Minuteful™ 10 - Privacy Notice
Last updated: 27/04/2023
Note to healthcare professionals: If you are using the services on behalf of an organisation that has entered into a contractual relationship with us for these services, those contractual terms will govern your use of the services and supersede the terms and this Privacy Notice in the event of any conflict. In line with UK data protection legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please contact your organisation if you have any questions or queries.
Note to patients: This Privacy Notice is provided to you because you and your care team have agreed that the Minuteful™ 10 Service is required as part of your treatment. This service is being offered to you by your healthcare provider, who for the purposes of Data Protection Legislation, is the Data Controller and is responsible for how your personal data is processed. In line with UK data protection legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please contact your healthcare provider if you have any questions or concerns.
Who is Healthy.io?
This document describes how Healthy.io (UK) Limited (“Healthy”, “Healthy.io”, “we”, “our” or “us”), a company registered in the UK,
- with Companies House registration number 10996079, and
- with the Information Commissioner’s Office (“ICO”), our Data Protection registration reference is ZA289700,
uses your personal data to support your trust, hospital, healthcare provider or healthcare organisation (“healthcare provider”) with the Minuteful™ 10 service.
What is Minuteful™ 10 and how does the service work?
The Healthy.io Minuteful™ 10 urine urinalysis test and application enables patients to perform a test at home for a wide range of conditions including urinary tract infections, ketosis, health in pregnancy as well as diseases of the kidney and liver.
Minuteful™ 10 is CE certified and its analytical sensitivity is equivalent to point of care semi-quantitative urinalysis devices.
The 10 parameters indicated are:
- Leukocytes
- Nitrites
- Glucose
- Ketones
- Protein
- Blood
- pH
- Urobilinogen
- Bilirubin
- Specific Gravity
Minuteful™ 10 can be used in various clinical pathways where these parameters are required to be tested, for example, maternity, renal surgery, renal transplant.
Who is the Data Controller?
A ‘Data Controller’ determines the purposes for which and the means by which personal data is processed. A Data Processor carries out tasks on behalf of a Data Controller.
For the purposes of this processing, which is to support your healthcare provider in providing you with direct care:
- Your healthcare provider is the Data Controller and
- Healthy.io is the Data Processor.
In line with UK data protection legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please refer to your healthcare provider’s Privacy Notice for further information.
Before a clinician can use the Minuteful™ 10 application, we ensure that a signed Data Processing Agreement (“DPA”) is in place between us and your healthcare provider. A DPA is a legally binding document to be entered into between the Controller and the Processor that regulates the scope and purpose of processing, as well as the relationship between the Controller and the Processor.
What is the purpose and lawful basis for processing my personal data?
Please see below an outline of the personal data processed, purpose and lawful basis for processing.
What personal data items are processed?
- To provide you with the service, your healthcare provider shares the minimum amount of personal data with us: NHS number, first name, last name, date of birth, phone number and address.
- When you complete the test on your phone the following data is also processed: test date, test result, smartphone information (carrier, operating system, device, model, app version, city), and app information (IP address)[1].
Is special category data processed?
Special category data is personal data that needs more protection because it’s sensitive, for example health data is categorised as Special Category Data. As part of this service, the following special category data are processed: test result.
What is the purpose of the processing?
To support the provision of direct care, the Healthy.io Minuteful™ 10 urine urinalysis test and application enables patients to perform a test at home for a wide range of conditions including urinary tract infections, ketosis, health in pregnancy as well as diseases of the kidney and liver.
What is the lawful basis under the UK General Data Protection Regulation (GDPR)?
- Personal data: Article 6, 1 (e) public task.
- Special category data: Article 9, 2 (h) Health or social care.
What is the lawful basis under the Data Protection Act 2018?
- Schedule 1, Part 1: (2) Health or social care purposes.
How does this personal data sharing comply with the Common Law Duty of Confidentiality (CLDC)?
- The CLDC is satisfied as Healthy.io’s Minuteful™ 10 service will be used by clinicians for the purpose of direct care.
- It should be noted that when personal data is processed and shared for the purpose of direct care, consent is not required.
How do you obtain my personal data and for how long is it retained?
We obtain the minimum amount of data from your healthcare provider who shares your data with us in order to be able to provide the service. Only Healthy.io staff members in authorised roles will have access to your data.
The table below shows the data items processed, how they are obtained and retention information.
Data set one
- Data items processed for this service: NHS number, First name, Last name, Date of Birth, Mobile phone number, Address, any personal data that you may directly provide us with, for example when you contact us for support.
- How do we obtain your personal data? Unless you have provided any data directly to us (e.g. for support purposes), the data items in data set one are shared directly from your healthcare provider with us.
- What happens to your data at the end of the retention period? Personal data is deleted.
Data set two
- Data items processed for this service: Test date, Test result, Smartphone information (carrier, OS, device, model, app version, city).
- How do we obtain your personal data? These data items are obtained when you complete the ACR test using the smartphone app.
- What happens to your data at the end of the retention period? Personal data is anonymised. When the personal items in data set one have been deleted, data items in data set two are anonymous as they cannot be linked to an individual directly or indirectly.
Data set three
- Data items processed for this service: Smartphone information - IP address.
- How do we obtain your personal data? This data item is obtained by Healthy.io when the Minuteful™ 10 app is used.
- What happens to your data at the end of the retention period? Personal data is anonymised and retained on a separate database for forensic and information security purposes and deleted after 12 months.
We will retain your personal data in line with our Data Retention Policy, which means that we retain your data for the duration of the contract with your healthcare provider. If required by law, we will keep your data for the minimum time required under the applicable law.
When personal data is no longer required, we delete or anonymise data in line with UK data protection legislation and appropriate industry guidance.
Will you share my personal data with other organisations for purposes other than direct care?
When your healthcare provider shares your data with us, we will only use your personal data to provide direct care to you.
A ‘Sub-processor’ is a trusted third-party data processor engaged by Healthy.io who has access to personal data. We use third-party Sub-processors to provide elements of services (such as data hosting). We have contracts in place with Sub-processors which ensure appropriate use of your data.
In some circumstances we are legally obliged to share information. If we do need to share personal data with other organisations, we do this in line with the Data Protection Act 2018, the UK GDPR and relevant legislation or court order and we share the minimum amount of information required.
Is my personal data processed outside the UK?
We (or Sub-processors acting on our behalf) may store or process limited data about you in countries outside the UK. Most of the data processing is carried out in the UK or the EEA.
- Patient personal data is stored in the UK or EEA.
- Most staff personal data is stored in the UK or EEA. However, in order for us to provide you with our service, a limited amount of personal data may be processed outside the UK and the EEA.
Where data is processed outside of the UK or EEA, we will take the required steps to ensure that your personal data is protected to the standard and data transfer mechanisms required by UK data protection legislation.
How is my personal data protected?
In order to protect your personal data, we and our Sub-processors use all reasonable industry-standard physical, procedural and electronic security measures (such as access control, secure servers, firewalls, internal policies, encryption, database backup etc.). We cannot and do not guarantee the absolute safety of any Personal Data stored with us or with any third-party.
We are committed to complying with information security industry standards such as:
- Data Security and Protection Toolkit (DSPT): Reference 8KC08
- ISO 27001:2013 Information Security Management System (ISMS)
- ISO 22301:2019 Business Continuity Management System (BCMS)
- ISO 13485:2016 Medical devices - Quality management systems - Requirements for regulatory purposes
You can find more information about our information security practices on the Trust Centre webpage of our website.
What are my data rights, and can I object to you processing my personal data?
Individual rights requests are the responsibility of the healthcare provider where you are receiving care. Any individual rights requests that are made directly to Healthy.io will be reported to your healthcare provider for them to process and confirm actions required to be taken by Healthy.io. This process is in place as we can only act under the instruction of your healthcare provider to process your data.
You have the right to object to processing and opt out of the service. If you would like to object, you can contact your healthcare provider.
Who can I contact if I have any questions or queries?
As we can only act under the instruction of your healthcare provider to process your data, if you have any questions or queries about how your data is used, please contact your healthcare provider where you are receiving care.
How can you make a complaint?
As we can only act under the instruction of your healthcare provider to process your data, if you have any questions or queries about how your data is used, please contact your healthcare provider where you are receiving care.
You have a right to make a complaint if you are unhappy about how your personal data is processed.
Please note that the ICO will not normally consider an appeal until you have exhausted your rights of complaint. Please see the ICO website (link below) for further advice.
If you remain dissatisfied, you may wish to contact the ICO:
- Website: https://ico.org.uk/make-a-complaint/
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
Copyright © 2022, Healthy.io LTD. All rights reserved.
Citations and Footnotes
[1] Smartphone information, including IP address, is processed for operational purposes, including troubleshooting, maintenance, support, and information security purposes.