Carebit was built with patient privacy and security at its heart. As patients ourselves, we were frustrated at how hard it was to find out who had access to our health records and for how long. Our policy is to make data transparent - easily available to those who need it (like your doctor), and easy to control and understand by you, the patient. This policy spells out how we do that.
This policy provides an explanation as to what happens to any personal data that you share with us, or that we collect from you either directly via this Website or via email.
Certain businesses are required under the Data Protection Act to have a data controller. For the purpose of the Data Protection Act 1998 our Data Controller is Dominic Eden, who can be contacted via email at email@example.com.
1. Information we collect
In operating our Website we may collect and process the following data about you:
1.1 Details of your visits to our Website and the resources that you access including, but not limited to, traffic data, location data, web log statistics and other communication data.
1.2 Information that you provide by filling in forms on our Website, such as when you register to receive information such as a newsletter or contact us via the contact us page.
1.3 Information provided to us when you communicate with us for any reason.
On occasion, we may gather information about your computer for our services, and to provide statistical information regarding the use of our Website.
Such information will not identify you personally; it is statistical data about our visitors and their use of our Website. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with the Website so that we can continue to develop and improve this Website.
We may gather information about your general Internet use by using a cookie file that is downloaded to your computer. Where used, these cookies are downloaded to your computer automatically. A cookie is a small file containing information that is transferred to and stored on your computer’s hard drive. Cookies help us to improve our Website and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website.
3. Use of your information
The information that we collect and store relating to you is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purposes:
3.1 To provide you with information requested from us relating to our services and to provide information on other services which we feel may be of interest to you if you have consented to receive such information.
3.2 To meet our contractual commitments in delivery of our services to you.
3.3 To notify you about any changes to our Website, such as improvements or service/product changes, that may affect our service.
3.4 If you are an existing patient, we may contact you with information about services similar to those which you previously used.
3.6 If you are a new customer, we will only contact you when you have provided consent and only by those means you provided consent for.
3.7 If you do not want us to use your data for ourselves, you will have the opportunity to withhold your consent to this when you provide your details to us on the form on which we collect your data.
4. Storing your personal data
4.1 Carebit stores your data on behalf of a Partner, such as a private medical clinic, which has enrolled you as a patient. This data includes personal data (e.g. date of birth and address), notes, test results and letters of correspondence. We use encrypted SSL connections throughout Carebit, so whenever your data is entered into or retrieved from Carebit, it is only over an encrypted connection. Your data is also stored in an encrypted database accessible over an encrypted connection with extremely limited access permissions. For more information on the privacy and security processes of the Organization that has enrolled you, please contact them directly.
4.2 While we use bank-grade SSL encryption on our website and throughout our infrastructure to encrypt all communications between your device and our servers, the transmission of information via the internet is not completely secure. We therefore cannot guarantee the security of data sent to us electronically, and the transmission of such data is entirely at your own risk. Where we have given you (or where you have chosen) a password so that you can access certain areas of our site or service, you are responsible for keeping this password confidential.
5. GDPR compliance summary
We are committed to ensuring the very highest levels of data protection for our Partners, and for the patients belonging to our Partners who have entrusted them with their data. As such, we employ highly skilled IT professionals to help us achieve this. We use bank-grade encryption, private IP routing, IP whitelisting, VPNs and other best practices extensively throughout our business.
Furthermore, the GDPR regulations require us to explain why we collect patient data and what it is used for. Below is a summary of the key points you need to know before you send your data to us for processing and storage.
Identity and contact details of the controller and the data protection officer: Please email Dominic Eden (firstname.lastname@example.org).
Purpose of the processing and the legal basis for the processing: Our lawful basis is one of contract. We and our Partners need to store and process your personal data (for example, your date of birth, name, and test results) in order to fulfil our contractual obligations to you in delivering services that you have requested and paid our Partners to perform. We cannot fulfil our contractual obligations to them, and they cannot fulfil their obligations to you without being able to store and process your personal data to understand your medical needs.
Special categories of personal data: on behalf of Partners that use Carebit, we collect and store data relating to patients’ racial or ethnic origin and health. Processing of this data is necessary for the purposes of carrying out our contractual obligations to deliver medical services: racial, health and sexual data is required in order for our Partners to ensure the highest standards of quality and safety of health care.
Any recipient or categories of recipients of the personal data: only Partners can access the data of their patients. Other Partners cannot access your data without your consent or at the request of your doctor for medical reasons.
Details of transfers to third country and safeguards: all data is retained in encrypted form on UK servers. No transfers are made to third parties or to third countries.
Retention period or criteria used to determine the retention period: in accordance with UK law, we keep patient data for 7 years from the date of last appointment in order to be able to provide follow-up appointments. Additionally, if you choose to transfer to another healthcare provider, our retention period allows us to (with your consent) transfer our patient data (including medical details of services we have performed) to them.
The existence of each data subject’s rights: you have specified rights under the GDPR legislation. These are:
- a right of access to a copy of the information comprised in your personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.
Please contact us to exercise any of these rights.
The right to withdraw consent at any time: if our Partners have not provided medical services (and so are not required to maintain medical records for 7 years from the last date of service), you may withdraw consent to us storing your information. They will delete your information and notify you of this. Please be aware that our Partners may no longer be able to provide medical services if this consent is withdrawn, and will require you to provide consent again if you require medical services.
The right to lodge a complaint with a supervisory authority: you have the right to complain to the ICO.
Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data: Our Partners need to store and process your personal data (for example, your date of birth, name, and test results) in order to fulfil their contractual obligations to you in delivering a service that you have requested and paid them to perform (e.g. a consultation or surgery). They cannot fulfil their contractual obligations to you without being able to store and process your personal data to understand your medical needs. The consequences of failing to provide the personal data are that our Partners cannot treat you as a patient.
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences: Carebit does not currently undertake automated decision making, but you should refer to the privacy policies of our Partners for their specific policy.
6. Disclosing your information
6.1 Where applicable, we may disclose your personal information to any member of our group. This includes, where applicable, our subsidiaries, our holding company and its other subsidiaries.
6.2 We may also disclose your personal information to third parties:
6.2.1 Where we sell any or all of our business and/or our assets to a third party.
6.2.2 Where we are legally required to disclose your information.
6.2.3 To assist fraud protection and minimise credit risk.
7. Third party links
You will find links to third party websites on our Website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
8. Access to information
The Data Protection Act 1998 gives you the right to access the information that we hold about you. Please note that any demand for access may be subject to payment of a fee of £10 which covers our costs in providing you with the information requested. Should you wish to receive details that we hold about you please contact us using the contact details below.
9. Contacting us
We welcome any queries, comments or requests you may have regarding this policy. Please do not hesitate to contact us at email@example.com.