data will not affect the lawfulness of the processing beforehand.
Legitimate business interests - UK GDPR Article 6 (1) (f)
We may process personal data for any of the following purposes, which are considered to be within our legitimate business interests:
- To provide our goods and services where they have been requested,
- To provide a pathway of care for your health including recording and analysing medical symptoms, booking and managing appointments, providing you with information relating to your condition, assisting you to manage your medications,
- To provide information regarding your conditions to your health care providers and other agencies to assist with your direct care,
- To update you of service issues at your providers of care which may have an impact on your engagement with them,
- To invite you to participate in research in fields and disciplines you may be interested in,
- To facilitate the completion of research initiatives,
- To inform you of goods and services we provide or offers that may interest you,
- To send notification on subjects where you have asked to be kept informed,
- To send notifications of any changes to the goods and/or services provided that may affect you,
- To improve the quality of the services we offer, and to better understand our customers’ needs by requesting feedback, or reviews of the services provided, or sending survey forms,
- To improve our services so that they are delivered more efficiently,
- To understand the scale of our customer base; for statistical analysis and market research,
- To recognise when people re-engage with us,
- To allow us to support and maintain our products in active service,
- To provide reference information to third party organisations when necessary,
- To improve our website so content is delivered more efficiently,
- To enhance the security measures in place that protect data we are responsible for,
- To protect our assets.
Special Category Personal Data - UK GDPR Article 9 (2) (h) and (j)
Data concerning health information is considered to be a Special Category of Personal Data under the UK GDPR and we may process your data for the following reasons on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in Paragraph 3 of UK GDPR:
- Preventive or occupational medicine,
- For the assessment of the working capacity of the employee,
- Medical diagnosis,
- The provision of health or social care or treatment (this is likely to include social work, personal care and social support services),
- The management of health or social care systems and services,
- Scientific or historical archiving, research or statistical purposes.
Where do we obtain your personal data?
We will collect personal data directly from you in various ways. This could include:
- When you complete an online form,
- When you use this service,
- When you provide the data directly to a representative of HCI,
- From your health care providers and all departments and health care professionals within your health care providers,
- From devices linked to the internet that you have given us permission to connect to,
- From fitness tracking devices such as smart phones, watches, Fitbit and Garmin and telemedicine devices such as heart and blood pressure monitors, scales and movement tools etc.
- From platforms that make use of device settings that allow geographical location tracking, such as IP Address mapping, WiFi, GPS signals and cell tower positioning,
- From publicly accessible sources such as (but not exclusively) LinkedIn, Twitter, web searches and other organisations' websites,
- From third party organisations, which can mean your personal data has been provided directly by another company for a specific purpose, or where you may have accessed our platforms through a third party online service,
- From third-party organisations provided for a specific purpose,
- From local or national authorities, provided for specific purposes.
Using your NHS Number
To deliver some of our services we will confirm your NHS number through an NHS Digital service called the Personal Demographic Service (PDS).
We use your NHS number to verify your identity so that your health care professionals can be confident that they are providing you with the best direct care.
HCI sends your name, date of birth and NHS number to the PDS in order to find and verify your NHS number.
Once retrieved from the PDS, your NHS number is stored in our databases.
We will share information only with health and care professionals directly involved in your care.
Access to information is strictly controlled, based on the role of the professional, and where the user of the information has a direct care relationship with you.
Who will we share your personal data with?
To achieve the above stated purposes for which we process your personal data, we may have to share your personal data with certain third parties.
We shall make all reasonable efforts to ensure that any third-party we share your personal data with is also compliant with Data Protection law.
The kinds of third parties we may share your personal data with include:
- Other members of our group of companies, which includes any subsidiary, investing or holding company (each as defined by the Companies Act 2006) of Health and Care Innovations Limited. In the event that we sell or reorganise our business, or if otherwise required by law or by an authorised regulator, we may transfer your personal data as a part of the general business data to the relevant parties,
- Departments and health care professionals within any health care provider's setting that are delivering services to you through our services. We will share information only with health and care professionals directly involved in your care,
- Organisations where it is necessary to provide our goods or services, or to set up various resources,
- Third parties with whom we share anonymised information. In such an event the data will be appropriately anonymised in accordance with the Information Commissioner’s guidance,
- Third party organisations acting as data controllers, or specific individuals, groups or other organisations who act as neither data controllers nor data processors, but only where we are either legally required to do so by law or where doing so is necessary to achieve the intended stated purpose of processing the data.
The specific types of third-party Health and Care Innovations Limited may share your personal data with include:
- Breath HR: Provision of HR solution
- Xero: Provision of Finance solution
- Purple: Provision of IT services
- Mailchimp: Provision of marketing software
Please note, Xero and Mailchimp transfer personal data to countries outside the European Economic Area. Where this is the case, there is a UK International Data Transfer Agreement in place to protect your personal data.
Where will we store your personal data?
The data we collect is stored in our databases in Amazon Web Services (AWS) which are located in the UK.
We understand that encryption can be an appropriate technical measure to ensure that we process your personal data securely and we have an appropriate policy in place governing our use of encryption.
Your data is encrypted in transit between your device and our databases and whilst in storage.
Your data is protected by HCI and AWS using best practice to meet current industry best standards such as FIPS 140-2 and FIPS 197.
We understand the residual risks that remain, even after we have implemented our encryption solutions and we ensure that we keep our encryption solutions under review in the light of technological developments.
If we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission,
- Where the data transfer is necessary in order to fulfil a contract between us and yourself,
- Where we have received your specific consent after having made you aware of any risks involved,
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
How long will we keep your personal data?
We will keep your personal data only for as long as required to achieve the purposes for which it was collected, in line with this Privacy Notice.
The following criteria are what determine the period for which we will keep your personal data:
- We will consider the amount of and sensitivity of the personal data we have, the amount of harm that could be caused by a data breach, the benefits of the purposes the data is being used for and any legal requirements that we are bound to,
- Until we are no longer required to do so to comply with regulatory requirements or financial obligations,
- Until we are no longer required to do so by any law we are subject to,
- Until all purposes for which the data was originally gathered have become irrelevant or obsolete,
- Until it has been requested that we no longer process the data and that it is erased; in some cases, where there is a remaining relevant or legal reason why we are required to keep this data, we may opt to restrict the amount of processing being conducted to what is absolutely necessary, rather than erase it,
- When data is deleted at your request or in line with our retention policy, it will be securely destroyed in our backups and live systems in accordance with applicable laws and industry best standards.
Your Rights, Our Responsibilities
There are several rights granted to you immediately upon providing us with your personal information; some of these are mentioned above. We’d like you to know that we take your rights seriously and will always conduct ourselves in a way that is considerate of our responsibility to serve your legal rights.
If you wish to exercise any of your rights we will always aim to respond to any request from you within 2 months.
These rights include:
Right to Opt-Out of NHS Data
Where NHS data is concerned, since May 2018, you are allowed to Opt Out of any of your data being used for research purposes. With future apps being developed, HCI may start to collect NHS data. Information about your health and care helps the NHS to improve your individual care, speed up diagnosis, plan your local services and research new treatments.
In May 2018, the strict rules about how this data can and cannot be used were strengthened. You can choose whether your confidential patient information is used for research and planning.
To find out more visit: https://www.nhs.uk/your-nhs-data-matters
You also have the right to object to the processing of your NHS number.
This will not stop you from using some of our services, but may reduce some of the functionality available to you.
The Right of Access
This grants you the right to confirm whether or not your personal data is being processed, and to be provided with relevant details of what those processing operations are and what personal data of yours is being processed.
If you would like access to the personal data we have about you, we ask that you contact us using the details below.
The Right to Rectification
This one is fairly straightforward; if you notice that the data we have about you is inaccurate or incomplete, you may request we rectify the mistake. We will make every effort to respond to requests of this type immediately.
The Right to Erasure
Otherwise known as the ‘right to be forgotten’, this gives you the right to request your personal data be deleted.
This is not an absolute right; if you were to request that we erase your personal data, we would erase as much of that data as we could but may have to retain some information if it is necessary.
Where we have received a request for personal data to be erased, if it is necessary for us to retain some of that information we shall ensure that the remaining data is used only when and where it is absolutely necessary.
The Right to Objection
The right to object is a basic freedom all democracies enjoy. If you wish to object to the way we use, or have used, your personal data you may do so freely.
The Right to Data Portability
This is a legal right afforded to you that states we must pass on all of the details you have provided to us in a machine-readable format, either to you or to another provider of your choosing.
Rights related to automated decision making including profiling
No automated decision making is used in our products or services.
The Right to Complain
We will always try to maintain the highest standards and encourage the confidence our customers have in us as an organisation. In order that we can achieve this we do request that any complaints be first brought to our attention so we can properly investigate matters.
If, however, you would like to complain about us to a supervisory authority, you may do so by contacting the Information Commissioner's Office on 0303 123 1113, or by any of the other reporting methods listed on their website: https://ico.org.uk/concerns
Who is our Data Protection Officer?
David Birkinshaw
Kaleidoscope Consultants Limited
East Side
Kings Cross
London
N1C 4AX
Email: dpo.hci-digital@kdpc.uk
https://kaleidoscopeconsultants.com
How can you contact us?
Lastly, if you wish to get in touch with us please use any of the following contact details:
Health and Care Innovations Limited
Teignbridge Business Centre
Cavalier Road
Heathfield
Newton Abbot
TQ12 6TZ
Telephone: +44 01626 833937
Online: www.hci.digital/contact-us
Email: info@hci.digital