Summary of changes
21 Oct, 2022: NHS login specific conditions added due to the rolling out of NHS login authentication in my mhealth
For the purposes of the relevant Data Protection Laws, my mhealth act as a Data Controller. We are therefore responsible for any information we receive through the use of our apps, and for determining how and why it is processed.
We provide our services to others, such as healthcare organisations. At times we may be processing your information on their behalf, as their Data Processor. This will mean that we will be processing your information subject to their lawful basis and/or for our own legitimate interests.
By signing up to use our app(s), you are entering into a contractual agreement with us, allowing us to collect and use your data, as outlined within this policy.
We will collect
- Any information given to us by you. This will include your name, address, email and NHS number. We need your NHS number to check that it is you, and for your unique user identifier
- Information from your device where you install or access our service(s). This will depend on the device permissions that you have granted. This can include connection and location information, such as your IP address, to allow us to efficiently balance service access loads to provide the fastest application response for you, and your geolocation, to provide you with the most accurate local weather forecasts, pollution, and pollen levels
- Your activity when using our service(s), to understand what you find most useful and to review your progress through the educational material and courses available within the app(s)
- Information given to us about you by those working with you to manage your condition(s). This can include information from healthcare professionals and from approved linked healthcare devices, such as glucometers, blood pressure machines and smart halers
We will use your data;
1. To provide you with the service
- To create, register and manage your user account, and to ensure your information is accurate and up to date
- To enable users to work together in a safe and secure environment
- To inform you of any changes, modifications, and updates to the service(s)
- To review, investigate and address issues that may affect your use of our service
- We will use your data to review and assess the quality of our service(s)
- To provide you with a responsive service, and to support you, when you contact us
- For our own internal operations. This could include troubleshooting, fraud detection and resolution, data quality checks, functional testing, security, audit, and statistical analysis to ensure that our app(s)/service(s) continues to satisfy the needs of our users
- To contact you, to make you aware of any service evaluation(s), studies, or research trials that may be of interest to you. You will only be contacted where the above are relevant to your condition(s).
- We will disclose information where it has been requested as part of a reasonable regulatory requirement or in response to a legal request.
Sharing of your data
Your information is used to support you to improve your self-management and for you, and us, to learn more about your condition(s). To do this, we will need to share some information with other parties, such as;
- Data storage and back up provider(s), to record the information that is input to your account
- Push notification software providers for medication reminders and to receive updates from your healthcare team
- Your healthcare team(s), for them to support you, and to evaluate our service(s).
- Research team(s), where you have expressed an interest to receive further information about a service evaluation, study, or research trial opportunity. Your information will be shared to allow them to contact you.
- SMS and email messaging services for communicating to/with you, information relevant to your condition(s)
How do we keep your information secure?
You access your information via secure password credentials, set by you. Information kept by us is stored within Amazon Web Solutions, a cloud-based service, situated in their London region, and is encrypted both at rest and in transit.
We have strict procedures and security measures to prevent, as much as reasonably possible, unauthorised access to, or disclosure of, your information. We cannot guarantee the security of any information you transmit to us, such as emails containing information about you.
How long will we store your information?
We will keep your information for up to 20 years from your last interaction within the platform, or until you request that your data be deleted. If we delete your data, it can take up to 6 months to remove it from our back up facility, simply due to the way that they operate, and in some cases it may remain on our back up facility for legal and regulatory purposes.
Following the confirmed death of a user, their data will be removed after a period of 10 years, again in line with medical guidelines.
What rights do you have regarding your information?
We are committed to complying with your rights to your information and will deal with any requests, outlined below, without undue delay and in line with regulatory timeframes. By law you have a number of rights that apply in certain circumstances. These include the right to
- Object to processing
This means you may not want your information used in some ways
- Restrict processing
This means we can no longer use your information, but we will store it and maintain your place on our data set of users whose information we hold but cannot use moving forward
- Be informed
You should have clear, accessible and transparent information provided to you so you understand how we work, protect and use your information
- Have access to your information
This enables you to check we are using your data correctly and is done by contacting us directly or your healthcare team.
- Data rectification
If you see incorrect or incomplete information, you can ask to have that corrected.
- Be erased
This means you can be "forgotten". It is important to know; this is not a general statement and is subject to some conditions, but the right means you could have all the information we hold on you deleted where there is no compelling reason for us to keep using it
- Move your data
This is referred to as portability. Your data should be provided for you in a way that is accessible and provides you with the option of reusing the data in other situations, as you own your data
You have the right to lodge a complaint, and we will respect this and deal with it in a timely fashion in line with UK regulations.
- Withdraw consent
This means you remove the right for us to use your data. You may do this at any point and without providing a reason for doing so. Removing your consent though means you will no longer be able to use our services.
Contact Us
If you have further questions, you can contact us at the address:
60 Chiswell Street
Telephone (+44) 01202 299 583
Our Data Protection Officer is Adam Kirk, at the above details and email@example.com
If you would rather deal with an independent group or feel we have not satisfactorily dealt with your enquiry, you can contact the ICO by email firstname.lastname@example.org OR phone 0303 123 1113.
Full details of the data protection regulation can be found at www.gov.uk/data-protection.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.