We are committed to ensuring protection of all personal information that we hold, and to provide and to protect all such data. We recognise our obligations in updating and expanding this provision to meet the requirements of GDPR.
In addition, we aim to ensure:
- transparency with regard to the use of data
- that any processing is lawful, fair, transparent and necessary for a specific purpose
- that data is accurate, kept up to date and removed when no longer necessary
- that data is kept safely and securely.
Signum Health (i-navigator) is dedicated to safeguarding the personal information under our control and in maintaining a system that meets our obligations under the new regulations. Our practice is summarised below.
Your data protection policy is available on our website and a copy has been made available to all employees and to contractors and suppliers associated with this organisation. It forms part of the induction training of all new staff and follow-up sessions will be put in place if the legislation changes or further guidance is available.
Right to be forgotten
We recognise the right to erasure, also known as the right to be forgotten, laid down in the GDPR.
Subject access requests
We recognise that individuals have the right to access their personal data and supplementary information and will comply with the one month timeframe for responses set down in the GDPR. As a general rule, a copy of the requested information will be provided free of charge although we reserve the right to charge a "reasonable fee" when a request is manifestly unfounded or excessive, particularly if it is repetitive. If this proves necessary, the data subject will be informed of their right to contest our decision with the supervisory authority (the Information Commissioner's Office (ICO)).
As set out in the GDPR, any fee will be notified in advance and will be based on the administrative cost of providing the information.
We will implement data protection "by design and by default", as required by the GDPR. Safeguards will be built into products and services from the earliest stage of development and privacy-friendly default settings will be the norm. The privacy notice, which is on our website and which is provided to anyone from whom we collect data, explains our lawful basis for processing the data and gives the data retention periods. It makes clear that individuals have a right to complain to the ICO. We have conducted a privacy impact assessment (PIA) to ensure that privacy risks have been properly considered and addressed.
Privacy Information Notices
The privacy information notices for website visitors can be accessed here.
Data transfers outside the EU
We do not transfer personal data outside the EU.
We have put recognised procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of any personal data that is transferred to countries outside the EU. Diligence checks are carried out to ensure that such countries have the necessary safeguards in place, provide enforceable data subject rights and offer effective legal remedies for data subjects where applicable.
The GDPR provides for special protection for children's personal data and we will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16. Systems have been introduced to verify individuals’ ages.
If a data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the people affected will be informed as soon as possible and the ICO will be notified within 72 hours.
GDPR - How your information will be used
- As a health and social care application, Signum Health needs to keep and process information about you for normal health care purposes. The information we hold and process will be used for management and administrative use only. We will keep and use it to help provide health care and manage our relationship with you effectively, lawfully and appropriately, during your use of our application, and at the time when you have been discharged or no longer using our application. This includes using information to enable us to comply with any service/performance contracts, to comply with any legal requirements, pursue the legitimate interests of Signum Health and to protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
- As a business we may sometimes need to process your data to pursue our legitimate business interests, for example to prevent fraud, for administrative purposes or to manage your health care. We will never process your data where these interests are overridden by your own interests.
- Much of the information we hold will have been provided by you, but some may come from other sources, such as clinical and administrative staff, or in some cases, external sources, such as other health and social care providers.
- The sort of information we hold includes your contact details, elements of your medical record; correspondence with or about you, for example information from other health and social care organisations, medications; records of appointments, visits and other attendances.
- Where we record or process special categories of information relating to your health and social care records, racial or ethnic origin, religious, biometric data or sexual orientation, we will always obtain your explicit consent to those activities unless this is required by law or the information is required to provide healthcare.
- Where we are processing data based on your consent, you have the right to withdraw that consent at any time.
- We may record computer and telephone/mobile telephone contacts.
- Other than as mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external health insurance schemes.
- We may transfer information about you to other organisations for purposes connected with your healthcare or the management of Signum Health business, such as Commissioning bodies, trusts, health and social care services.
- Your personal data will be stored only for as long as we require it in relation to the purpose for which it was collected and/or processed.
- If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
- Under the General Data Protection Regulation (GDPR) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data. You also have the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
- If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
- You have the right to lodge a complaint to the Information Commissioner’s Office if you believe that we have not complied with the requirements of the GDPR with regard to your personal data.
The Data Protection officer for Signum Health is: Victoria Norman
If you would like to contact the Data Protection Officer, please use the following Email: Victoria@signum-health.com
Information Security and Technical and Organisational Measures
Signum Health takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction. Personal Data is only stored on NHS Approved data hosting service.
GDPR Roles and Employees
If you have any questions about our GDPR compliance policies, please contact [Data Protection Officer (DPO)/Appointed Person].
Last reviewed September 2020