Updated August 2nd, 2020
The following definitions shall apply in this Schedule.
Agreed Purpose: means the purpose of providing Intelligent Rehabilitation Therapies to patients via a virtual reality headset.
Data Controller: means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Protection Legislation: the Data Protection Act 2018 (DPA 2018), the General Data Protection Regulation EU 2016/679 ("GDPR") and any national laws or regulations constituting a replacement or successor regime to GDPR or DPA 2018 and all applicable laws and regulations relating to the Processing of the Personal Data and privacy.
Data Subject: means an identified or identifiable natural person about whom Personal Data is processed; an identifiable natural person is one who can be identified, directly or indirectly, by reference to the Personal Data.
Personal Data: means information relating to a Data Subject such as a name, an identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person, including opinions about a Data Subject.
Processing, Processed and Process: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Relevant Occurrence: any of the following:
Any communication from the Information Commissioner's Office (ICO) relating to the Shared Personal Data;
Any complaint, enquiry or other communication from a Data Subject relating to the Shared Personal Data; and
Any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Shared Personal Data.
Shared Personal Data: means such patient information as is necessary to provide the Service, including the patient's NHS Number, demographics such as home address, phone number, emergency contact information, discharge information and background medical records accessed via the EMIS system.
This schedule sets out the framework for the sharing of Personal Data between the parties as Data Controllers. This schedule is in addition to, and does not relieve, remove or replace a Party's obligations under Data Protection Legislation.
Each party acknowledges and agrees that it is a Data Controller in its own right and that it is responsible for, and shall comply with, all applicable requirements of the Data Protection Legislation with respect to its Processing of the Shared Personal Data.
Each party agrees to only process Shared Personal Data for the Agreed Purpose and such other purpose as the Data Subjects may consent to from time to time.
Each party shall ensure that its privacy notices provide sufficient information to the Data Subjects for them to understand which of their Personal Data will be shared for the Agreed Purpose.
Concept Health shall provide Data Subjects with the Privacy Notice set out at Annex A.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall, to the extent that it is processing Shared Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in order to achieve the Agreed Purpose.
If a Relevant Occurrence happens, Concept Health shall promptly notify the Customer and provide full co-operation in relation to any questions raised by the Customer about the Relevant Occurrence.
Each party shall appoint a single point of contact (SPoC) who will work together to reach an agreement with regards to any issues arising from the data sharing and to actively improve the effectiveness of the data sharing initiative. The points of contact for each of the parties are:
8.1. CH – Dr Muhammad Farhan Amin, SRO
Annex A: Concept Health Privacy Notice
Privacy notice for Concept Health Limited
Concept Health Technologies Limited (we or us) is registered in England and Wales under company number 11784534. Our registered office is at [3rd Floor 86 – 90 Paul Street London, EC2A 4NE].
1. What is the purpose of this document?
1.1. We are committed to protecting and respecting your privacy. This privacy notice sets out the basis on which we process any personal data we collect about users of our services and of our website at https://concepthealth.co.uk (our site), or that you provide to us, or that we obtain from you and/or from your healthcare provider in connection with your use of our devices, and how that data will be processed by us.
1.2. This privacy notice applies to: patients who use our monitoring devices; medical professionals involved in the treatment of patients; visitors to our site who do not register as well as those who do; any customers that purchase our goods and/or services from us; and all individual contractors and service providers who provide services to our business (you).
1.3. We are a data controller. This means that we are responsible for deciding how we hold and use personal information about you, and for explaining this clearly to you.
1.4. Please read this privacy notice carefully to understand what we do with your personal information and what rights you have in relation to our activities.
2. What is personal data and our lawful basis for processing?
2.1. Personal data, or personal information, means any information relating to an individual from which that person can be identified. There are special categories of more sensitive personal information which require a higher level of protection (see further at section 4, below).
2.2. We will only use your personal information when the law allows us to. Our principal lawful basis for each type of processing is set out in section 3 below. However, some of our grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
2.3. We may only rely on our legitimate interests (or those of a third party) to process your personal information, if your interests and fundamental rights do not override those interests. Where we rely on legitimate interests for our processing, we have set out the relevant interest, below.
2.4. We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
2.5. Please note that we may process your personal information without your knowledge or consent where this is required or permitted by law.
3. Information we collect from you, about you and how our use complies with the law
3.1. Patients and users of our Device Kits
3.1.1. We collect your name and contact details, including telephone number and email address. We use this to contact you in connection with your treatment. This is necessary to provide the service to you.
3.1.2. We access your medical records, including demographic data, personal medical data from your discharge information and other background information provided to us by your healthcare practitioner relating to your medical condition and related treatment. We use this to monitor your condition and the effectiveness of the Device Kit and to perform predictive analytics. This is necessary for the purpose of your treatment.
3.1.3. We monitor the information collected via the Device Kit. We use this to monitor your condition and the effectiveness of the Device Kit and to perform predictive analytics. If you consent, we also use this information to inform and improve our service. This is necessary for the purpose of your treatment.
3.1.4. We collect the names and contact details of healthcare professionals involved in delivering the service to patients. We use this to contact the healthcare professional and to monitor the patient process. This is necessary for the legitimate interest of providing the service to patients.
3.2. Business Related Contacts
3.2.1. We collect the information you provide when you create an account with us, online or otherwise. We use this to manage your account with us and to provide you with marketing information (if you have agreed to this). Managing your account is necessary to perform the contract with our customers. Marketing is sent with your consent (where applicable) or otherwise for the legitimate interest of promoting our business, provided that you have not asked us to stop sending you marketing.
3.2.2. For customers and prospective customers, we collect the name, job title and business contact information of your individual employees and other representatives. We use this to provide our services to patients, and we add this information to our CRM system to manage our relationship with you and to provide you with marketing information. This information is necessary to enter into and to perform the contract between us and our client. Marketing is sent with your consent (where applicable) or otherwise for the legitimate interest of promoting our business, provided that you have not asked us to stop sending you marketing.
3.2.3. For suppliers and prospective suppliers of services to our business, we collect the name, job title and business contact information of your individual employees and other representatives. We use this to receive your services, and we add this information to our CRM system to manage our relationship with you and to provide you with marketing information. This information is necessary to enter into and to perform the contract between us and our supplier. Marketing is sent with your consent (where applicable) or otherwise for the legitimate interest of promoting our business, provided that you have not asked us to stop sending you marketing.
3.2.4. We use the business contact information provided for individual employees and other representatives of our clients and suppliers (including prospective clients and suppliers) to provide updates and information about our services. We only send direct marketing by email to corporate addresses if the individual has not opted out of receiving marketing from us. Such processing is necessary for the legitimate interest of promoting our business.
3.2.5. We may perform due diligence in the form of credit checks on companies, including checking photographic identification and proof of address of directors and, in some cases, your shareholders, and verifying their identity using publicly available sources, such as Companies House. We do this for the purposes of fraud protection and credit risk reduction and to maintain the reputation of our business. Such processing is necessary for the legitimate interest of protecting our business.
3.3. Information we collect about users of our site
3.3.1. We collect information about your preferences and the types of services you are interested in via the cookies on our website. We use this to improve the services we offer to you and others, and to provide you with information about other products and services which we think may be of interest to you. This is necessary for our legitimate interests to ensure the smooth running of our website. You can disable cookies on your browser.
3.3.2. We collect the background information relating to our past dealings with you to inform and improve our service. This is necessary for the legitimate interest of informing and improving the service we provide to you.
3.3.3. We collect technical information via cookies on our website, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. This is necessary for our legitimate interests to ensure the smooth running of our website and to improve the services we offer to you and others. You can disable cookies on your browser.
3.3.4. We collect information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page. We use this to improve the services we offer to you and others. This is necessary for our legitimate interests to ensure the smooth running of our website. You can disable cookies on your browser.
4. Special Category Data
4.1. Special category data includes: health data, data revealing racial or ethnic origin, genetic data, biometric data, data relating to your religious or philosophical beliefs, your sex life or sexual orientation, your political opinions or trade union membership.
4.2. In addition to our use of medical information for the purposes set out in section 3 above, we may also process special category information:
4.2.1. to ensure meaningful equal opportunity and diversity and inclusion monitoring and reporting;
4.2.2. where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent;
4.2.3. where it is necessary to establish, exercise or defend a legal claim;
4.2.4. where you have manifestly made the information public; or
4.2.5. otherwise with your explicit consent.
5. Sharing your information
5.1. We share your personal information with third party contractors and service providers to the extent necessary to provide our service.
5.2. We share your information with other third parties as follows:
5.2.1. Your GP and other medical professionals involved in your treatment;
5.2.2. our regulators, professional advisors and auditors;
5.2.3. HMRC or other government or law enforcement agencies;
5.2.4. our insurance provider;
5.2.5. if we sell any business or assets, in which case we may disclose your personal information to the prospective buyer of such business or assets;
5.2.6. if we have a legal obligation to do so; and
5.2.7. for the purposes of fraud protection and credit risk reduction.
5.3. If you object to our sharing or continuing to use your personal data with any specific third party please contact us at email@example.com.
5.4. We share your data with third-party service providers, such as our website host server, IT support and maintenance service, cloud storage provider and email exchange server and other businesses that provide certain services on our behalf. All of our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes.
6. If you fail to provide personal information
6.1. You are required to provide the personal information set out in section 3.1 above. If you fail to provide certain information when requested, we will not be able to provide our services to you.
6.2. We want to be sure that the personal information we hold about you is accurate and current. To update the information we hold about you please contact firstname.lastname@example.org.
7. Automated decision-making
7.1. Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
7.2. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
8. Data security
8.1. We have put in place:
8.1.1. Appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
8.1.2. Procedures to deal with any suspected data security breach, and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
8.2. Any personal information that you submit to us will be held on secure servers, based within the UK or the European Economic Area (EEA).
8.3. If we are required to transfer your information outside the UK or the EEA, we have put in place the appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.
8.4. If you are based outside the UK or EEA we may transfer personal information to the correspondence address you provide to us. We will take all reasonable steps to ensure that such transfers are secure. By using our services outside the UK or EEA you acknowledge and agree that such transfers are necessary for us to provide services to you.
9. How long will we keep your personal information for?
9.1. We will only keep your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
9.2. Where a minimum retention period is required by law (such as retaining records for HMRC purposes) we comply with that minimum period plus up to 12 months to allow time for us to anonymise or delete information in accordance with our internal data management processes.
9.3. Emails are kept for up to [5 years] on our email exchange server, after which they are archived and can only be accessed by request through the IT department. They are permanently deleted after a further [5 years].
9.4. Information relating to our contract with customers, including payment data, may be retained for up to 10 years after termination of the contract.
10. Your rights
10.1. You have the following rights:
10.1.1. to be told what we are doing with your personal information. We do this by providing you with this privacy notice;
10.1.2. to correct inaccurate information or update the personal information we hold about you;
10.1.3. to object to the processing of your personal information;
10.1.4. to request a copy of the personal information we hold about you;
10.1.5. to ask us to delete the information that we hold about you where there is no good reason for us continuing to process it;
10.1.6. to ask us to stop processing your personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground;
10.1.7. to ask us to restrict how we use your personal information for a period of time if you claim that it is inaccurate and we want to verify the position or in some limited other circumstances;
10.1.8. to ask us to send your personal information to another organisation in a computer-readable format;
10.1.9. to complain to the Information Commissioner's Office if you are unhappy with our use of your personal data: you can do this at https://ico.org.uk/concerns/. Do contact us straight away if you consider that we are not handling your personal information properly so we can try and sort the problem out.
10.2. If we delete your personal information or restrict our use of it, we will not be able to provide our services to you.
10.3. If you want to exercise any of your rights, please contact email@example.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).