Minuteful Kidney - Privacy notice
Last reviewed: September 3, 2024
1. Who is Healthy.io and How Can You Contact Us?
This document describes how Healthy.io (UK) Limited (“Healthy”, “Healthy.io”, “we”, “our” or “us”), a company registered in the UK with Companies House registration number 10996079 and registered with the Information Commissioner’s Office (“ICO”) under Data Protection registration reference ZA289700, uses your personal data to support your GP Practice with the Minuteful™ Kidney service.
If you have any questions, concerns or comments about this Privacy Notice, our privacy practices, or if you would like us to update information or preferences you provided to us, please contact us by email at [email protected].
2. What is Minuteful™ Kidney and How Does the Service Work?
Healthy.io makes albumin to creatinine ratio (“ACR”) testing easier and more convenient, by allowing you to test from home using a smartphone app called Minuteful™ Kidney. An ACR test is part of your health care review if you have chronic kidney disease (CKD) or are at risk of CKD (for example diabetes or hypertension). The test looks for particles of protein in your urine called albumin.
Your GP Practice is collaborating with Healthy.io because doing a Minuteful™ Kidney ACR test allows your doctor to identify and monitor the presence of albumin, which may suggest the first signs of CKD.
Your GP practice will identify patients that have not completed their annual ACR test. Once eligible patients are identified by your GP Practice, to support patient choice in how their treatment is provided, a courtesy text message or letter is sent to the patient which notifies patients about the service and informs them they have the opportunity to opt out of the service.
The SMS or letter may be sent by your GP Practice or Healthy.io depending on the terms of the service between your GP Practice and us. This provides patients with an opportunity to decide if they would like to receive a urine test at home or whether they would prefer to continue visiting their practice for their test.
You have the right to object to processing and opt out of the service. If you would like to object or opt out, you can contact your GP Practice. If you make this request after the service is live, you can contact your GP Practice who will forward your request to us to action, or you can call our customer service team on 020 7183 7939 or email [email protected] and we will be happy to answer any questions and provide support.
As part of the Healthy.io service, which is to provide direct care, the Practice will securely share the minimum amount of personal data with Healthy.io’s onboarding team. We will then send out your kit that has been designed to fit through a letter box. To assist you with the test we may contact you either by text messages or a phone call.
Once you have received the ACR test kit, you will then need to download the Minuteful™ Kidney app from the Apple App Store or Google Play Store on your smartphone. Once downloaded, you will be able to run the test independently guided by Emily, our in-app nurse.
Patients are not required to create an account to access the Minuteful™ Kidney app. The app is downloaded and linked by the mobile phone number. At the end of the analysis, your test results are displayed and explained to you and automatically shared securely to your GP Practice’s electronic patient record system.
You can view the results in the app after the test is completed, and you have the option to secure access to your results using a PIN code.
3. Who is the Data Controller?
A ‘Data Controller’ determines the purposes for which and the means by which personal data is processed. A Data Processor carries out tasks on behalf of a Data Controller.
For the purposes of this processing, which is to support your GP Practice in providing you with direct care:
- Your GP Practice is the Data Controller and
- Healthy.io is the Data Processor.
In line with UK Data Protection Legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please refer to your GP Practice’s Privacy Notice for further information.
Healthy.io is registered with the ICO, our Data Protection registration reference is ZA289700.
Before any personal data is shared with us by your GP Practice, we ensure that a signed Data Processing Agreement (“DPA”) is in place. A DPA is a legally binding document to be entered into between the Controller and the Processor that regulates the scope and purpose of processing, as well as the relationship between the Controller and the Processor.
4. What Personal Data is Processed?
The following categories of personal data are processed as part of the service:
- Full name.
- NHS number.
- Mobile phone number.
- Home phone number.
- Address.
- Date of birth.
- Registered GP name.
- Gender.
- Special category data: medical information – diabetes type, CKD diagnosis and stage, date and value of last ACR test.
- Test result (upon completion of the test).
- IP address.
- Device identifiers (carrier, operating system, device model, app version, city).
- Email address (optional).
- Ethnicity (optional, only at the request of the GP Practice).
Is special category data processed?
- Special category data is personal data that needs more protection because it’s sensitive, for example health data is categorised as Special Category Data. As part of this service, the following special category data are processed: ethnicity, diabetes type, CKD diagnosis and stage, date and value of last ACR test, test result.
5. What is the Purpose and Lawful Basis of the Processing?
We may use the information we obtain about you for purposes allowed by applicable laws, including:
- Providing our services.
- Operating, evaluating and improving the services and to diagnose or fix technical issues.
- Complying with and enforcing as needed applicable legal requirements, industry standards, our policies and our contractual rights.
- Subject to our contractual obligations, and in order to improve the services, we may use anonymised data for internal testing, research, analysis, and product development and demonstration.
- Responding to your requests, questions and comments and providing customer support.
- Any other purposes with your consent.
While the lawful basis will be determined by the Data Controller, Healthy.io has identified the following lawful bases:
**UK General Data Protection Regulation**:
- Article 6(1)(e) public task for personal data.
- Article 9(2)(h) Health or social care for special category data.
**Data Protection Act 2018**:
- Schedule 1, Part 1: (2) Health or social care purposes
How does this personal data sharing comply with the Common Law Duty of Confidentiality (CLDC)?
- The CLDC is satisfied as your Practice will share your personal data with us for the purpose of direct care.
- It should be noted that when personal data is shared for the purpose of direct care, consent is not required; therefore your GP Practice does not need to ask for your consent for the data processing. However, you will be informed about the service with a text message or letter which will inform you that you can opt out from this service should you choose to do so.
6. How is the Personal Data Collected and for How Long is it Retained?
The data is collected through the following sources:
- from the organisation that has entered into a contractual relationship with us (e.g., a GP Practice);
- directly from you; or
- through the services (e.g., through usage analytics services).
We obtain the minimum amount of data from your GP Practice who share your data with us in order to be able to provide the service. Only Healthy.io staff members in authorised roles will have access to your data.
We will retain your personal data for the duration of the contract between the relevant contracting organisation and us. If required by applicable UK law, we will keep your data for the minimum time required under the applicable UK law. When personal data is no longer required, Healthy.io will delete or anonymise the data in line with Data protection legislation and appropriate industry standards.
7. Is Personal Data Shared with Other Organisations?
We may share personal data with third parties in certain circumstances or for certain purposes, including:
- Our business purposes. Subject to our contractual obligations, we may share your personal data with our affiliates, vendors, service providers, and business partners, including our data storage, analytics and data security partners (collectively, our Sub-processors). We may also share your personal data with our professional advisors, such as our auditors and law firms.
- With your consent. We may share your personal data if your GP Practice requests or directs us to do so.
- Compliance with law. We may share your personal data to comply with applicable laws or any obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries.
- Business Transfer. We may share your personal data to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of some or all of our assets, in which personal data held by us about our users are among the assets transferred.
- Anonymised data. Subject to our contractual obligations, we may also disclose anonymised information, so that it cannot be reasonably used to identify any individual.
- To enforce our rights. We may share your personal data to enforce any applicable terms and conditions and Terms of Service, and to ensure the safety and security of our services and our users.
8. Is Personal Data Processed Outside the UK?
We (or Sub-processors acting on our behalf) may store or process personal data in countries outside the UK. Where data is processed outside of the UK, we will take the required steps to ensure that your personal data is protected to the standard and data transfer mechanisms required by applicable UK data protection legislation.
9. How is Your Personal Data Protected?
We and our Sub-processors endeavour to maintain reasonable administrative, technical and physical safeguards designed to protect the personal information we maintain against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. However, we cannot ensure the security of any information you transmit to us, or guarantee that this information will not be accessed, disclosed, altered, or destroyed. We will make any legally required disclosures in the event of any compromise of personal data. You can find more information about our information security practices on the Trust Centre webpage of our website.
10. What are Your Data Rights, and Can You Object to Processing of Your Personal Data?
Individual rights requests are the responsibility of your GP Practice. Any individual rights requests that are made directly to Healthy.io will be reported to your GP Practice for your GP Practice to process and confirm actions required to be taken by Healthy.io. This process is in place as we can only act under the instruction of your Practice to process your data.
You have the right to object to processing and opt out of the service. If you would like to object, you can contact your GP Practice. If you make this request after the service is live, you can contact your GP Practice who will forward your request to us to action, or you can call our customer service team on 020 7183 7939 or email [email protected] and we will be happy to answer any questions and provide support.
11. Who Can I Contact if I Have Any Questions or Queries?
As we can only act under the instruction of your GP Practice to process your data, if you have any questions or queries about how your data is used, please contact your GP Practice.
If you have any questions, concerns or comments about this Privacy Notice, our privacy practices, or if you would like us to update information you provided to us, please contact us by email at [email protected].
12. How Can You Make a Complaint?
As we can only act under the instruction of your GP Practice to process your data, if you have any questions or queries about how your data is used, please contact your GP Practice.
You have a right to make a complaint if you are unhappy about how your personal data is processed.
Please note that the ICO will not normally consider an appeal until you have exhausted your rights of complaint. Please see the ICO website (link below) for further advice.
If you are unsatisfied with how your complaint is handled, you are within your rights to contact the ICO by:
- visiting the ICO’s website: https://ico.org.uk/make-a-complaint//
- telephone: 0303 123 1113
- writing to the following address by post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Copyright © 2024, Healthy.io Ltd. All rights reserved.
Citations and Footnotes
- We only collect this data if instructed to by your GP Practice. The reason your GP Practice may ask us to collect ethnicity is to support your GP Practice to demonstrate equity of access to health care when providing direct care.
- Smartphone information, including IP address, is processed for operational purposes, including troubleshooting, maintenance, support, and information security purposes.