Graphnet Health Limited of Sunrise Parkway, Linford Wood, Milton Keynes, Buckinghamshire MK14 6DY ("we"/"us"/"our") is committed to protecting and respecting your privacy
Scope of Policy
This policy sets out how we process and protect any information about those who are end users of the product, that is staff or patients whose data is processed.
For the purpose of the General Data Protection Regulation (GDPR) and any additional data protection legislation, the data controller responsible for your personal data is the healthcare provider who employs or engages you and that has made our products and services available to you for your use. Graphnet is the Data Process for this information.
In this policy, personal data, or personal information, means any information about an individual from which that person can be identified.
It does not include data where the identity has been removed (anonymous data).
On behalf of the Data Controller, we may collect, process, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes address, email address and telephone numbers.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our products and services.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our products and services.
On behalf of the Data Controller we also collect, process and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific product feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
Keeping your data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions as per the requirements set out by the Data Controller and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify the Data Controller and any applicable regulator of a breach where we are required to do so.
Where your data is stored
Data collected as part of our services will be stored in accordance with the Data Controller’ instructions. We do not transfer your personal data outside the European Economic Area (EEA).
Controlling your personal information
We will not sell, distribute or lease your personal identifiable information to third parties without your instruction from the Data Controller.
Under certain circumstances, you have rights under data protection laws in relation to your personal data including the right to:
- request access to, deletion of or correction of, your personal data;
- request your personal data be transferred to another person; and
- complain to a supervisory authority.
To exercise any of these rights you must contact the Data Controller.
What we do with the information we gather?
We will only process your personal data for the purposes agreed with the Data Controller and when the law allows us to. Most commonly, we will process your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with the organisation that you work for/the Data Controller.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Who is your information shared with?
Information may be shared in line with the responsibilities we carry out on behalf of the Data Controller and to the authorised third parties listed below:
- Other companies in the System C & Graphnet Alliance group who are based in the United Kingdom and provide IT and system administration services;
- Service providers acting as processors based in the United Kingdom who provide IT and system administration services.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. We would always fully inform the Data Controller of any such change in relation to this.
In addition, we may disclose your personal information to third parties if we are required to do so by law or if we believe that such action is necessary to protect and defend the rights, property or personal safety of us, or any of our products or services.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
How long do we keep your information for?
We will only store your information in accordance with the Data Controller’s instructions and we will not hold your data for any longer than is necessary.
If you access our service using your NHS login details the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here.
This restriction does not apply to the personal information you provide to us separately.
NHS Digital’s Personal Demographic Service (PDS)
If you are receiving care from a health or care organisation, then that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number, the health and care organisations can work together more closely to improve your care and support. Graphnet acts as the Data Processor for managing information to provide the shared care record platform where relevant health care data, such as that provided from PDS will be processed.
Your NHS number is accessed through an NHS Digital service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in the organisation’s case management system. These data are retained in line with the organisation’s record retention policies and in accordance with the Data Protection Act 2018, Government record retention regulations and best practice.
The organisation will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional. For example, social workers will only have access to information that is relevant to the execution of their care duties.
Case management systems are provided by system suppliers, who are bound by the same rules. In such cases, systems may access the PDS directly or use third party software to access the PDS, such as the PDS FHIR API.
The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process because hospital staff will know who to talk to.
You have the right to object to the processing of your NHS Number in this way. This will not stop you from receiving care but will result in the benefits outlined above not being realised. To help you decide, the health or care organisation will discuss with you how this may affect their ability to provide you with care, and any other options that you have.
If you wish to opt-out from the use of your NHS Number in this way, please ensure you contact your healthcare providers direct.
Graphnet Health Limited
Ground Floor Building 5
Caldecotte Lake Drive
For the purposes of the Data Protection Act 2018 our Data Protection Officer is Anthony Smith: firstname.lastname@example.org