Privacy Notice

Who are we?

We are Health and Care Innovations Limited and under the UK General Data Protection Regulation (UK GDPR) we are the data controller and responsible for your personal data. However, there are circumstances whereby we become a processor of your data. These are explained later in this Privacy Notice.

We are required to register with the Information Commissioner’s Office and our registration number is ZA281329.

Our trading address: Teignbridge Business Centre, Heathfield, Newton Abbot, Devon. TQ12 6TZ

Our Company registration number: 08955041

In this document Health and Care Innovations Limited may be referred to as “we”, “us”, or “our” or “HCI”.

About our Privacy Notice

This Privacy Notice has been produced to help you understand everything you need to know about the way we collect, use, and share personal data, what your legal rights are, and how to exercise them.

We regularly review and where necessary update this Privacy Notice. We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice on our website when we make any substantial changes.

Health and Care Innovations Limited takes its responsibility for protecting your data very seriously and we hope you’ll take some time to read this document; we’ve tried to keep it all as simple as possible and to avoid, or explain any jargon. If there’s anything here you don’t understand, or if you want to ask any questions, please feel free to contact us (our contact details are at the end of this Notice).

Why do we collect your personal data and what do we use it for?

We collect your personal data for a number of reasons which are described below. These are our ‘purposes’ for processing (using) your personal data. We ensure that our data processing activities are conducted in accordance with the requirements of the UK GDPR.

We only ever collect and store personal data required to provide our services to you. We have created individual sections where each different use is described in more detail in this Notice, and these are:

A: Our CONNECTPlus mobile application

B: Our Video Libraries

C: Our websites and running our business

A. Personal data we collect if you use our CONNECTPlus mobile application

What do we use CONNECTPlus for (our ‘purposes’)?

The CONNECTPlus application (the ‘app’) is used:

By individuals like you to manage their health and wellbeing,
By health and care providers to help their patients manage their health and benefit from treatment. This includes the option for patients like you to share information about their health with their medical professionals, and
By companies who buy access to our application to help employees manage their health and wellbeing.

There are three different ways in which you can choose to use CONNECTPlus:

Install only, which limits the functions you can use on the app
Register, so you can use the interactive features of the app
Register and use the app to share information with your care provider

The sections below describe the different implications of each of these options in respect of your personal data.

1. Install only

If you choose to download the app but not register, you will only be able to see the education and information content in the app. You will not be able to use the interactive features.

As a result, we will not collect or process any personal data about you.

2. Register and use the interactive features of the app.

What do we use CONNECTPlus registration for (our ‘purposes’)?

If you register to use the app, we will collect your name and email address. You will be asked to create a password to gain access to the app.

In addition you will have the option to record your date of birth and NHS number in the app. This is your choice and you do not need to give us this information.

If you do give us this information, we will use this information to verify your details against the NHS Personal Demographic Service (PDS) records.

Apart from this verification process, we will only share your information with your health and care providers, employer, or insurance companies if you have given us your explicit consent in Section 3 below.

We will not share your personal information with any other organisations other than when required by law or the organisations who are listed in Section C below. These are organisations who help us provide this service to you.

As a result of registering for an account on the app you will be able to access the education and information content in the app and additionally record information about your health (for example details about your medications, appointments, your symptoms, your treatment and other health issues). This is called ‘special category data’ in the General Data Protection Regulation.

Your personal data will be stored in our Amazon Web Services (AWS) servers in the UK.

Access to your information is strictly controlled, based on the role of our staff in HCI, and this is audited by our systems.

We may anonymise your personal data so that we can use it to conduct research into yours and others’ interactions with our app, and the effect it has on things like attitudes to health. This is essential to help us develop the clinical elements of our service in the future.

From time to time we may also contact you about our research or any improvements we are planning to make in order to gauge your reaction or to send you a survey about how we provide our services. These will mainly be conducted ‘in app’ but may also include options to take part by email. We will only contact you by email if we have your explicit consent to do so.

What data do we collect?

In summary, if you register for an account on the app we will collect the following data about you:

Name, email address, and information relating to your health.
We may also collect your date of birth and NHS number.

What is our lawful basis?

UK GDPR requires that we justify our use of your personal data (such as name, date of birth, NHS number) and special category data (such as health data). These lawful bases are listed in Article 6 and Article 9 of the UK GDPR.

When you download and give us your email address and create a password to register an account with us, we use the lawful basis of forming a contract between us to provide you with the CONNECTPlus application (Article 6(1)(b)).

When you record additional information about your health you are giving us your explicit agreement to use your data (Article 9(2)(a)).

So that we can provide and manage the application, monitor your use, develop enhancements and assist you if you need help we believe that we have a legitimate interest in using your personal data so that we can ensure that the app works correctly and our users are happy with its use (Article 6(1)(f)).

We will also process your personal data in order to anonymise it to research how people interact and improve their health and wellbeing outcomes by using our application. All information relating to you or that could be used to identify you is removed in this process, giving us a pool of data that cannot be used to trace it back to you. This is essential to help us develop the clinical elements of our service in the future. To do this, we rely on the legal bases of legitimate interests (Article 6(1)(f)) and the Article 9(2)(j) exemption related to research.*

*Where this legitimate interest extends to research, we are required to undertake and provide appropriate safeguards to protect you. In this case, those safeguards will be to create a new, anonymised dataset where all the possible identifiers are removed so that it cannot in any way be linked back to you or joined up with other data about you in order to identify you.

What about if I remove the app or remove my consent to any of the purposes?

If you remove the app our systems will receive a notification and we will delete all your information and you will no longer be able to use the full functionality of the application.

3. Register and use the app to share information with your care provider

What do we use CONNECTPlus registration and data sharing for (our ‘purposes’)?

HCI works with your health and care teams (such as in a hospital, GP practice, other care provider, or insurance company) to help patients like you to manage their health and benefit from treatment. This includes the option to share information about their health with their health and care teams.

When you choose to share your information with them, you will be informed within the app that the information will be made available to your health and care provider.

In order for us to share your data with your health and care provider we use your NHS number and date of birth to verify your identity to make sure that we provide your clinician with information about the correct person.

To verify your identity we send your name, date of birth and NHS number to the Personal Demographic Service (PDS). Once confirmed with the PDS, your NHS number is stored in our databases.

It is important to understand that where we provide this service, we provide it under a contract with your health and care provider under which your health and care provider becomes responsible in law for your personal data instead of us.

If you have any questions about how they use your personal data, you should refer to their privacy notice on their website. This will explain how they use your data and how you can exercise your rights in respect of your data.

What information do we share when you agree?

Name, date of birth, NHS number, email, medical data (including details about your medications, appointments, your symptoms, your treatment, other health issues and any questionnaires or other information your health and care provider has asked you to record through the app).

What is our lawful basis?

We have a contract in place with your health and care provider which is compliant with Article 28 of the UK General Data Protection Regulation in order to provide this service to you.

What happens if I switch off sharing with my health and care provider?

If you switch off your data sharing we will no longer share any more information with your health and care provider but the data you have already provided to them will be available as it may form a part of your medical record. You should contact your health and care provider about what they use your personal data for.

B. Personal data we collect if you use our Video Library

What do we use the Video Library for (our ‘purposes’)?

HCI provides the Video Library to give you information to help you manage your own health and care and your interactions with your health and care professionals.

What data do we collect?

We don’t process any personal data when you view the videos on the Video Library.

However, if you complete our Video Library Survey you will be asked to provide some demographic information. This information will not enable us or anyone to identify you and as a result is not personal data that is subject to the requirements of the UK GDPR. You do not have to provide this information if you don’t want to.

We will share this demographic information with the organisation(s) that sponsors Video Library so that we and they can better understand the views of our users of the Video Library so we can improve the services that we offer to you and patients like you.

Access to information is strictly controlled, based on the role of our staff in HCI and in the sponsoring organisations.

What data do we collect?

When you complete the Video Library Surveys we may collect the following data: Age, partial details of your postcode, gender, marital status, carer role, parental status, conditions and health status, communication needs, ethnicity.

What is our lawful basis?

UK GDPR requires that we justify our use of your personal data (such as postcode, age) and special category data (such as health data, ethnicity, sexual life and preference). These lawful bases are listed in Article 6 and Article 9 of the UK GDPR.

When we use your information in this way as part of our Video Library Surveys we rely on the legal basis of consent under Article 6(1)(a).

C. Personal data we collect to run our websites, our business systems and to manage our customers and members of the public

What do we use our websites and systems for (our ‘purposes’)?

We capture data from our websites, our business systems and other public sources such as LinkedIn, Twitter and other public registers for the purposes of running our business, our websites, managing our financial accounting, and the account management of new and existing customers.

What data do we collect?

Name, address, organisation, role, email and phone number.

What is our lawful basis?

Our lawful basis is the management of our business and our relationship with our customers, including managing business interactions and managing our website in order to run our business effectively and efficiently (Article 6(1)(f)).

Where we collect email addresses from the website and enter people on to our mailing lists or contact database, we rely on consent under Article 6(1)(a).

Other information you need to know about your rights in respect of your personal data

Your rights are enshrined in UK GDPR. If you want to exercise any of your rights that are listed below, please contact us using the details provided at the bottom of this section.

The Right of Access

This grants you the right to confirm whether or not your personal data is being processed, and to be provided with relevant details of what those processing operations are and what personal data of yours is being processed, including access to copies of the data.

The Right to Rectification

If you notice that the data we have about you is inaccurate or incomplete, you can request we rectify the mistake. We will make every effort to respond to requests of this type immediately.

The Right to Erasure

Otherwise known as the ‘right to be forgotten’; this gives you the right to request that your personal data is deleted.

The Right to Objection

You have the right to object to how we use your information.

The Right to Data Portability

This is a legal right afforded to you that states we must pass on all of the details you have provided to us in a machine-readable format, either to your or to another provider of your choosing.

This right is only available when it is technically feasible to do so and, as our app is proprietary software, this is not currently an option.

Rights related to automated decision-making including profiling

No automated decision making is used in our products or services.

The Right to Complain

We will always try to maintain the highest standards and encourage the confidence our customers have in us as an organisation. In order that we can achieve this we do request that you raise any complaints with us so we can properly investigate matters.

If however you would like to complain about us to a supervisory authority you may do so by contacting the Information Commissioner's Office on 0303 123 1113, or anyone of the other reporting methods listed on their website – https://ico.org.uk/concerns.

How long will we keep your personal data?

We will keep your personal data only for as long as required to achieve the purposes for which it was collected, in line with this Privacy Notice.

The following criteria are what determine the period for which we will keep your personal data:

We will consider the amount of and sensitivity of the personal data we have, the amount of harm that could be caused by a data breach, the benefits of the purposes the data is being used for and any legal requirements that we are bound to,
Until we are no longer required to do so to comply with regulatory requirements or financial obligations,
Until we are no longer required to do so by any law we are subject to,
Until all purposes for which the data was originally gathered have become irrelevant or obsolete,
Until it has been requested that we no longer process the data and that it is erased; in some cases, where there is a remaining relevant or legal reason why we are required to keep this data, we may opt to restrict the amount of processing being conducted to what is absolutely necessary, rather than erase it.

When data is deleted at your request or in line with our retention policy, it will be securely destroyed in our backups and live systems in accordance with applicable laws and industry best standards.

Who do we share your information with?

The following table describes the organisations or organisation types we share your personal data with in order to be able to manage our business and deliver our services including the CONNECTPlus app and the Video Library.

Name: Amazon Web Services (AWS)
Role: AWS cloud data services
Security: Your data is protected by HCI and AWS using best practice to meet current industry best standards such as FIPS 140-2 and FIPS 197. All data are encrypted both in transit and at rest.
Location: UK datacenter

Name: Google Workspace
Role: Email, word processing, and non-personal data storage
Security: Mandatory Multi Factor Authentication for all user accounts, minimum 16 character password changed annually
Location: US and Europe

Name: Sentry.io
Role: Application monitoring
Security: https://sentry.io/trust/privacy/. Sentry data is hosted on Google Cloud Platform, which encrypts all data at rest by default, in compliance with the Privacy Rule within HIPAA Title II. Sentry also exercises strong access control and technical and administrative safeguards in compliance with HIPAA’s Security Rule.
Location: USA

Name: Xero
Role: Provision of our finance solution
Security: Mandatory Multi Factor Authentication on all accounts. Encrypted at rest and in transit to industry standards
Location: New Zealand and worldwide. For third countries Xero use EU Standard Contractual Clauses

Name: Google Analytics
Role: Provision of our marketing software
Security: Mandatory Multi Factor Authentication on all accounts
Location: USA

Name: Mailchimp
Role: Analytic data for our websites and platforms
Security: Mandatory Multi Factor Authentication on all accounts
Location: USA

Please note, there is a UK International Data Transfer Agreement in place to protect personal data where the companies listed in the table above transfer personal data to countries outside the European Economic Area.

We may also share your data for the following reasons:

Other members of our group of companies, which includes any subsidiary, investing or the holding company (each as defined by the Companies Act 2006) of Health and Care Innovations Limited,
In the event that we sell or reorganise our business, or if otherwise required by law or by an authorised regulator, we may transfer your personal data as a part of the general business data to the relevant parties.

Who is our Data Protection Officer?

Kaleidoscope Consultants Limited

East Side

Kings Cross

London

N1C 4AX

Email: dpo.hci-digital@kdpc.uk

https://kaleidoscopeconsultants.com

How you can contact us

If you wish to get in touch with us please use any of the following contact details:

Health and Care Innovations Limited

Teignbridge Business Centre