Security & Privacy – Privacy Policy

January 2024

Introduction

Privacy and information governance is the most important aspect of Health Diagnostics’ services.

This Privacy Policy explains how we handle personal information about our users in health and social care organisations, and how we handle personal information about their patients. This notice also contains information applicable to individuals, job candidates, employees, and contractors outside of our contracts with health organisations.

Health Diagnostics operate a specialised digital platform that is used to help manage and administer population health services, with the potential of linking the information across multiple health and social care organisations. Typically, we are data processors based on a data processing agreement with the health and social care organisation (data controller).

This policy applies to our digital services, website and services. We’ve tried to make it easy to read, but if you do find anything unclear, please get in touch.

Who are we?

Our full company name is Health Diagnostics Ltd Limited and our:

  • Registered Office is at Mentor House, 24 Ainsworth St, Blackburn BB1 6AY
  • Operating Office is at Unit C1, The Quadrant, Chester. CH1 4QR
  • Company Registration Number is 04649183
  • ICO Registration Number is Z136831X
  • NHS Data Security and Protection Toolkit Organisation Code is 8HM99
  • You can send any questions about privacy to enquiries[at]healthdiagnostics.co.uk
  • Our Data Protection Officer is Ametros Group Ltd.

You can contact our DPO via email or by phone:
enquiries[at]healthdiagnostics.co.uk
(+44) 01244 669700
Our data protection accountability statement can be downloaded here

What personal identifiable information do we collect about you, and why?

As a health and care professional

Health and social care professionals can operate a Health Diagnostics Cloud Suite account. When you do so, we collect the following information about you, and link it to a unique identifier in our system:

  • Name
  • Email address

Through the use of our Cloud Suite, the following information will be collected from you when required:

  • Affiliated organisation
  • Job role
  • The content of communications with patients when using our digital services
  • Data about the way you have used our digital services, such as the functions you’ve used, and the devices and software you used to connect to our digital services.
  • Contact phone number

We collect this data to provide you with digital services that your organisation has agreed for us to provide to them, as governed by our Terms and Conditions and any contractual relationship we have in place with them. Health Diagnostics’ digital services are a platform used to invite patients into screening and lifestyle programmes and to perform health risk assessments on patients attending such programmes.

We may also use your contact details to tell you about other solutions that we have built for the NHS or social care services that we think your organisation may be interested in, subject to your right to object to direct marketing.

As a patient or individual whose healthcare providers use Health Diagnostics’ digital services

When your health and social care organisation uses our digital services to communicate with you, they provide us with information they hold about you so that we can make sure you receive communications from them. We only ever act on their instructions and in line with a data processing agreement held between your health and social care organisation and Health Diagnostics. You can see how we keep your data safe and how you can restrict or object to its use here.

Depending on the digital services used by your provider, the information we handle on their behalf will vary. At a minimum, when our software is first used in relation to any communication about you, we will safely store and use the following information about you:

  • Name
  • NHS number
  • Date of Birth
  • Gender at birth
  • Full address
  • Telephone number
  • Mobile telephone number
  • Email address
  • Ethnicity

We may also handle the following recent clinical information if available in order to prioritise provider contact with you:

  • Current and past smoking status
  • Recent (within last 6 months) blood pressure results
  • Recent (within last 6 months) results
  • Your height
  • Recent (within last 6 months) weight record
  • Any family history of coronary heart disease in a close relative
  • History of invitation and attendance to health and social care screening and lifestyle programmes

We use this information to enable your health and social care provider to communicate with you, either through SMS and email messages sent on our platform, or for them to call you.

Our purpose is to safely collect, store and transmit the history about communications sent to you, and evidence of any risk assessment conducted on you depending on the nature of the service we provide on behalf of your health and social care organisation. These may include:

  • messages from these health and social care providers (e.g. your GP)
  • communications you have sent back to health and care professionals after they asked you, including survey responses
  • clinical records of health assessments performed by professionals using our digital services

When explicitly instructed and authorised, we use information from clinical records in other systems to which your health and social care provider has access. We do this in order to make those records available to your provider or to other professionals involved in your care.

Acting on behalf of the health and social care providers who care for you, we may also obtain data about you from the following sources:

Health Diagnostics also collects usage data, such as when your health and social care provider opens and closes our software, what product features they use and what computer they are using. This allows us to provide clear audit trails, improve our software and maintain the clinical safety of our products and services. We also use it to monitor the functioning of our digital services and to prevent fraud, cyberattacks and other dishonest behaviour.

Other groups of people who Health Diagnostics process information about

We process contact data for corporate prospects or past corporate clients, including for direct marketing purposes, subject to the right to object and any opt-out exercised.

We process job candidates’ CVs and related data as long as this may be required in relation to the selection process.

We may process individuals’ data as part of user testing studies. Where this applies, a relevant Privacy Notice will be available to determine the nature of the processing and the lawful basis, if different from this privacy notice.

What is the legal basis for processing this data?

Health Diagnostics always acts as a data processor in relation to patients’ data that providers share with Health Diagnostics through the use of its digital services.

Health and social care providers’ lawful basis for processing patient data using Health Diagnostics’ services is expected to be:

  • Article 6(1)(e) – ‘…exercise of official authority…’;

…and for their processing of special category (health) data using Health Diagnostics’ digital services, the conditions are expected to be:

  • 9(2)(h) – ‘…health or social care…’, and/or
  • 9(2)(i) – ‘…public health purposes…’.

For processing special categories (such as ethnicity) data using Health Diagnostics’ services, the conditions are expected to be:

  • 9(2)(h) – ‘…health or social care…’, and
  • 9(2)(b) – ‘…social protection law…’ (for monitoring equality of access)

Anyone using Health Diagnostics’ digital services for purposes beyond those set out above is likely to be misusing the digital services and in breach of the terms and conditions.

Our other legal bases for processing personal data where we are data controllers are to perform our contract to provide a service, when the contract is with you (GDPR Art. 6 (1)(b)), or our legitimate interests, provided they are not overridden by your individual interests, rights and freedoms surrounding data protection (GDPR Art. 6 (1)(f)).

We may on occasion require a person’s consent to process data for a specific activity such as end user testing/feedback studies. Where this is applied, a separate privacy notice will be provided to the individual and the legal basis for processing will be UK GDPR Art. 6 (1)(a) – Consent of the individual.

Do we share this data with third parties?

We use third-party data processors, such as our email, SMS, productivity, design, communications and storage providers. A patient’s information may also be shared with other health care and social care organisations in the context of your exchange of communications with health and social care providers through Health Diagnostics’ digital services. This sharing is strictly limited to the instructions a health and social care provider, the data controller, gives us and will be covered by a data processing agreement.

Health Diagnostics will not transfer your personal data to any country other than those that have been granted an adequacy decision under the General Data Protection Regulation.

We may however share your personal data with third-party organisations who then transfer the data. We shall take all reasonable measures to ensure those third parties are also compliant with data protection law.

We compile anonymised statistics about the use of our platform, such as the use of different features by our users, and attendance to health and social care services. All personal data is removed by aggregating the data to provider level or above. We share these aggregate statistics with third parties. These third parties include:

  • national bodies including NHS Digital, NHS England and relevant government departments;
  • local commissioning bodies such as CCGs and local public health departments;
  • partners of Health Diagnostics in the commercial, charity, and academic sectors.

How long do we retain data for?

As a data processor

Patients’ data is generally kept in line with the Records Management Code of Practice for Health and Social Care 2016. However, we would delete the data earlier than suggested by this code if we are informed that the condition of Article 9(3) GDPR and s. 11(1) Data Protection Act 2018 no longer applies.

As a data controller

We will keep your personal data only for as long as required to achieve the purposes for which it was collected, in line with this privacy notice.
Our usual retention period is the end of the contract plus 6 months.
We may be required to retain your data to comply with regulatory requirements or financial obligations.
We may be required to retain your data by any law we are subject to.
Otherwise, we will retain data until all purposes for which the data was originally gathered have become irrelevant or obsolete or until it has been requested that we no longer process the data and that it is erased.

We process job candidates’ CVs and related data as long as this may be required in relation to the selection process.

When we no longer need your data it is permanently destroyed by electronic means.

Your Rights, Our Responsibility

There are several rights granted to you immediately upon providing us with your personal information; some of these are mentioned above. We’d like you to know that at Health Diagnostics we take your rights seriously and will always conduct ourselves in a way that is considerate of our responsibility to serve your legal rights.

The Right of Access

This grants you the right to confirm whether or not your personal data is being processed, and to be provided with relevant details of what those processing operations are and what personal data of yours is being processed.
If you would like access to the personal data we have about you, we ask that you contact us using the details below.

The Right to Rectification

This one is fairly straightforward; if you notice that the data we have about you is inaccurate or incomplete, you may request that we rectify the mistake. We will make every effort to respond to requests of this type immediately.

The Right to Erasure

Otherwise known as the ‘right to be forgotten’, this gives you the right to request your personal data be deleted.
This is not an absolute right; if you were to request that we erase your personal data, we would erase as much of that data as we could but may have to retain some information if it is necessary.
Where we have received a request for personal data to be erased, if it is necessary for us to retain some of that information we shall ensure that the remaining data is used only when and where it is absolutely necessary. You may also contact us (enquiries[at]healthdiagnostics.co.uk) to request that we delete the data that we hold about you or alternatively complete our subject access request form available here.

The Right to Objection

The right to object is a basic freedom all democracies enjoy. If you wish to object to the way we use, or have used, your personal data you may do so freely.

How to contact us?

If you have questions or concerns about privacy, if you suspect your data has been compromised, or wish to exercise rights you have in relation to personal data we process about you, you can email enquiries[at]healthdiagnostics.co.uk or write to The Compliance Officer, Health Diagnostics Ltd, Suite C1, The Quadrant, Sealand Road, Chester. CH1 4QR.

You may always make further enquiries to, or complain to, the ICO at www.ico.org.uk.

Use of cookies

Our website uses cookies so that we can understand user behaviour and create consistency across multiple visits, for example so you can continue an online support conversation that you were having with us. Please refer to our cookies page for more detail about the use of cookies on this public website, and in our product.

Future updates to this notice

This notice may change periodically and will be published on the Health Diagnostics website.
