Privacy Notice (United Kingdom and Ireland)

Purpose and Scope

This Privacy Notice applies to medical professionals enquiring about or purchasing our CardioSTAT service, patients, employees (present, past and prospective), suppliers or contractors who provide goods or services to us and other business contacts.

This Privacy Notice sets out how Icentia (the Data Controller) collects and uses your personal data. When we refer to “we”, “us”, “our” or “controller” in this Privacy Notice we mean Icentia.

Please note that in the case of patients we act as data processor on behalf of the doctor, clinic, hospital, or NHS Trust that has made the decision for your heart to be monitored. They are the data controller of your personal data.

Our Privacy Notice is structured in a way for you to easily find the specific details of what we do with your personal data, depending on which processing activity you want to find out more about.

Part 1 of our Privacy Notice is information we must tell everyone regardless of your relationship with us. The remaining parts give specific information on how we use your personal data for each of the different processing activities we undertake.

General Information

Our contact details

You can contact us regarding the use of your personal data via one of the following ways:

  • Postal Address: Icentia Limited, Partnership House, Monks Cross Drive, Huntington, York, YO32 9GZ

  • Telephone: 0800 124 4864 (in the UK), 01 697 1821 (in Ireland)

  • Email: privacy@icentia.com

Our Data Protection Officer contact details

Although we do not have a legal obligation under GDPR to appoint a Data Protection Officer, a member of our team oversees our compliance with the General Data Protection Regulation, the Data Protection Act 2018 and other relevant privacy laws (e.g. the Privacy and Electronic Communications Regulations 2003). The various ways you can contact us to discuss any data protection issues or concerns are shown in the “Our contact details” section.

How we get your personal data

We obtain your personal data either directly from you or indirectly from third parties.

Directly

We obtain personal data directly from you, i.e. you have given your details to us, when you:

  • enquire about our service and CardioSTAT recorder;

  • purchase our service and product;

  • contact our support line when you have been given our CardioSTAT recorder to wear.

Indirectly

We obtain your personal data from third-party sources, i.e. someone else gives us your data. These are:

  • Doctors

  • Hospitals

  • Medical clinics

The legal basis to process your personal data

When gathering and using your personal data we must have a legal basis to do so – this is a requirement of data protection law.

The legal basis we rely on to process your personal data varies depending on the processing activity undertaken. The full details of the processing activities we undertake along with the legal basis we rely on to process your personal data are given in the specific Parts of this Privacy Notice.

Where we process your personal data in order to comply with a legal or regulatory requirement, we rely on the legal basis of “legal obligation”, as the processing is necessary for us to fulfil a legal obligation to which we are subject.

Your rights

Depending on the purpose and legal basis we rely on for processing your personal data, there are various rights available to you. You can:

  • access the personal data we keep about you and be given specific information about the processing. This right always applies regardless of the processing activity we undertake.

  • ask us to rectify personal data we hold about you that you think is inaccurate. This right always applies regardless of the processing activity we undertake.

  • ask us to delete your personal data. This right only applies in specific circumstances.

  • ask us to restrict the processing of your personal data. This right only applies in specific circumstances.

  • object to the processing where we rely on legitimate interests to undertake that processing activity. Where the processing is for direct marketing purposes this right is absolute and we will stop that processing when you object.

  • have your personal data transferred from us to another service provider, or given to you, in a structured, commonly used and machine-readable format (data portability). This right only applies to personal data you have given to us, where the processing is based on your consent or on a contract, and where the processing is carried out by automated means.

To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website.

You do not pay a fee to us to exercise any of your rights. However, if your request is manifestly unfounded or excessive, we may either charge a reasonable fee or refuse the request.

We shall respond to a valid request within one month of receiving it. Where a request is complex, or you have made several requests, this period may be extended by up to two further months; if so, we will tell you within the first month and explain why.

If you wish to exercise one of your rights, please contact us via one of the methods shown in the “Our contact details” section.

How to make a complaint about us to the Information Commissioner’s Office

If you are not happy with how we are processing your personal data, or you believe we have not dealt with one of your rights correctly, you are entitled to make a complaint to the Information Commissioner’s Office (ICO). The ICO has several ways in which you can get in touch with them, including post, email and online forms. For full details of how to make a complaint please refer to their website.

Sharing your information

We do not share, sell or rent your personal data to third parties for them to use for their own marketing purposes.

When we use a data processor to process personal data on our behalf (this means that we use another business to undertake a particular processing activity), we ensure we have appropriate GDPR compliant contracts in place with each one. The data processor is not allowed to do anything with your personal data other than what we have instructed them to do with it. They will not share your personal data with an organization apart from us unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.

Our data processors include:

  • IT system providers, including cloud based storage;

  • IT servicing and maintenance providers;

  • Website host providers;

  • Email host providers;

  • CRM & customer support database provider;

  • Accountant;

Transferring personal data outside of the UK and EU

Sometimes it is not possible for us to store or process your personal data wholly in the UK or EU. When your personal data does need to be transferred to be processed or stored outside of the UK or EU, we make sure we comply with the specific requirements set out in GDPR (and the UK GDPR) for doing so. We will only transfer personal data outside of the UK or EU when one of the following provisions is in place to safeguard your personal data:

  • An adequacy decision is in place for the country to which the personal data is being transferred. This means that the European Commission (for transfers from the EU) or the UK Government (for transfers from the UK) has recognised that country as providing a level of protection for personal data essentially equivalent to that in the EU or UK.

  • Standard data protection clauses, codes of conduct, certification mechanisms, or contractual clauses that have been adopted or approved by the European Commission or the UK regulator (the ICO) are in place.

If we are unable to rely on any of the above provisions, we will seek your explicit consent to make the transfer of personal data, unless another exception under GDPR applies to allow us to process your personal data.

Children’s information

We may sometimes collect and process personal data relating to children.

Cookies

We use cookies on our website. Our Cookie Policy sets out the details of the types of cookies we use and why.

Links to other websites

Our website may provide links to websites of other organizations. Our Privacy Notice does not cover how those organizations process your personal data when you visit their website. We advise you to read their Privacy Notices.

Changes to our Privacy Notice

We keep our Privacy Notice under review to ensure it remains accurate and up to date and we reserve the right to modify this policy at any time. Changes to this policy will be posted on our website and you should endeavor to review the policy frequently.

If you have any questions about our Privacy Notice, please contact us via one of the ways shown in the “Our contact details” section.

If you are a medical professional enquiring about or purchasing our CardioSTAT service

What personal data do we need?

We will need to obtain the following personal data when you make an enquiry or purchase our CardioSTAT service:

  • Full name

  • Organization

  • Postal address

  • Email address

  • Telephone numbers (landline and/or mobile)

How do we get your personal data?

We gather your personal data directly from you when you either enquire about our CardioSTAT service or enter into a contract with us to purchase our CardioSTAT service.

Why do we need your personal data and which legal basis do we rely on for the processing?

We use your personal data to:

  • provide information, at your request, on the CardioSTAT service we offer;

  • send the CardioSTAT recorders to your nominated delivery address;

  • provide you with any necessary information and updates regarding the CardioSTAT service you have purchased during the life of the contract; and

  • send you marketing information relating to our services in general and the work we do.

The legal bases we rely on for these purposes are:

Contractual obligation (GDPR Article 6(1)(b))

When you enquire about our CardioSTAT service it is with a view to possibly entering into a contract with us. When you purchase our CardioSTAT service you are entering into a contract with us.

We require certain information from you to enable us to fulfil our contractual obligation. If you are not able to provide all the information we need, we may not be able to provide you with the CardioSTAT service you have purchased and the arrangement may be terminated.

Legitimate interests (GDPR Article 6(1)(f))

GDPR allows us to use legitimate interests for direct marketing purposes in certain circumstances. We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who either enquires about our products with a view to purchasing them, or has purchased our products to receive information about the products and services we offer.

This also complies with e-privacy law, currently the Privacy and Electronic Communications Regulations 2003, which governs how a business may undertake electronic direct marketing. We can rely on the “soft opt-in” for “individual subscribers” when sending email marketing to prospective and existing customers. We do not need consent or the soft opt-in for “corporate subscribers”.

We always give you the opportunity to object to receiving marketing communications from us when we first collect your personal data and with every marketing communication thereafter.

Who do we share your personal data with?

Your personal data is used by our internal employees and contract staff for the purposes set out in “Why do we need your personal data”. Apart from the data processors listed below, who act only on our instructions, we do not share your data with any other organization.

How long do we keep your personal data?

We keep purchase invoicing data for a period of six years from the date you make a purchase from us.

Marketing contact details are held for as long as you want to remain on our marketing contact list.

Do we use any data processors?

Yes, we use the following data processors to deliver our service to you:

  • IT system providers, including cloud based storage;

  • IT servicing and maintenance providers;

  • Website host providers;

  • Email host providers;

  • Accountant;

  • CRM & customer support database provider;

If you are a patient who is using one of our recorders

What personal data do we need?

Although no patient identifying data is held on the ECG recorder we will hold some personal data about you, depending on whether the hospital has opted to share certain patient data with us for us to undertake certain processing activities. The personal data we may hold about you includes:

  • Patient Name (first name, last name, middle name, prefix, suffix)

  • Email

  • Address

  • Mobile Phone Number

  • Gender

  • Date of Birth

  • Patient Identifiers (e.g. MRN)

  • Current Cardiac Medication

  • Medical History related to Cardiac Diagnosis

  • Pacemaker information

  • Reason for prescription of CardioSTAT

  • Physician information

  • Patient Event documentation

How do we get your personal data?

We obtain your personal data from the doctor or hospital who has referred you for heart monitoring by wearing a portable ECG recorder.

Why we need your personal data and the legal basis we rely on for the processing

We use your personal data to:

  • safely identify you, the patient, in the context of performing clinical data analysis;

  • perform clinical data analysis of the information captured on the ECG recorder;

  • produce a report about the outcome of your ECG monitoring and provide this to the healthcare practitioner (e.g. doctor, consultant) who has referred you.

We may also use patient electrophysiological data, patient demographics or other patient data on an anonymous basis for the following purposes:

  • To improve the quality, efficacy and performance of our products;

  • To evaluate or demonstrate the quality, efficacy and performance of our products;

  • To perform research and statistical studies on our products.

NHS National Data Opt-Out

Data is recorded whenever a patient, i.e. yourself, has contact or interaction with the health and care system. The NHS National Data Opt-Out only applies to confidential patient information (CPI), which is data that includes both:

  • information that identifies or could be used to identify the patient

  • information about their health, care or treatment

The national data opt-out does not apply to information that is anonymized in line with the Information Commissioner’s Office (ICO) Code of Practice (CoP) on Anonymization or is aggregate or count type data.

Icentia only uses patient data for the additional purposes set out above when it is fully anonymized, meaning that you cannot be identified from the data. The anonymized data is only used for analytical purposes.

The legal basis for this processing:

We provide this service as a data processor to the doctor, clinic, hospital, or NHS Trust that has made the decision for your heart to be monitored. They are the data controller of your personal data and they have determined the legal basis to undertake this activity.

We, as the data processor, act under strict instruction from the data controller to undertake this work on their behalf. We, therefore, do not need to identify a lawful basis to undertake this work as it has already been determined by the data controller.

If you wish to know more about the legal basis, you must contact the doctor, clinic, hospital or NHS Trust that has referred you.

Who do we share your personal data with?

Your personal data is used by our internal employees and contract staff for the purposes set out in “Why we need your personal data”.

We will share the results and analysis of your ECG heart monitoring with your referring doctor/hospital.

How long do we keep your personal data?

We keep your data for as long as is specified in the contract we have with the doctor, clinic, hospital or NHS Trust that has purchased our CardioSTAT service.

We sometimes keep fully anonymized data (meaning we can no longer identify an individual from the data we hold) for the purposes of enhancing the performance of the analysis software and providing a better standard of care to patients.

Do we use any data processors?

Yes, we use the following data processors to deliver our service to you:

  • IT system providers, including cloud based storage;

  • CRM & customer support database provider;

Your rights

As set out in Part 1 of this Privacy Notice you have various rights in relation to the personal data we process about you.

However, you need to be aware that as we undertake the ECG recording and analysis work on behalf of the doctor, clinic, hospital or NHS Trust (we are their data processor for this work), you should contact your healthcare professional in the first instance if you wish to access your personal data. If we receive requests directly from you, we are contractually bound to notify and pass these requests to your healthcare professional, who will take the lead in dealing with them. We will, of course, support and work with your healthcare professional to help them process any such requests you make.

If you are a supplier or contractor who provides goods or services to us

What personal data do we need?

For us to pay you for the goods you have provided to us or the service you have undertaken for us, we need to collect and use a small amount of information about you and your business. This is also likely to include some information about the individuals who work at your business. The information we are likely to need is:

  • Your business name;

  • The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members details);

  • Business postal address;

  • Business email address;

  • Business telephone number;

  • Business mobile number;

  • Bank details to enable payment to be made;

How do we get your personal data?

We obtain your data directly when we start to use your services or when we have purchased goods from you. We gather the relevant information from you to enable us to process payment to you for those services and goods.

We also obtain some data, such as your business name and contact details, indirectly from publicly available sources or recommendations from third parties, to enable us to contact you to enquire about the services and goods you provide prior to making a purchase.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to either enquire about the services or goods you provide that we may be interested in purchasing or to make a purchase. We then use your personal data to pay for those goods and services when you invoice us or to raise any queries about the payment.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))

The services or goods you have provided to us are done so under contract or with a view to entering into a contract (i.e. we have asked you for a quote for the goods or to undertake the service for us).

We require certain information from you to enable us to fulfil our part of the precontractual and contractual obligations, e.g. we need to have certain information to make the purchase and to process payment. If you are not able to provide all the necessary information for us to do this, we will not be able to purchase the goods or services you provide or be able to make payment once purchased.

Legal obligation (GDPR Article 6(1)(c))

We have a legal obligation to pay for any services or goods we have purchased.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes set out in “Why we need your personal data”.

Our Accountant will see personal data relating to suppliers and any payments we make.

How long do we keep your personal data?

We keep all financial data (which includes supplier information) for six years from end of the financial year it relates to.

Do we use any data processors?

We do not use any data processors.

If you apply for a job with us

What personal data do we need?

When you apply for a job with us you will need to provide some or all of the following information as part of the job application and recruitment process:

  • Full name

  • Postal address

  • Telephone number

  • Mobile number

  • Email address

  • Date of birth

  • Equal opportunities information (which includes age, disability, gender, religion, sexual orientation, ethnic group, relationship status, caring responsibility) (voluntary)

  • Education history

  • Qualifications

  • Employment history

  • Health or medical condition, if relevant to the role applied for

  • Criminal convictions information

  • Whether you hold a UK work permit

  • Whether you hold a valid driving license and have appropriate vehicle insurance (if driving forms part of your role)

  • References

Some of this information is classed as “special category personal data”.

The stage of the recruitment process you reach determines which of this personal data you will need to provide.

How do we get your personal data?

We collect information directly from you when you submit your application form or your CV to us for a job you are applying for.

We may also collect your information from recruitment agencies who put forward your name for one of our recruitment campaigns.

We will also collect information about you from third parties including former employers, professional bodies, regulatory authorities or other background check agencies as you progress along the recruitment process.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to be able to process your application for a job with us, which includes, but is not limited to:

  • assessing your suitability for the role applied for;

  • making a decision on whether your application progresses to the next stage of the recruitment process (sifting and shortlisting);

  • inviting you to interview or tests;

  • making a decision on whether or not to appoint you to the role applied for;

  • obtaining further information in order to carry out pre-employment checks if we make a conditional offer of employment to you;

  • gathering of information for equal opportunities monitoring; and

  • gathering of information for criminal conviction checks.

The legal bases we rely on to undertake our recruitment activities include:

Contractual obligation (GDPR Article 6(1)(b))

The processing of your job application is necessary in order for us to take steps at your request before entering into a possible employment contract with us.

We require certain information from you to enable us to fulfil our employment precontractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to process your application and consider you for one of our job vacancies.

Legal obligation (GDPR Article 6(1)(c))

We have certain obligations under employment law in relation to recruitment and selection and equal opportunities that we must comply with.

Processing for employment law (GDPR Article 9(2)(b))

Information you provide to us that relates to special category personal data, such as health, religious or ethnic information is necessary for our recruitment and selection purposes as it relates to our obligations in employment law.

Processing to assess working capacity (GDPR Article 9(2)(h))

We have certain obligations to assess your health in relation to your ability to work for us.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes set out in “Why do we need your personal data”.

Do we use any data processors?

Yes, we use the following data processors:

  • Recruitment Agencies

How long do we keep your personal data?

All speculative applicants’ details are kept for 12 months from receipt of the candidate details.

All unsuccessful candidate details are kept for 6 months from the end of the recruitment process they relate to.

Successful candidate details are transferred to their employment record and kept for 6 years after employment ends.