What this Policy is about
At Invizo Limited (trading as the Children’s e-Hospital) we are committed to protecting any personal information which we may hold about you. This policy explains the types of information which we may collect and how we treat and use that information.
We comply with the various requirements set out in the Data Protection Act 1998 which regulate how personal information should be treated. Invizo Ltd is registered with the Information Commissioner’s Office (registration number ZA120145).
GDPR (General Data Protection Regulation) took effect on 25th May 2018 and from that date we are required to ensure that we gain a new data protection and privacy consent from all clients. In it (amongst other things) we confirm what information we hold about you and how we are permitted to use it. All of our registered patients will therefore be asked to consent to the holding of their data as per GDPR rules.
What is meant by “personal data”?
For the purposes of the Data Protection Act 1998, personal data is information which relates to a living individual who can be identified from that information. Common examples of personal data used in day to day business activities include names, addresses, telephone numbers, email addresses and in some cases, CVs and salary or other payment details. Some information is considered to be “sensitive personal data” for the purposes of the legislation. This would include for example, information about racial and ethnic origin and mental or physical health.
The type of information that we may hold
The information which we may gather and hold about you will depend in part on how you use our website (www.e-hospital.co.uk). For example, if you are a member of the public and you send us your contact information in order to sign up to our health alerts or you wish to register with our service, then we will hold your name and contact details such as your email address. Similarly, if you contact us using the contact link on our website then we may retain any emails which you send to us and any personal information which is included in them. If at any time we provide to you any paid-for services, we will also hold transaction details.
The information which we may hold may be in computerised or in some cases, paper format.
We may also collect information about your use of our website as you browse and may use that information to personalise content. That information may not necessarily constitute personal information however and further information about this is provided in our Cookies Policy.
Certain functions on our website are reserved for use by medical professionals only and where they have registered with us for use of those functions. As part of using that functionality, we will also need to hold certain information about those registered users such as name, contact details, place of work, job title and qualifications.
From time to time, we may also invite people who are interested in working with us, to send relevant information such as a CV.
Your consent to our use of your information
By providing us with any personal information, you understand and agree to our using the personal data in accordance with this policy and for the purposes for which you sent us the information.
If you provide any personal data to us about any other person then you must have the express agreement of that person to disclose that information or should otherwise be in a position to disclose it, for example if you are a parent disclosing information about your child. You should only disclose personal data about any other person where you have the appropriate consent and authority to do so.
Similarly, if you are a minor (aged under 16 years) you should also have the permission of your parent or guardian before disclosing any personal information to us.
How your personal data will be used
We will treat your personal data securely and we have in place procedures to adhere to our obligations under Data Protection law. Our data servers are based on the Microsoft Azure cloud infrastructure which is trusted by many of the world’s leading enterprises and government agencies. GDPR imposes restrictions on the transfer of personal data outside the European Union. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. To ensure we comply with GDPR, the data centres that we use are located in the European Union. Going forwards, in view of the lack of clarity from the UK Government and European Union about how Brexit might impact GDPR, the data company that we use have invested in the necessary infrastructure to allow them to re-locate their data centres so that they remain compliant with future regulatory and legal requirements, should this prove necessary. The servers that we use are protected by 256-bit SSL encryption.
Provision of a patient specific ID allows us to protect your privacy by displaying your ID (instead of your name) in our diary, documents, notes and emails and thereby avoiding the need to transmit PII (Patient Identifiable Information). The medical records that we keep on you (or your child) will be used to provide medical care for you in keeping with “Good Medical Practice” as outlined by the General Medical Council. If a safeguarding situation arises we have to, by law, inform the police or social care to ensure that no harm comes to a child or adult.
The uses which we make of your personal data may include (though are not limited to), us using information to deal with queries and enquiries, administer and maintain records of any staff or contractors where relevant, provide services whether paid for or otherwise, send out our health alerts and other communications and generally, for the proper administration of our business.
We may also use your personal information to keep you up to date with services which may be relevant to you such as to tell you about any training events which we may be running and we may contact you by post, phone or in most cases, by email. If you decide that you no longer wish to receive information from us then you can let us know at any time by emailing us at email@example.com or follow the instructions on our health alerts or other communications.
From time to time, it may become necessary or appropriate to disclose your personal data to carefully selected third party organisations, for example where we use an external organisation to provide services such as IT systems support or external consultants who may help us in our core business function. If this is the case, we will only disclose your personal data in compliance with our obligations under the Data Protection Act and GDPR which means that we will put the appropriate safeguards in place when disclosing any such personal data about you. Where we use third party IT service providers, this may include information being transferred outside the European Economic Area (EEA) for example, depending on where our service providers’ servers or computers are located.
We may disclose personal information in response to a legal process, for example, in response to a court order. We may also disclose data in response to a law enforcement agency’s request or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person or as otherwise permitted or required by law and in accordance with legal requirements.
We will retain the personal data on our records for as long as we have a business requirement to retain it.
A person about whom we hold personal data has a right of access to that information. This means that you may submit a request at any time and you will usually be entitled to a description of your data which we hold and the purposes for which the data is being processed. Any such requests should be made in writing and should be addressed to The Children’s e-Hospital, PO Box 748, Wetherby, LS22 9FS or via email address: firstname.lastname@example.org. We aim to deal with requests for access to personal information as quickly as possible but will ensure that such requests are dealt with within 30 days of receipt of your request unless there is good reason for delay (as per Article 15 of GDPR). We reserve our right to charge a nominal amount (which the law prescribes) in some circumstances.
We also have an obligation to ensure that the information which we hold about you is accurate and up to date. You have the right to ensure that any inaccuracies in your personal data are corrected or removed. In order to assist us in ensuring that the information which we hold about you is accurate and up to date, please ensure that we are notified of any changes in your personal details (such as a change of email address) by contacting us at The Children’s e-Hospital, PO Box 748, Wetherby, LS22 9FS or at email@example.com.
Our data protection officer is Dr Tim Ubhi who will deal with any concerns you may have. If after raising your concern with us, you remain dissatisfied with the response then you have the right to raise a complaint with the Information Commissioner’s Office which is the organisation responsible for promoting and enforcing data protection compliance.
Changes to this policy
We reserve the right to amend this policy at any time and as we see fit and you are advised to check it regularly for any changes.