We are committed to protecting and respecting your privacy and this policy (together with the terms of service) sets out:
2) Applicable law
3) Information we collect about you
4) How we use your information
5) Where we store your information
6) How we protect your information
7) Legal bases for processing your data
8) How long we keep your information
9) Subject access requests, changing and deleting your personal data
10) Your rights
11) Child safety
Our data protection officer (DPO) is Martyn Rankin and can be contacted at firstname.lastname@example.org
Data processing by Onkohealth Limited is subject to English law. Pursuant to UK GDPR, UK DPA 2018, and any other applicable data protection regulations, we work to ensure our users have appropriate protection of their privacy and personal data.
For the purposes of European Economic Area data protection law, (the “Data Protection Law”), the data controller is Onkohealth Limited. This means we are responsible for deciding how we hold and use personal information about you.
We are committed to the GDPR principle of data minimisation, and only collect the personal data we require to be able to provide our Services to you. We will collect and process the following personal data from you:
Information you give us
In certain circumstances you may be obliged to provide us with personal data for us to be able to enrol and maintain you on the programme. If you opt out or fail to provide the personal data when requested, we may not be able to accept you onto the programme or continue to offer the service once you are enrolled. This information includes your full name, postal address, email address, telephone number, date of birth, existing health conditions, treatment and / or medication and the name and contact information of your healthcare team, hospital and GP.
You can choose to import metrics on activity, heart rate and sleep via wearable devices (for e.g. Fitbit and Apple Health). You will also be able to journal your mood and symptoms, such as the type, severity and frequency, so you can track your progress over time and share with others where you choose to do so. This data helps us deliver an optimised service, but you can opt out should you wish by not choosing to input or import data.
Only employees and agents of Onko, which are obligated to maintain confidentiality, can access applicable data and only as reasonably necessary to perform their role. Other third parties do not have access to your personal data without your explicit consent.
Your personal data, as well as all data collected via the App or website (e.g. data about activity, symptoms, mood etc., including from connected external apps e.g. Fitbit, Apple HealthKit,) will only be used for rendering Services according to contractual obligations. When Onko is providing Services to, and on behalf, of the NHS or Private medical Insurers, personal data is exchanged between Onko and referring healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also record telephone calls as needed for optimal customer service and quality management purposes.
When Onko is providing Services to, and on behalf of the NHS or Private Medical Insurers, non-personally identifiable (or anonymised) data on Service users is shared with commissioning bodies and contractually relevant parties for the purposes of evaluating our Services and/or for research. Such data may be used by Onko and authorised affiliates (i.e. NHS) for research and publication purposes and can be analysed and used to improve our Service (optimisation, further development and research) during the duration of the contract and after the termination of the contractual relationship.
You have the right and ability to opt out of certain uses or sharing of your data etc., please see below section titled “Subject Access Requests, Changing & Deleting Your Personal Data”. The reason you cannot opt out of all data sharing with us is that we would be unable to provide you with our Service.
5.0 WHERE WE STORE YOUR INFORMATION
We use Amazon Web Services (“AWS”) (offered by Amazon Web Services, 60 Holborn Viaduct, London, EC1A 2FD) to host the data. Your data is processed on servers in the UK. Data is encrypted end to end.
The data we collect from you is stored within the European Economic Area (“EEA”).
6.0 HOW WE PROTECT YOUR INFORMATION
All information you provide to us is stored on our secure servers and is encrypted between your device and any external host storage to keep it safe (i.e. ‘encrypted in transit’ as well as ‘encrypted at rest’). We use the AES 256 encryption standard.
The Twilio video used for video consultations is based on the open standard WebRTC protocol. The security architecture is described here and the protocols used include TLS, DTLS and SRTP. All communication between a Programmable Video client and the Twilio cloud is encrypted. Media shared in Group Rooms is encrypted during transport to Twilio, is briefly decrypted in memory in Twilio’s cloud, and is immediately re-encrypted before being sent to other Participants. Decrypted media is not written to any persistent storage or sent across the network. For further information please consult https://www.twilio.com/docs/video/media-security
7.0 LEGAL BASES FOR PROCESSING YOUR DATA
Any information about your health is classed as sensitive personal data and we ensure that additional safeguarding measures are in place to protect this information. Our legal bases relied upon in processing of your personal data are:
Should you have any questions on which may apply to your particular personal data, please e-mail email@example.com
8.0 HOW LONG WE RETAIN YOUR INFORMATION
Your personal data is retained only for as long as necessary, per contract and in accordance with data protection regulations. In many cases, the retention period is 8 years, to comply with applicable NHS data retention standards.
Should you have any questions on this, please e-mail firstname.lastname@example.org
9.0 SUBJECT ACCESS REQUESTS, CHANGING AND DELETING YOUR PERSONAL DATA
You can make a Subject Access Request (SAR) to change or delete the personal data entrusted to us at any time if you request same with a copy of your identification (passport, driving license) by e-mail to email@example.com. We will oblige your request except for any data which might be required for us keep on file for a specified timeframe for compliance with applicable law(s), NHS standards/regulations, etc.
We strive to respond to your requests within 28 days and will let you know if we are unable to meet this timeframe. If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority (see https://ec.europa.eu/info/law/law-topic/data-protection_en).
The Information Commissioner (ICO) is the supervisory authority in the UK and can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
10.0 YOUR RIGHTS
Under data protection legislation, data subjects have the following rights with regards to their personal information:
The website and the App is intended for use only by persons who are at least 18 years of age. By using our Services, you confirm to us that you meet this requirement. If you suspect that a child under 18 is accessing the App and providing personal data without their parent or guardian’s consent, please contact us at firstname.lastname@example.org so that we can investigate and remove/delete the data where necessary.
We are committed to protecting the privacy of our users and will not disclose or distribute your data to any third parties for marketing purposes
However, we may use information for marketing our services to you in the following ways: