This policy explains how we use your personal data from the point of view of patients and clinicians. We want to help you understand how we work with your data, so that you can make informed choices and be in control of your information. We invite you to spend a few moments understanding this policy. We may update this policy from time to time but the latest version will always be available here. By continuing to use our products and services after the changes have been made and we have notified you of them, the way we use your personal data will be subject to the terms of the updated policy.
This policy explains how we use your personal data for our healthcare services and products, including, amongst others, our surgery planning software (Innersight3D).
This policy covers:
- Who we are;
- What personal data we hold and how we get it;
- What we use your personal data for;
- Sharing your personal data;
- Data security and transfers;
- Your rights.
If you have any further questions about how we process your information, please don't hesitate to get in touch by contacting our Data Protection Officer at email@example.com.
1. Who we are
2. What personal data we hold and how we get it
Patient personal and medical details
When your healthcare provider commissions us to assist with planning your operation, an anonymised copy of your surgery planning medical scan is shared with Innersight alongside your unique hospital number. This hospital number is not related to the state of your clinical health and is thus not patient confidential data. However, it is patient identifiable data and is thus treated with the utmost care, security and protection. This number is required to allow your clinician to correctly and uniquely identify your case.
Clinician personal details
When you register with us, you complete forms and provide us with basic information about yourself, such as your name, email address and telephone number (optional). You are responsible for the accuracy of the information that you provide to us. To monitor our service quality, we may retain records of when you contact our support teams via email. Please refer to the ‘Retention Periods’ section of this policy.
None for patients or clinicians.
Technical information and analytics
When you use our website, we may automatically collect the following information where this is permitted by your device or browser settings:
- technical information, including your login information, system and operating system platform type and version, device model, browser or app version, time zone setting, and
- information about your visit (such as when you first used the website and when you last used it, and the total number of sessions you have had), including products and services you viewed or used, interaction information (such as button presses or the times and frequency of your interactions with the communications we deliver to you).
We work with partners who provide us with analytics and advertising services (for our services only and not for third party advertising). This includes helping us understand how users interact with our services, providing our advertisements on the internet, and measuring performance of our services and our adverts. Cookies and similar technologies may be used to collect this information, such as your interactions with our services. You can prevent the setting of cookies by adjusting the settings on your browser or your mobile phone.
3. What we use your personal data for
Providing you a service
- We obtain and use your personal details in order to establish and deliver our contract with you and/or your healthcare provider.
- We obtain and use your medical information because this is necessary for medical purposes, including the provision and assistance of healthcare or treatment.
Keeping you up to date
- We will not initiate contact with patients. We will of course respond to any requests for information from a patient. General enquiries are invited from the public, but case specific questions should be submitted through the clinician to ensure fidelity of the request.
- Clinicians: We use your email address and/or phone number to contact you or present you with occasional updates based on our legitimate interest in marketing our services to you and subject to your right to opt out at any time.
- Based on our legitimate interest in managing and planning our business, we may analyse data about your use of our products and services to troubleshoot bugs within our website, forecast demand of service and to understand other trends in use, including which features users use the most and find most helpful, and what features users require from us. This does not involve making any decisions about you that would have a significant legal effect on you – it is only about improving our website so that we can deliver better services to you. Strict confidentiality and data security provisions will apply at all times.
- Where necessary for safety, regulatory and/or compliance purposes, we may audit your interactions with our services. Strict confidentiality and data security provisions will apply at all times to any such audit and access.
4. Sharing your personal data with others
We will, where necessary for your treatment or care, share your information with your other health and social care providers if explicitly approved by your clinician. For example, your surgeon may wish to get a second opinion from an expert outside of your healthcare provider organisation. Such a request from your surgeon must be made in writing either by letter or email.
We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of our services or the physical safety of any person.
Except as described above, we will never share your personal information with any other party without your consent.
5. Retention periods
| Category | Whose information? | Retention period |
|---|---|---|
| Account information | Controller staff (clinicians / IT) | 1 year post account closure |
| Medical images & analysis | Patients undergoing surgery | 7 years |
| Support tickets | Controller staff | 1 year post account closure |
6. Data storage, security and transfers
Where you have chosen a password that enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
We do not store any credit or debit card information.
Your data is processed and stored in servers within the UK in accordance with data protection law and subject to strict safeguards. We work with third parties who help deliver our services to you and we select those servers to be located within the UK. For further information on the safeguards we take to keep your data within the UK, contact firstname.lastname@example.org.
7. Your rights
You also have specific rights under the GDPR and DPA to:
- wherever we process data based on your consent, withdraw that consent at any time by contacting us;
- understand and request a copy of information we hold about you, subject to our retention periods;
- ask us to rectify or erase information we hold about you, subject to limitations relating to our obligation to store medical records for medical treatment and regulatory transparency for prescribed periods of time;
- ask us to restrict our processing of your personal data or object to our processing; and
- ask for your data to be provided on a portable basis.
You may also contact the Information Commissioner’s Office (the data protection regulator in the UK): Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113 (local rate).