Statement and purpose of policy
- Healum Ltd. (Healum) is committed to ensuring that all personal data handled by the company is processed according to legally compliant standards of data protection and data security.
- It is confirmed that for the purposes of the data protection laws, Healum is a data processor of any personal data in connection with customers, clients and patients, and Healum is a data controller of the personal data in connection with staff employment.
The purpose of this policy is to help Healum achieve data protection and data security aims by:
- notifying staff of the types of personal information that Healum may hold about them, customers, suppliers and other third parties and what Healum do with that information;
- setting out the rules on data protection and the legal conditions that must be satisfied when Healum collect, receive, handle, process, transfer and store personal data and ensuring staff understand rules and the legal standards; and
- clarifying the responsibilities and duties of staff in respect of data protection and data security.
This is a statement of policy only and does not form a part of the contract of employment. Healum may amend this policy at any time, in absolute discretion.
For the purposes of this policy:
- Data protection laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the General Data Protection Regulation (Regulation (EU) 2016/679).
- Data subject means the individual to whom the personal data relates.
- Personal data means any information that relates to an individual who can be identified from that information.
- Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data protection principles
Staff whose work involves using personal data relating to customers, clients, patients, another member of staff, or others must comply with this policy and with the following data protection principles which require that personal information is:
- processed lawfully, fairly and in a transparent manner. Healum must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which Healum are processing the information and to whom it may be disclosed.
- collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If Healum want to change the way Healum use personal data, Healum must first tell the data subject.
- processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. Healum will only collect personal data to the extent required for the specific purpose notified to the data subject.
- accurate and Healum takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. Healum will make reasonable efforts to rectify or erase inaccurate information.
- kept only for the period necessary for processing. Information will not be kept longer than it is needed and Healum will take all reasonable steps to delete information when Healum no longer need it. For guidance on how long particular information should be kept, contact the Senior Information Risk Owner (SIRO)
- secure, and appropriate measures are adopted by Healum to ensure as such.
Data protection by design and by default
Companies/organisations are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’). By default, companies/organisations should ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).
Procedure for data protection by design
- The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them).
- Only the necessary information required is requested from the user
- Allow users to monitor what is being done with their data
Procedure for data protection by default
- Setting default settings that increase the level of protection for a user’s data. For example, setting a default privacy setting for 2 factor authentication
Who is responsible for data protection and data security?
- Maintaining appropriate standards of data protection and data security is a collective task shared between Healum and Staff. This policy and the rules contained in it apply to all staff of Healum, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
- This policy also holds information on how information of customers, user, clients, patients, clinicians, coaches, participants, (Customer) and any other user of Healum’s software and applications are handled.
- The Senior Information Risk Owner is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. The Senior Information Risk Owner at Healum is Jonathan Abraham, [email protected]
- Questions about this policy, or requests for further information, should be directed to the Senior Information Risk Owner.
- All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The Senior Information Risk Owner must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
- Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
What personal data and activities are covered by this policy?
This policy covers personal data:
- which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information Healum possess;
- is stored electronically or on paper in a filing system;
- in the form of statements of opinion as well as facts;
- which relates to Staff (present, past or future) or to any other individual whose personal data Healum handle or control;
- which Healum obtain, is provided to Healum, which Healum hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
This personal data is subject to the legal safeguards set out in the data protection laws.
What personal data does Healum process about Staff?
Healum collects personal data about Staff which:
- the employee provides or Healum gathers before or during employment or engagement with the company;
- is provided by third parties, such as references or information from suppliers or another party that Healum do business with; or
- is in the public domain.
The types of personal data that Healum may collect, store and use about Staff include records relating to :
- home address,contact details and contact details for next of kin;
- recruitment (including application form or curriculum vitae, references received and details of qualifications);
- pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
- telephone, email, internet, fax or instant messenger use;
- performance and any disciplinary matters, grievances, complaints or concerns in which Staff are involved.
What personal data does Healum process about customers?
Healum collects personal data about customers which:
- The customer provides directly to Healum in order to use Healum products or services;
- is provided by the data controller of the customer’s health care record, such as a GP practise for a patient, through a data sharing agreement/contract
- is in the public domain.
The types of personal data that Healum may collect, store and use about Customers include records relating to :
- home address,contact details;
- Wellbeing information surrounding a patient’s health, mood, diet, exercise activities and preferences;
- Biometric information in order to forward patient’s their blood results (If applicable)
- Race, ethnicity, age, gender in order to understand engagement metrics for different cohorts of users
- telephone, email, sms;
Sensitive personal data
Healum may from time to time need to process sensitive personal information (sometimes referred to as ‘special categories of personal data’). Healum will only process sensitive personal information if:
- Healum have a lawful basis for doing so, eg it is necessary for the performance of the employment contract; and
- one of the following special conditions for processing personal information applies:
- the data subject has given explicit consent.
- the processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject.
- the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent.
- processing relates to personal data which are manifestly made public by the data subject.
- the processing is necessary for the establishment, exercise, or defence or legal claims; or
- the processing is necessary for reasons of substantial public interest.
- Before processing any sensitive personal information, Staff must notify the Senior Information Risk Owner of the proposed processing, in order for the Senior Information Risk Owner to assess whether the processing complies with the criteria noted above.
- Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
- The privacy notice sets out the type of sensitive personal information that Healum process, what it is used for and the lawful basis for the processing.
How Healum use personal data
Healum will tell members of Staff the reasons for processing personal data, how Healum use such information and the legal basis for processing in the privacy notice. Healum will not process Staff personal information for any other reason.
In general Healum will use information to carry out business, to administer employment or engagement and to deal with any problems or concerns Staff may have, including, but not limited to:
- Staff Address Lists: to compile and circulate lists of home address and contact details, to contact Staff outside working hours.
- Sickness records: to maintain a record of sickness absence and copies of any doctor’s notes or other documents supplied to Healum in connection with health, to inform colleagues and others that Staff are absent through sickness, as reasonably necessary to manage absence, to deal with unacceptably high or suspicious sickness absence, to inform revieHealumrs for appraisal purposes of sickness absence level, to publish internally aggregated, anonymoHealum details of sickness absence levels.
- Monitoring IT systems: to monitor use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
- Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve Staff.
- Performance Reviews: to carry out performance reviews.
- Equal Opportunities Monitoring: to conduct monitoring for equal opportunities purposes and to publish anonymised, aggregated information about the breakdown of Healum’s workforce.
Accuracy and relevance
- ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
- not process personal data obtained for one purpose for any other purpose, unless the subject agrees to this or reasonably expects this.
If Staff consider that any information held is inaccurate or out of date, then Staff should tell the Senior Information Risk Owner. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note comments.
Storage and retention
- Personal data (and sensitive personal information) will be kept securely.
- The periods for which Healum hold personal data are contained in privacy notices.
- GDPR Article 5(1)(e) about storage limitation specifies that personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR.
- Personal data will be periodically reviewed and if it is no longer needed it will be deleted or anonymised as appropriate. Anonymised data is not subject to GDPR or the Data Protection Act 2018.
- Responsibility for retention and disposal is designated to the Senior Information Risk Owner. The default retention period of records at Healum is 6 years.
|Types of records||Minimum retention period||Disposal method|
|Regulatory Operations||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Policy, Strategy and Public Affairs||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Legal and Board Secretary||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Human Resources||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Internal Financial Information||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Internal Financial Information||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Internal Audit||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Health and Safety||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Buildings Records||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Project Records||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Complaint Records||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Information Management Records||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Employee Records||6 years||Paper copies -Shredded Electronic copies – Wiped|
|Press and Public Relations Records||6 years||Paper copies -Shredded Electronic copies – Wiped|
Paper record disposal is carried out in a way that preserves the confidentiality of the record. Non-confidential records i.e. records that are clearly in the ‘public domain’ can be placed in ordinary rubbish bins or recycling bins. Confidential records should be placed in the confidential waste bins or shredded and placed in paper rubbish sacks for collection by an approved disposal firm. All copies including security copies, preservation copies and backup copies should be destroyed at the same time in the same manner.
All electronic records must be either physically destroyed (and a record of destruction certified) or wiped to the current Government standard. Deletion of the files is not sufficient. Destruction will be overseen by the Head of IT.
Individuals have the following rights in relation to personal data. Individuals have the right to make a subject access request. If Individuals make a subject access request, Healum will tell them:
- whether or not personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from them;
- to whom personal data is or may be disclosed.
- for how long personal data is stored (or how that period is decided);
- rights of rectification or erasure of data, or to restrict or object to processing;
- right to complain to the Information Commissioner if they think Healum have failed to comply with data protection rights; and
- whether or not Healum carry out automated decision-making and the logic involved in any such decision making.
- Healum will provide individuals with a copy of the personal data undergoing processing. This will be in electronic form.
- To make a subject access request, contact Healum at [email protected].
- Healum may need to ask for proof of identification before request can be processed. Healum will let the individual know if Healum need to verify identity and the documents Healum require.
- Healum will normally respond to requests within 28 days from the date request is received. In some cases, eg where there is a large amount of personal data being processed, Healum may respond within 3 months of the date request is received. Healum will write to the individual within 28 days of receiving original request if this is the case.
- If request is manifestly unfounded or excessive, Healum are not obliged to comply with it.
The individual has a number of other rights in relation to personal data. Individuals can require Healum to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if interests override legitimate grounds for processing the data (where Healum rely on legitimate interests as a reason for processing data);
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not interests override Healum’s legitimate grounds for processing the data.
- To request that Healum take any of these steps, please send the request to [email protected]
Healum will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. Maintaining data security means making sure that:
- only people who are authorised to use the information can access it;
- where possible, personal data is pseudonymised or encrypted;
- information is accurate and suitable for the purpose for which it is processed; and
- authorised persons can access information if they need it for authorised purposes.
- By law, Healum must use procedures and technology to secure personal information throughout the period that Healum hold or control it, from obtaining to destroying the information.
- Personal information must not be transferred to any person to process (eg while performing services for Healum on or behalf), unless that person has either agreed to comply with data security procedures or Healum are satisfied that other adequate measures exist.
Security procedures include:
- Any desk or cupboard containing confidential information must be kept locked.
- Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
- Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
- The Senior Information Risk Owner must approve of any cloud used to store data.
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
- All servers containing sensitive personal data must be approved and protected by security software.
- Servers containing personal data must be kept in a secure location, away from general office space.
- Data should be regularly backed up.
Telephone Precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
- the identity of any telephone caller must be verified before any personal information is disclosed;
- if the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing;
- do not allow callers to bully Staff into disclosing information. In case of any problems or uncertainty, contact the Senior Information Risk Owner.
Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
Data impact assessments
- Some of the processing that Healum carries out may result in risks to privacy.
- Where processing would result in a high risk to Staff rights and freedoms, Healum will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
- If Healum discover that there has been a breach of personal data which poses a risk to the rights and freedoms of individuals, Healum will report it to the Information Commissioner within 72 hours of discovery.
- Healum will record all data breaches regardless of their effect.
- If the breach is likely to result in a high risk to rights and freedoms, Healum will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures it has taken.
- Acceptable data quality is crucial to operational and transactional processes and to the reliability of business analytics / business intelligence reporting. Poor data quality puts Healum at significant risk of: damaging stakeholder trust; weakening service delivery; and incurring financial loss.
Data controllers are required under the Data Protection Act 1998, principle 4 to ensure that ‘data are kept accurate and up-to-date’. In order to comply with this provision, Healum will: take reasonable steps to ensure the accuracy of any personal data obtained; ensure that the source of any personal data is clear; carefully consider any challenges to the accuracy of information; and consider whether it is necessary to update the information.
Data quality can be measured in the following ways:
- Coverage – the degree to which data have been received from all expected data suppliers.
- Completeness – the degree to which data items include all expected values.
- Validity – the degree to which data collected satisfy the set of standards and business rules that govern the permitted, excluding default, values and formats for each individual field in a dataset.
- Default – the degree to which the default values specified in applicable standards and business rules have been used in the data collected.
- Integrity – the degree to which data satisfy the set of business rules that govern the relationships between fields, records and data assets.
- Timeliness – reports the time between data recording and delivery of the product that uses the data.
- Staff are responsible for helping Healum keep their personal data up to date.
- Staff should let Healum know if personal data provided to Healum changes, eg if staff move house or change bank details.
- Staff may have access to the personal data of other Staff members and of customers in the course of employment. Where this is the case, Healum relies on Staff members to help meet its data protection obligations to Staff and to customers.
Individuals who have access to personal data are required:
- to access only personal data that they have authority to access and only for authorised purposes;
- not to disclose personal data except to individuals (whether inside or outside of Healum) who have appropriate authorisation;
- to keep personal data secure (eg by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
- not to remove personal data, or devices containing or that can be used to access personal data, from Healum’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
- not to store personal data on local drives or on personal devices that are used for work purposes.
Healum always operates in accordance with the Caldicott Reviews regarding patient identifiable data laid out in the following 7 principles:
- Justify the purpose for using confidential information: Every proposed use or transfer of personal confidential data within or from our organisation is be clearly defined, scrutinised and documented, with continuing uses regularly reviewed.
- Don’t use personal confidential data unless it is absolutely necessary: Personal confidential data items are not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified is considered at each stage of satisfying the purpose(s).
- Use the minimum necessary personal confidential data: Where use of personal confidential data is essential, the inclusion of each individual item of data is considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary fora given function to be carried out.
- Access to personal confidential data should be on a strict need-to-know basis: In compliance with ISO/IEC 2000 and specifically the ISO/IEC 27001 standard for information security management, therefore CRB-checked Healum’s employees will have access to patient data on a strict need-to-know basis to reduce the risk of patient data exposure. This includes a clear audit log of what was accessed, by whom, when, what was altered that will be held for 6 years. We commit to accepting an audit on our products and services and agree to publish the findings.
- Everyone with access to personal confidential data should be aware of their responsibilities: Action are taken to ensure that those handling personal confidential data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality. All employees are also familiar with the Information Governance and Security Policy.
- Comply with the law: Every use of personal confidential data is be lawful. A dedicated handler of personal confidential data is responsible for ensuring that the organisation complies with legal requirements.
- The duty to share information can be as important as the duty to protect patient confidentiality: We have the confidence to share information in the best interests of our users within the framework set out by these principles
Healum has implemented a variety of technical controls to increase data protection. These technical controls include but are not limited to:
- Role based access
- Firewall protection
- Regular system updates*
*Systems are regularly updated as new updates are made available. Updates commonly occur once per week.
Similarly, Healum has implemented physical controls to prevent unauthorized access to data. These controls include but are not limited to:
- Locked doors to official healum workspaces
- FOB access to business area
- Locked windows
- Clear desks of any sensitive data
- Healum will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
- Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.
Data protection and security induction
All new employees must complete the data protection and security induction. The purpose of the induction is to support staff in understanding their obligations under the National Data Guardian’s Data Security Standards. The induction is composed of reading the following guidance articles and policies:
Data Security Standard 01 Personal confidential data big picture guide.pdf
Data Security Standard 02 Staff responsibilities big picture guide.pdf
Data Security Standard 03 Training big picture guide.pdf
Data Security Standard 04 Managing data access big picture guide.pdf
Data Security Standard 05 Process reviews big picture guide.pdf
Data Security Standard 06 Responding to incidents big picture guide.pdf
Data Security Standard 07 Continuity planning big picture guide.pdf
Data Security Standard 08 Unsupported systems big picture guide.pdf
Data Security Standard 09 IT protection big picture guide.pdf
Data Security Standard 10 Accountable suppliers big picture guide.pdf
How to inform individuals
Staff must be knowledgeable on how to provide individuals with information about the collection and use of their personal data. This section outlines how that is accomplished at Healum
- First, An individual makes a request to a member of Healum staff to learn about how Healum uses their personal data. This request may come in the form of a phone call, text message, email, letter, or communicated verbally.
- The Healum staff member who receives this request should first inform the individual that their request has been acknowledged
- The Healum staff member should provide the individual will a copy of this document, the Data Security and Data Protection Policy, and the Privacy Notice.
- The Healum staff member should outline the specific areas in these documents that outline the Individual’s rights and the use of their persona data.
- The Healum If further information is requested, the Healum staff member should reference the exact data fields that Healum has collected on the individual and the purposes of the fields.
- This information will be specific to the application that the individual is using, this should be clarified at the beginning of the conversation.
- The information will be outlined in the DPIA and Record of Processing activities for that project/application/product
- If there is additional help needed Staff members can seek assistance from their manager.
Data protection further reading
- Basic concepts of data protection are discussed on the ico website, see https://ico.org.uk/for-organisations/guide-to-data-protection/introduction-to-data-protection/some-basic-concepts/
Data Protection Impact Assessment Guidance
- In tandem with platform security, protection of data is maintained based on legal requirements and ongoing risk assessments.
- Data privacy risk should be part of security risk assessments and overall corporate security policy.
- Part of such policy there must be procedures in place to restrict access to personal data based on roles and duties within the organisation.
- Measures to perform checks on any new employees, including background checks, pre-screening and performance reviews which should include data privacy responsibilities.
- Making data privacy as one of the cornerstones of business continuity plans by having a data-loss prevention strategy in place, performing regular security and penetration testing etc.
- Perform Privacy Impact Assessment (PIA) and Data Protection Impact assessments (DPIA) for any new products being built or changes to existing products using standardised guidelines, templates and parameters and as part of product development processes.
- Perform Privacy Impact Assessment (PIA) and Data Protection Impact assessments (DPIA) for any programs, software or technology being used using standardised guidelines, templates and parameters.
For further information see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/how-do-we-do-a-dpia/
Record of processing activities guidance
A record of processing activities (ROPA) allows Healum to identify what data is being collected by the company and for what purpose. The ROPA is an evolving document that must be kept up-to date as project requirements are added or changed.
- For further information see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/
- This Data Security and Data Protection Policy has been formally approved by the Senior Information Risk Owner, Jonathan Abraham.