Privacy Notice

HEALTH EXCHANGE PRIVACY POLICY

WHO WE ARE

This privacy notice (the “Privacy Notice”) applies to all personal information processing activities carried out by Health Exchange (referred to as “we”, “us” and “our”).

Health Exchange operates as both a data controller and data processor in respect of personal information that we process in connection with our business (including the products and services that we provide). In this notice, references to “we”, “us” or “our” are references to Health Exchange. This Privacy Notice sits within a wider Data Protection Policy. All documents relating to data protection can be read independently or as a collection within our collective policies.

Our principal address is Avoca Court, 27 Moseley Road, Digbeth, Birmingham, B12 0HJ. Our website address is www.healthexchange.org.uk.

We respect individuals’ rights to privacy and to the protection of personal information. The purpose of this Privacy Notice is to explain how we collect and use personal information in connection with our business. “Personal information” means information about a living individual who can be identified from that information (either by itself or when it is combined with other information). We may update our Privacy Notice from time to time. When we do, we will communicate any changes to all live clients and publish the updated Privacy Notice on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it.

 

THE INFORMATION WE PROCESS

We collect and process various categories of personal information at the start of, and for the duration of, your relationship with us. We will limit the collection and processing of information to information necessary to achieve one or more legitimate purposes as identified in this notice. You provide some of this data directly, such as when you self-refer into our services or are referred, or if you attend one of our events or training programmes as a member or non-member. Personal information may include:

· Basic personal information, including name and address, and contact details

· Online profile and social media information and activity, based on your interaction with us and our websites and use of our application

· We may also process certain special categories of information for specific and limited purposes, such as making our services accessible to customers. We will only process special categories of information where we have obtained your explicit consent or are otherwise lawfully permitted to do so. This may include:

· Health specific information (Including where relevant your NHS Number)

· Information about racial or ethnic origin

· Gender,

· Age

· Employment Status

· DOB

· Religious or philosophical beliefs;

· Trade union membership;

· Genetic data;

· Biometric data (where this is used for identification purposes);

· Sex life; or

· Sexual orientation;

 

HOW WE OBTAIN INFORMATION

Your information is made up of all the personal information we collect and hold about you after you have been referred to our service by Primary or Secondary Care (a GP, Nurse or other Health Professional), or you have self-referred (i.e. you have decided to take up the offer of one of our services).

· Information you give to us;

· Information we may receive from third parties (where permitted by law);

· Information that we learn about you through our relationship with you and the way you engage with our services;

 

HOW WE WILL USE INFORMATION ABOUT YOU

We access, transfer, disclose, and preserve your data to operate our business and provide our clients and customers with the best possible service. We may use the data you provide to communicate with you. Most commonly, we will use your personal information in the following circumstances:

· To manage the relationship we have with you because you are receiving or have received a health or wellbeing service from us;

· To provide you with access to products and services, e.g. training, forums, events;

· To carry out obligations arising from any contracts entered by you and us;

· To seek your views or comments on the services we provide;

· To notify you of changes to our services;

· To comply with health and safety obligations;

· To comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;

· For our own business management and planning, including accounting and auditing, reporting, and/or submitting raw data to Commissioners.

· Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents.

· To prevent fraud e.g. to prevent spam or attempts to defraud.

· To ensure network and information security, including preventing unauthorised access to our computer and electronic communication systems and preventing malicious software distribution.

· To conduct data analytics studies to review and better understand our service provision and offers including retention and attrition rates.

· In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

 

DIRECT MARKETING

You will need to opt in if you would like us to send you relevant marketing information (including details of services provided by us or selected service provision partners, affiliated third parties which we believe may be of interest to you), by mail, phone, email, text and other forms of electronic communication. If you change your mind about how you would like us to contact you or you no longer wish to receive this information you can tell us at any time by contacting us at 0121 663 0007 or at our offices – (Avoca Court, 27 Moseley Road, Digbeth, Birmingham B12 0HJ).

 

COMMUNICATIONS ABOUT YOUR SERVICE OR PROGRAMME PROVIDED BY HEALTH EXCHANGE

We will contact you with information relevant to the operation and maintenance of your account (including updated information about how we process your personal information), by a variety of means including online webchat, email, text message, post and/or by telephone. If at any point in the future you change your contact details, you should tell us promptly about those changes.

We record and log calls, emails, text messages and other communications in accordance with applicable laws for the purposes of our business.

We will actively seek consent for the processing of data relating to the service you receive during the referral process. We will also actively seek consent on your communication preferences, which you can modify at any time. We do not need your consent if we use categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of law.

When you engage Health Exchange services we may approach you for your written consent to allow us to share your data with a third-party organisation or person. This is often done to support academic research and development and to continually improve our services offered to you. If we do so, we will provide you with full details of the information that we would like, the reason we need it, and who it will be shared with so that you can carefully consider whether you wish to consent.

 

HOW WE USE SENSITIVE PERSONAL INFORMATION, AND DO WE NEED YOUR CONSENT?

“Special categories” of sensitive personal information require higher levels of protection. We may process special categories of personal information in the following circumstances:

· In limited circumstances, with your explicit written consent.

· Where we need to carry out our legal obligations and in line with our data protection policies.

· Where it is needed in the public interest, such as for equal opportunities monitoring, and in line with our data protection policies.

· Where it is needed to carry out obligations of a funded project.

· Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public or in the course of legitimate business activities with the appropriate safeguards.

 

CHANGES TO THE WAY WE USE YOUR INFORMATION

From time to time we may change the way we use your information. Where we believe you may not reasonably expect such a change, we will notify you and will allow a period of at least 30 days for you to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to provide certain services to you.

 

AUTOMATED DECISION-MAKING

Automated decision-making may take place when we believe an electronic system is best placed to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

· Where we have notified you of the decision and given you 21 days to request a reconsideration.

· Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.

· In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

· If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

· You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

 

DATA SHARING

We may have to share your data with third parties, including third-party service providers, to complete any transaction or provide any product or service you have requested or authorised. We only permit them to process your personal data for our specified purposes and in accordance with our instructions. We require third parties to respect the security of your data and to treat it in accordance with the law.

We may share your personal information where required by law, or where we have another legitimate interest in doing so. When you provide payment data to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction.

In addition, we share personal data among organisations to whom you may be referred for an additional service. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use personal data they receive from us or have access to for any purpose other than that stated. If you provide personal data to any of those third parties, beyond information that you explicitly allowed us to share, your data is governed by their privacy statements. We are not responsible for any such third party’s use of your information.

 

DATA SECURITY

We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have put in place measures to protect the security of your information. Details of these measures are available upon request.

 

HOW LONG WE KEEP YOUR INFORMATION

By providing you with products or services, we create records that contain your information, such as customer account records, activity records and communication records. Records can be held on a variety of media (physical or electronic) and formats.

We manage our records to help us to serve our clients and customers as well as we can (for example for operational reasons such as dealing with any queries relating to the service you have received) and to comply with legal and regulatory requirements. Records help us to demonstrate that we are meeting our responsibilities and to keep as evidence of our contractual and business activities.

Retention periods for records are determined based on the type of the record, product or service. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention are available upon request. (In most cases this will not exceed two years unless we are contractually obliged to do so.) Where this is different, specific information will be provided to you.

 

YOUR RIGHTS

We want to make sure you are aware of your rights in relation to the personal information we process about you. We have described those rights and the circumstances in which they apply below.

If you wish to exercise any of these rights, if you have any queries about how we use your personal information that are not answered here, or if you wish to complain to our Data Protection Lead, please contact us at 0121 663 0007.

Please note that in some cases, if you do not agree to the way we process your information, it may not be possible for us to continue to provide certain products and services to you.

Access – you have a right to access the personal information we hold about you. If you would like a copy of the personal information we hold about you, please contact us at:

Health Exchange, Avoca Court, 27 Moseley Road, Digbeth, Birmingham B12 0HJ – 0121 663 0007.

Rectification – You have a right to rectification of inaccurate personal information and to update incomplete personal information. If you believe that any of the information that we hold about you is inaccurate, you have a right to request that we restrict the processing of that information and to rectify the inaccurate personal information.

Please note that if you request us to restrict processing your information, we may have to suspend the operation of your account and/or the products and services we provide to you.

Erasure – You have a right to request that we delete your personal information. You may request that we delete your personal information if you believe that:

* we no longer need to process your information for the purposes for which it was provided;

* we have requested your permission to process your personal information and you wish to withdraw your consent; or

* we are not using your information in a lawful manner.

Please note that if you request us to delete your information, we may have to suspend services we provide to you.

Restriction – You have a right to request us to restrict the processing of your personal information.

You may request us to restrict processing your personal information if you believe that:

* any of the information that we hold about you is inaccurate;

* we no longer need to process your information for the purposes for which it was provided, but you require the information to establish, exercise or defend legal claims; or

* we are not using your information in a lawful manner.

Please note that if you request us to restrict processing your information, we may have to suspend the services we provide to you.

Portability – You have a right to data portability. Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have a right to receive the personal information you provided to us in a portable format.

You may also request us to provide it directly to a third party, if technically feasible. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.

Objection – You have a right to object to the processing of your personal information. You have a right to object to us processing your personal information (and to request us to restrict processing) for the purposes described in this Privacy Notice, unless we can demonstrate compelling and legitimate grounds for the processing, which may override your own interests, or where we need to process your information to investigate and protect us or others from legal claims.

Depending on the circumstances, we may need to restrict or cease processing your personal information altogether or, where requested, delete your information. Please note that if you object to us processing your information, we may have to suspend the services we provide to you.

Marketing – You have a right to object to direct marketing. You have a right to object at any time to processing of your personal information for direct marketing purposes, including profiling you for the purposes of direct marketing.

Withdraw consent – You have a right to withdraw your consent. Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.

Making complaints – You have a right to lodge a complaint with the regulator. If you wish to raise a complaint on how we have handled your personal information, you can contact our Data Protection Lead who will investigate the matter. We hope that we can address any concerns you may have within a reasonable period of time, in line with our organisational complaints policy, but you can always contact the Information Commissioner’s Office (ICO). For more information, visit ico.org.uk.

 

CCTV Policy – For information on the company’s use of CCTV at the Avoca Court premises, please consult the following document – CCTV POLICY v1.1

If you have any questions about this privacy notice, please contact the Data Protection Lead at Health Exchange, Avoca Court, 27 Moseley Road, Digbeth, Birmingham B12 0HJ.

Jennifer Jones-Rigby

Chief Operating Officer

February 2021 v1.1 [Updated company’s name & CCTV policy]

Previous versions of our privacy policy:

May 2018 Version 1.0

CCTV POLICY v1.0