Last modified: 24/06/2019
We are Datix Limited (trading as RLDatix) (company number 02046379) (“we”, “our” or “us”). This policy applies to personal data passed to us (“Your Information”) in connection with services we provide to you in accordance with an agreement entered into between us and you (the “Agreement”). It does not apply to personal data we obtain from your use of our website, including for the purpose of accessing our services.
Data Protection Officer contact details: June Lewis, Datix Limited, Swan Court, 11 Worple Road, Wimbledon, London, SW19 4JS. firstname.lastname@example.org
This policy explains how we will use Your Information, why we use it in that way, who it will be shared with and other important information. Please read the following carefully.
1 SOURCE OF INFORMATION AND WHAT WE PROCESS
1.1 Your Information is passed to us by you pursuant to the Agreement. The categories of information that we receive and process are: information you choose to submit for the management and investigation of patient safety events, risks, complaints, claims and mortalities. These categories of information are chosen by you and may include for example names and addresses, email addresses, phone numbers, hospital number, NHS number, ethnicity, religion, sexual orientation, language spoken, details of disabilities and medical information.
1.2 Should you use the mobile application, Datix Anywhere, to submit Your Information, we may also request access to the microphone and the camera, and the voice, video, photo or other digital content on your mobile device to receive, process and delete Your Information that you choose to submit via the mobile application. This will include information described above but in addition may include images, voice data and physical likenesses. Location tracking services are not used.
1.3 We are aware that Your Information may be confidential and we will protect the confidentiality of Your Information in accordance with the legislative and compliance frameworks of the UK and the principles of ISO27001 security standard. Information is protected using storage and transport cryptography, with “least privilege” access controls and layered network security mechanisms. DatixCloudIQ application code is continually tested for vulnerabilities and the infrastructure is monitored for incidents. Data is logically segregated and physically secure.
2 HOW WE USE YOUR INFORMATION
2.1 We will use Your Information to provide you with the DatixCloudIQ service or to enable you to use DatixWeb and/or to provide you with related services.
2.2 We will collect anonymised statistical information about your activity when using the services we provide to you in accordance with the Agreement, for example the number of users viewing pages on a site or how often a feature is used, in order to monitor the effectiveness and responsiveness of the services we provide to you in accordance with the Agreement and to help us improve it.
2.3 Access to the network where Your Information is stored is restricted to our operational engineers. The principle of “least privilege” ensures that administrative users of the system have only the minimum rights necessary to perform their role.
2.4 RLDatix collects technical information to identify the mobile device on which you use the mobile application, Datix Anywhere, to generate encryption keys for the secure transmission of data.
2.5 The patient data you input into our system will be of a nature that allows identification of individual patients (“Identifiable Data”) and we will hold this securely in accordance with strict security policies and data protection laws. We will only use that Identifiable Data for the purposes of providing you with our Services.
2.6 The existence of this data, when analysed on a large scale, anonymised basis, and aggregated with your own or other organisations’ anonymised data, offers the potential of learning from the data, to gain insights towards improving patient care. Part of our mission is to be instrumental in helping the general improvement in patient care and we want to help you and other healthcare organisations obtain learnings and insights from the overview of aggregated anonymised data which may not be perceptible when only looking at smaller, individually identifiable data sets. Therefore we will also separately de-identify the data you input into our system and use it for healthcare applications.
2.7 In relation to this de-identified data, we will NOT:
2.7.1 use it for healthcare applications (except to provide you with our Services) unless it is de-identified,
2.7.2 re-identify the data or attempt to do so, unless with your permission, or
2.7.3 use Identifiable Data in the way we will use de-identified data.
3 WHO WE SHARE YOUR INFORMATION WITH
3.1 In order to assist us in delivering services we provide to you in accordance with the Agreement, we may permit specialist data hosting organisations or other third party specialist organisations to store or maintain Your Information on our behalf. However, we do not permit staff from these organisations to view or have access to Your Information, unless such viewing or access is necessary for such organisation to provide the services, or as necessary to comply with the law or a binding order of a governmental body. We require any such contractors, services providers, or other third parties to maintain the confidentiality of Your Information and to use it only for the limited purposes for which we disclose it to them.
3.2 We may also share Your Information with other organisations:
3.2.1 if we sell or buy any business or assets (as we may share Your Information with the prospective seller or buyer);
3.2.2 if we or substantially all of our company assets are acquired by another party, in which case Your Information will be one of the transferred assets;
3.2.3 if we have to share Your Information to comply with legal or regulatory requirements.
3.3 RLDatix takes measures to protect Your Information from interception when transmitted between networks and when stored on disk using asymmetrical encryption.
3.4 RLDatix may share Your Information in order to diagnose or investigate a serious issue relating to the RLDatix production network.
4 TRANSFERS TO THIRD COUNTRIES
4.1 Your Information will be stored in the UK. In accordance with the Agreement, Your Information may in some circumstances be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the processing of the provision of support or investigation services relating to the service.
4.2 We have the following safeguards in place for the transfer of Your Information outside of the EEA: Data will be sanitised as appropriate before transfer using (SHA-256) SSL encryption. Your Information will be only be transferred where relevant safeguards are in place.
4.3 Please do not give to us any personal information that you do not want, or do not have permission, to be transferred to or stored outside the EEA. By providing Your Information to us, you agree and consent to us transferring to, and storing Your Information at, a destination outside the EEA. You confirm that you have consent from the relevant data subjects and/or the benefit of another legal basis to permit such transfer outside the EEA.
5 RETENTION OF YOUR INFORMATION
5.1 We will keep Your Information as long as you subscribe to services pursuant to the Agreement, and then for up to 30 days after such subscription after which Your Information will be securely removed from our systems.
For a list of our sub-processors please click here.