Summary of changes
21 Apr, 2017: This revision clarifies the role of Data Controller.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
"System": means hardware and software made available as a service by my mhealth Limited, usually through a network connection. The system holds and operates your personal data.
"Cookie": a small piece of data that may be stored on your device when you use our system.
"IP address": a locally or globally unique address given to every device connected to a network.
"Data controller": a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
"Data processor": means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
"Approved researchers": In the UK, this means NIHR approved or CRN research portfolio research.
Who controls and processes data on your behalf
For the purpose of the Data Protection Act 1998 ("the Act"), depending on the contractual agreement under which you obtained access to the system, the data controller for your personal data will be either:
a) a healthcare organisation to whose care you were referred or that you interact with.
b) The health systems manufacturer "my mhealth Limited" ("We"), a company registered in England with company registration number 07881370 and having its registered address at Suite 5, 17 Holdenhurst Road, Bournemouth, BH8 8EW. We are registered as data controller at the Information Commissioner's Office under registration reference ZA151364.
If you obtained access to our system directly from us, then we are the data controller. If you obtained access to our system through other means under a contractual agreement between us and a customer of our company, then the agreement will specify who is the data controller. You can contact your healthcare provider to learn who is the data controller for your data.
Data we may collect from you
We may collect and process the following data about you:
Any data that you input in the system, for example your personal details, your clinical history and contact details of the healthcare professionals that are responsible for your care.
Data collected from devices that you decide to use with our system, for example the data provided by sensors like location and acceleration, by applications like web browsers, your device's IP address and the time and duration of your activity.
Details of your activity using our system, for example the time spent in each resource and the resources that you access.
If you contact us, we may keep a record of that correspondence.
Where we store your personal data
All data that you provide to us or that your clinicians provide to us will be stored and operated in infrastructure that is subject to regular security testing and regular security monitoring.
The transmission of data from end point to end point shall be encrypted. We shall use strict procedures and security features to try to prevent unauthorised access.
Uses made of the data
Our system is intended primarily for you to be able to self-manage independently. Our system can also help facilitate the care provided to you by healthcare professionals. If they have your permission, the data provided by you, and stored on the system, may be available to any of these healthcare professionals. For example, they may want to review your symptoms, progress through a course, or blood pressure over time to help inform their decisions about your care.
Subject to contractual agreements with our customers and subject to your permission, we may sometimes use data you provide with approved researchers for the purposes of your possible participation in clinical trials, if this is allowed by law and meets the strict rules that are in place to protect your privacy. You can at any time include or remove yourself from this register by editing your preferences in the system.
Additionally, we may use the data:
- to contact you to carry out our obligations arising from any contracts entered into between you and us.
- to notify you about changes to our service.
Disclosure of your data
Subject to contractual agreements with our customers and subject to your permission, we may disclose your data:
- to healthcare professionals whose details you added to your account in the system.
- to our customers in a fully anonymised form (so it is impossible for anyone to identify you).
- to third parties to protect the security of the data or the personal safety and welfare of users of the system.
- to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation.
The Act gives you the right to access data held about you. Your right of access can be exercised in accordance with the Act. Any access request involving manual service may be subject to a fee of £10 to meet our costs in providing you with details of the data we hold about you.
You also have the right to request the deletion of all of the data we hold about you. If you do so, you are aware that important data that may be needed by the clinicians to make important decisions about your health care might be unavailable. We are not responsible for the outcome of you requesting to have your data removed from the system.