PATIENT ACCESS is provided by Egton Medical Information Systems Limited ("we" or "EMIS"), a company registered in England with company number 2117205 with a registered office address of Rawdon House, Green Lane, Yeadon, Leeds, LS19 7BY (acting via its subcontractor and affiliate Patient Platform Limited (co. no. 10004395) and of the same address (“Patient”) and references below to we or EMIS will include, where relevant, references to Patient).
We are committed to protecting and respecting your privacy.
SCOPE OF THIS PRIVACY NOTICE
- the PATIENT ACCESS mobile application software (the "App") (available on a number of different App marketplaces (the "App Sites")), once you have downloaded or streamed a copy of the App onto your mobile telephone or other handheld device ("Device"); and
- the PATIENT ACCESS Service (the "Service") accessible through the App or through our website at https://www.patientaccess.com/ (the "Site").
This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. ‘Processing’ for the purposes of this notice covers a very broad range of activities, including using, transferring, storing and even deleting data.
Please read the following terms carefully to understand our views and practices regarding your personal data and how we will treat it.
For the avoidance of doubt:
- You may use the Service in order to, amongst other things, access elements of your medical record. Your GP practice has responsibility for, and control over, access to your medical record and we will act in accordance with their instructions and as such your medical record does not form part of, and is not subject to, the terms of this privacy notice. You should contact your GP practice if you should have any questions regarding access to, the use of, or the contents of, your medical record.
If you register for the Service online then you will not be able to access all aspects of the Service (via the Site or the App) unless or until you contact your GP Practice in order to confirm your identity.
Please note in relation to any health information which you wish to add to your medical record or pass to your GP via the Service then this information will be passed securely to the GP practice. Your GP is responsible for this medical data and we can only act in relation to it in accordance with their instructions.
PERSONAL DATA WE MAY COLLECT IN RELATION TO YOU
We may collect, and process, the following types of personal data about you:
- You may give us information about yourself (“Submitted Information”) by a number of different routes, including:
- information you provide when you download or register an App, subscribe to the Service or Site, and when you report a problem with an App, or the Service, or the Site. The information you give us may include your name, date of birth, NHS number, e-mail address and phone number, the Device's phone number, username, password and other registration information (and if registering for the Service online, your gender, house number and postcode);
- information you provide when using the Service (the Site and/or the App);
- if you contact us, we may keep a record of that correspondence;
- information provided when submitting or updating a request for support or contacting our support teams;
- details of your marketing and communications preferences you provide (in relation to receiving marketing from us and our third parties and your communication preferences) when you register with the service or otherwise when you request marketing to be sent to you;
- information collected as a result of any monitoring which may take place. We may monitor (which may include recording) certain interactions between us in order to comply with any legal obligations, to detect fraud or criminal activity as well as for training purposes; and/or
- health and wellbeing information you provide which you have extracted from third party health applications on your Device and any connected devices (collectively, the "Health & Fitness Data"). For the avoidance of doubt there is a clear distinction between Health & Fitness Data as provided for by this privacy notice (which includes information such as blood pressure or fitness information extracted from wearable devices) and the data which comprises your medical record (which is outside of the scope of this privacy notice).
- Information we collect about you and your Device. Each time you visit the Site or use the App we may automatically collect the following information:
- technical information, including the type of mobile device you use, a unique device identifier, mobile network information, your mobile operating system, and time zone setting ("Device Information");
- health information stored on your Device which you have explicitly consented to sharing, and the provenance of that data including the device used to collect that data, time, date ("Content Information"); and
- details of your use of the App or your visits to the Site and the resources that you access ("Log Information").
As noted in the EULA, if you are under the age of 16 then your use of the Service will be dependent on your GP Practice authorising such use and will be subject to any additional requirements or conditions which they may choose to place on such use (for example, they may require you to provide them with permission from a parent or guardian).
You will only be able to register with the App or the Site if we have been provided with evidence from your GP that you have been assessed by the practice as competent for online services and that a corresponding “competency code” has been recorded by the practice in your patient record.
USES MADE OF THE INFORMATION
We may use personal data we collect about you in the following ways:
- Submitted Information: We will use information which you submit as part of registering to use the App and the Service in order to manage your account, to provide technical support, to contact you (including, via SMS) so as to notify you regarding any important updates relating to the Site, App or the Service, to answer queries you might raise regarding the Site, App or the Service and for our own internal administrative purposes.
- To help us to verify your identity where appropriate by cross-checking the records kept at the relevant GP Practice (to help keep your information secure).
- For marketing purposes: We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising, including the following personal data control mechanisms:
- We may use your identity, contact details and Device Information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (i.e. ‘marketing’).
- You will receive marketing communications from us if you have requested information from us or receive services from us and you have not opted out of receiving that marketing.
- We may ask you to identify areas of particular interest (which may be related to certain conditions) and if you choose to provide those details then we may send you information which we feel may be relevant to those areas of interest or which might otherwise be of interest to you based on the preferences identified.
- We will get your express opt-in consent before we share your personal data with any third party for their marketing purposes.
- You can ask us (or any third parties) to stop sending you marketing messages at any time (see below for further details).
- Health & Fitness Data: We will use any Health & Fitness Data you submit through the App only for the purposes of storing that information and to make it available to you and/or (with your consent) your nominated health professional as you may request from time to time.
- Device Information: We will use this information to help ensure that Patient Access presents the correct version and data for your Device.
- Content Information: health information submitted through the App only for the purposes of storing that information and to make it available to you or (with your consent) your nominated health practitioner as you may request from time to time.
- Log Information: this is stored for security and audit purposes and to ensure that we are able to support your use of Patient Access.
- For security and safety purposes: We will monitor activity in order to help protect our users from security threats and to detect if users are trying to misuse any element of the Site, App or Service or to use them in an unauthorised manner. We may also use your contact information in order to alert you to any relevant security issues or safety concerns of which we are aware.
- To statistically analyse user behaviour and activity: We will monitor user interest and behaviour to help us to understand general usage of the Service, Site and App to help us improve the services we provide. We may also use this information to tailor the view of the Service, Site or App or any communications you receive from us so as to provide you with what we believe to be more relevant information. We may conduct statistical analysis in respect of the Service either ourselves or through an agency acting on our behalf.
We may associate any category of information with any other category of information and will treat the combined information as personal data in accordance with this privacy notice for as long as it is combined.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
BASIS ON WHICH WE PROCESS YOUR PERSONAL DATA
We may rely on a range of legal grounds in accordance with the applicable privacy laws in order to ensure that our use of your personal data is lawful, including:
- Where it is needed to provide you with the Service, such as:
- updating your records, contacting you about the Service (where appropriate);
- sharing your personal data with service providers in order to deliver any element of the Service;
- activities relevant to managing the Service including any enquiries you may make regarding the Service, your application to receive the Service, and the administration and management of accounts;
- Where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
- managing the Service, updating your records, contacting you about the Service (where appropriate);
- performing and/or testing the performance of, our products, services and internal processes;
- following guidance and recommended best practice of government and regulatory bodies;
- managing and auditing our business operations;
- monitoring and keeping records of our communications with you;
- undertaking market research and analysis and developing statistics;
- for direct marketing communication purposes and to help us to offer relevant products and services; and/or
- complying with any relevant legal and/or regulatory obligations;
- to comply with our legal obligations; and/or
- with your (explicit) consent. With the exception of certain direct marketing communications it is unlikely that we will be seeking to rely upon this ground save that by choosing to provide us with Health & Fitness Data (as defined above) then to the extent that such data amounts to ‘special category data’ (as defined in the relevant legislation, being data concerning your health) then you are expressly consenting to our processing that data for the purposes outlined in this privacy notice.
DISCLOSURE OF YOUR INFORMATION
We may disclose your personal data to third parties:
- If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
- To a contractor (including, Patient) appointed by us to deliver elements of the Service on our behalf (and under our control). Any access we might grant to a contractor will be limited to such information as is required for them to deliver the relevant service (and will be subject to a contract which includes appropriate obligations of confidence and compliance with applicable law).
- In order to:
- protect the rights, property or safety of EMIS, our customers, or others (acting at all times in accordance with our obligations under the relevant data protection legislation and the terms of our agreement with your GP Practice).
- In accordance with any instructions we might receive from your GP Practice (in respect of your Health & Fitness Data and in their capacity as a data controller).
- In connection with a potential sale or transfer of part or all of our business. In such circumstances we may share information with prospective purchasers (for example as part of a controlled due diligence exercise).
- If we reorganise our business as we may need to transfer information about you to another member of our group of companies so that we could continue to provide the Service to you.
HOW AND WHERE WE STORE YOUR PERSONAL DATA
We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control.
Personal data which we hold in relation to you will be stored securely at our offices and (where relevant) at the offices of third party agencies, service providers, representatives and agents. We may also hold your personal data in secure data centres located within the European Economic Area (EEA).
All Health & Fitness Data will be encrypted (using industry standard methods) when being transferred from your Device to the relevant data centre. No Health & Fitness Data is stored locally within the App on your Device.
Where we have given you (or where you have chosen) a password that enables you to access certain parts of the Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
We will retain a record of your personal data in accordance with relevant law and the following criteria:
- where we have a reasonable business need to do so, for example, in order to manage our relationship with you;
- where we are providing products and/or services to you and then for as long as someone could bring a claim against us in respect of those products or services; and/or
- in line with any legal and regulatory requirements or guidance in respect of retention periods.
As noted above, we sometimes use other organisations to process your personal data on our behalf, for example, in relation to analysis of the use of the Service. We may use service providers to help us run the Site, App or Service, some of whom may be based outside the EEA. However, it is our responsibility to ensure that if we use any such service provider that we ensure that we have the necessary safeguards in place. We may also independently audit these service providers to ensure that they meet our standards.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted to the Site; any transmission that you make is therefore made at your own risk. However, once we have received your data, we will use strict procedures and security features designed to prevent any unauthorised or unlawful access to the same and all information you provide to us will be stored securely.
You have a number of important legal rights regarding the manner in which personal data relating to you is used. You can find more information about your rights on the Information Commissioner’s Office website – please see https://ico.org.uk/for-the-public/.
We have outlined below the key rights which we believe may be relevant to your use of the Site, App and/or the Service.
If you would like to exercise any of these rights then please contact us using the contact information provided below. Please note that you may be asked to provide us with reasonable proof of your identity so that we can be sure that we are discussing or providing your personal data with, or to, you (or if someone is making a request on your behalf, we need to check that they have the authority to do so).
Access to information
You have the right to access certain information we hold about you so that you can be aware of, and verify the lawfulness of, the processing we undertake.
You can exercise your right of access by making what is generally referred to as a 'subject access request'.
We will review each request which we receive and if we agree that we are obliged to provide personal data to you then we will (subject to certain limited exceptions provided under the relevant law) amongst other things: (i) describe it to you; (ii) tell you why we are holding it; (iii) tell you who it could be disclosed to; and (iv) let you have a copy of it (this may include providing an electronic copy).
Right to have information corrected
If you identify that any personal data that we hold about you is wrong, inaccurate or out of date then you may ask us to correct or update it. Please contact us via the details provided below and we will review each request and respond accordingly.
Right to stop or limit our processing of your personal data
This is also known as the ‘right to be forgotten’. You have the right to require us to stop or to limit any processing we are undertaking in respect of your personal data if we no longer have a valid reason to do so or if we have held it for too long.
This is not an absolute right but every request we receive will be considered carefully and we will respond accordingly (providing grounds for any decision we make).
In addition you also have the right to object where we are processing your personal data for direct marketing purposes by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Right to withdraw consent
You are free to withdraw any consent which you have given to us in relation to our use of your personal data at any time (for example, in relation to any Health & Fitness Data). Please note that not all uses which we make of your personal data require your consent (for example, if we need to use that information in order to provide a service you have requested then we do not need your consent in order to do so). If you choose to withdraw consent in respect of Health & Fitness Data then you will no longer be able to use that functionality in respect of the Service.
Right to complain
If you are unhappy about the way in which we have processed your personal data then you have a right to raise the issue or to lodge a complaint with the Information Commissioner’s Office – as noted above please see https://ico.org.uk/for-the-public/ for further details.
Changes to our privacy notice
We will keep this privacy notice and we may update it from time to time (for example, to reflect changes we might make to our services or to reflect changes in the law or best practice). Any changes we may make to our privacy notice in the future will be posted on this page. We encourage you to visit this page periodically so that you are aware of any changes which have been made. In addition changes may be notified to you by e-mail or when you next start the App or log onto the Site. The new terms may be displayed on-screen and you may be required to read and accept them to continue your use of the Service.
This version of our privacy notice was updated on 12 September 2018.
If you have any comments or concerns regarding our privacy notice, or the manner in which we handle your personal data or if you would like to exercise any of the rights outlined above then please do feel free to contact us by one of the following means:
- By post: FAO Data Protection Officer, Rawdon House, Green Lane, Yeadon, Leeds LS19 7BY
- By email: firstname.lastname@example.org
We will consider your comments and respond accordingly. Please note that if you have a ‘support’ query (for example you are having issues in accessing the service) then please refer to our support site - https://support.patientaccess.com/.