1. Introduction

This is the Privacy Statement of Clanwilliam Health (DGL) Ltd (“Clanwilliam Health”, “we”) whose registered office is at Aurora House, Deltic Avenue, Rooksley, Milton Keynes, Buckinghamshire, MK13 8LW and it applies to the use of the iMedPatient mobile app, iMedPatient web application and their associated web applications and services. iMedPatient is a patient portal application including online booking and remote consultation functionality that seamlessly integrates with Medical Consultants systems (“iMedPatient Service”).

Clanwilliam Health is committed to maintaining the trust and confidence of our customers and committed to protecting your privacy in accordance with the Data Protection Laws (as defined in Section 4 below) at all times. All personal data collected in association with the provision of the “Apps” is carried out in accordance with the applicable Data Protection Laws (as defined in Section 4 below).

2. Purpose of this Statement

This Privacy Statement provides information about the ways in which Clanwilliam Health collects, stores and uses personal data relating to its customers (medical professionals such as Medical Consultants who have entered into a service agreement with Clanwilliam Health) and its customers users (patients of Medical Consultants using the iMedPatient mobile app and iMedPatient web services).

References to services include use of the Apps and services unless otherwise stated. This Privacy Statement sets out how we use our customers’ personal information and our customers’ users personal information, uploaded via use of the iMedPatient Services and your rights in respect of our processing of such personal information.

The iMedPatient mobile app and iMedPatient web services can only be used by our customers whose organisation (for example a Medical Consultant practice) has entered into a service agreement with Clanwilliam Health (or an affiliated company/ company in the Clanwilliam group of companies). The licence agreement will define the data sharing and information governance terms that apply to the services. This Privacy Policy applies only to the use of the iMedPatient mobile app and iMedPatient web services and is subservient to the overall licence agreement a partnership, practice or organisation has with Clanwilliam Health in respect of any software or applications.

3. Who Are We and What Do We Do?

Clanwilliam Health comprises software solutions designed to assist healthcare professionals to provide best in class patient care across a wide range of settings. From GP and consultant clinics to pharmacies, care homes and hospitals, Clanwilliam Health software solutions are used by thousands of healthcare professionals on a daily basis. The services are operated by Clanwilliam Health, who have provided technology solutions to the health care sector for over 25 years.

4. Our use of Personal Information

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly,

“Health Data” information relating to your health, such as medical information or records;

“Customers” means an individual or organisation who has entered into a licence agreement with Clanwilliam Health Ltd (or an affiliated company/ company in the Clanwilliam group of companies) in respect of the use of iMedPatient software.

“Customers’ users” means an individual user who has registered to use the iMedPatient mobile app and its services and is a registered patient of a Customer.

“Customer Account Data” means the personal data that we collect and process about you as a user of the iMedPatient application, including practice name, address details and the IP addresses of the devices you use to access the Services and analytics data relating to your use of the iMedPatient application, such as a log of when error messages are shown and a log of the Apps’ connection attempts;

“Customer Users Account Data” means the personal data that we collect and process about a Customer user as a user of the iMedPatient application, including name, address details, mobile number, gender, date of birth and the IP addresses of the devices you use to access the services.

“Video data” means video conferencing functionality. No data is collected, shared or stored by Clanwilliam Health or the service provider;

“Analytic Data” means data relating to the customers use of the iMedPatient application, such as a log of when error messages are shown and a log of the Apps’ connection attempts;

“Data Protection Laws” means the Data Protection Acts 1988 to 2018; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR“); Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications) and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations, 2011 (to the extent applicable);“GDPR” means the General Data Protection Regulation (EU) 2016/679;

References to “controller”, “processor”, “processing”, “data subject” and “personal data” shall have the same meaning as defined in the Data Protection Laws.

For the provision of the iMedPatient mobile app, iMedPatient web application and their associated web applications and services, the relationship for the data processing activities are as follows:

Data Controller: The healthcare professional such as the GP or medical consultant is the “Data Controller” in relation to the data processing activities for the Customers’ Users and Customers’ Users Account Data (for example Patient data).

Data Processor: Clanwilliam Health act as the “Data Processor” in relation to the data processing activities for the Customers’ Users/Customers’ Users Account Data (for example Patient data).

Clanwilliam Health shall act as a “Data Controller” in respect of Customer Data and Analytic Data, which the use of is described below in section 5.

Clanwilliam Health agrees to comply with its obligations under the Data Protection Laws in respect of its provision of the Services.

 

5. How do we usE this Information

We receive and process information from Customers and Customers Users that is provided directly to us. This is required during setup in order to provide the Customers and Customers Users with the iMedPatient Service. The types of information we collect directly from our Customers and the Customers’ Users are on the primary basis of performance of our contract with our Customers.

5.1 Customers Data

For Customers who register for the iMedPatient service, we process your personal data in the capacity of a Data Controller, which includes: Practice Name, Practice Address, Email ID, Mobile Number and IP Address.

The purposes for the data processing and lawful basis are outlined below:

1. Set up a Customers account – Performance of a contract
2. Provide, operate and maintain the iMedPatient Services – Performance of a contract

3. Process and complete transactions, and send related information, including transaction confirmations. – Performance of a contract
4. Manage our customers’ use of the iMedPatient Services, respond to enquiries and comments and provide customer service and support – Performance of a contract
5. Send customers technical alerts, updates, security notifications, and administrative communications – Performance of a contract

1. For any other purposes about which we notify customers. – Legitimate Interests

 

We use the Customer Account Data to fulfil our obligations in the license agreement for the provision of the iMedPatient Services to you. This personal data will be deleted based on the terms of the contract.

 

5.2 Customers Users Data

For the Customers’ Users who register to use the iMedPatient Mobile App, we process the personal data on behalf of the Customer in the capacity of a data processor. The data includes name, gender, date of birth, postal address and mobile number.

This data is used as outlined below:

1. Set up a Customers’ User account
2. Provide, operate and maintain the iMedPatient Services
3. Process and complete transactions, and send related information, including transaction confirmations.
4. Investigate and prevent fraudulent activities, unauthorised access to the iMedPatient Services, and other illegal activities;

 

5.3 Who do we share personal information with for these purposes?

 

5.3.1 Customers Data

 

iMedPatient Service : Customer Account Data,
Service Provider: Amazon Web Services
Hosting: AWS (AWS EU-WEST-2)

Purpose: Cloud hosting of iMedPatient platform. In order to perform the Services, Customer Account Data is processed by our hosted provider Amazon Web Services (AWS). The data is encrypted using AES-256 technology.

Analytic Data: Customer Account Data
Service Provider: Clanwilliam Health
Hosting: AWS (AWS EU-WEST-2)

Purpose: We analyse Customer Account Data from your interactions with the Services (such as the functions of the Services that you use, error messages you receive, and the availability of the service throughout the day). This information is used to gain understanding of our customers’ use and adoption of the iMedPatient Services and allows us to improve the iMedPatient Service.

Video Conferencing: Video data
Service Provider: Vonage Business Inc.
Hosting: Peer-to-Peer

Purpose: Video conferencing software is provided by Vonage, to facilitate the consultation between the patient and the medical professional and enable the video consultations. The video consultations are not recorded by Clanwilliam Health or the service provider Vonage. Media is encrypted end-to-end (E2E) using WebRTC security protocols.

 

5.3.2 Customers’ Users Data

iMedPatient Service : Customers’ Users Account Data,
Service Provider: Amazon Web Services
Hosting: AWS (AWS EU-WEST-2)

Purpose: Cloud hosting of iMedPatient platform

In order to perform the Services, Customers’ Users Account Data is processed by our hosted provider Amazon Web Services (AWS). The data is encrypted using AES-256 technology.

 

iMedPatient Service : Customers’ Users Account Data,
Service Provider: Twilio Ireland Limited
Hosting: AWS (US-EAST, US-WEST)

Purpose: Email notifications (registration and notification confirmations)

In order to perform the Services, Customers’ Users Account Data is processed byTwilio for the purpose of account registration and appointment confirmations. No communications are retained once sent. The data is encrypted using AES-256 technology.

 

Video Conferencing: Video data
Service Provider: Vonage Business Inc
Hosting: Peer-to-Peer

Purpose: Video conferencing software is provided by Vonage Business Inc, to facilitate the consultation between the patient and the medical professional and enable the video consultations. The video consultations are not recorded by Clanwilliam Health or the service provider Vonage Business Inc. Media is encrypted end-to-end (E2E) using WebRTC security protocols.

 

6. Third Party Links and Services

The iMedPatient/iMedDoc PP Services may contain links to third party websites and services. Only cookies which are necessary for the functioning of the iMedPatient platform/application are deployed by default. All other cookies, including third party require your explicit consent (Opt-in) before being applied.

Please refer to our Cookie Policy, which is available here for further information

 iMedPatient Cookie Policy

Please remember that when you use a link to go from our iMedPatient Services to a third party website or you request a service from a third party, this Privacy Statement no longer applies. Your browsing and interaction on any third party website, or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies.

We do not monitor, control, or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices.

This Privacy Statement applies solely to personal information collected by Clanwilliam Health through our iMedPatient Services and does not apply to third party websites and third party service providers.

For a list of associated Third Party Services please CLICK HERE

7. How long do we keep personal information for?

7.1 Customers Data

 

Clanwilliam Health will retain Customer Data based on performance of contract, legal obligations and legitimate interests. This is to comply with the Data Protection Laws and fulfil our obligations in the licence agreement for the provision of the Services to the Customer. The personal data will be deleted based on the terms of that licence agreement.

When assessing what retention period is appropriate for your personal data, the following have been taken into consideration:

1. The requirements of our business and the services provided
2. Any statutory or legal obligations under the Data Protection Laws
3. The purposes determined by our customers (healthcare professional(s)) for which the personal data was originally collected

 

7.2 Customers’ Users Data

 

Clanwilliam Health does not retain Customers’ Users Data. Any retention policies for this data would be the responsibility and defined by the Data Controller (healthcare professional).

 

8. Transfer of personal data

We process personal data obtained for the provision of the iMedPatient application within United Kingdom through the use of Amazon Web Services data centres located in United Kingdom (AWS EU-WEST-2) and United States (AWS US-EAST).

9. Confidentiality and security of personal data

Clanwilliam Health is committed to complying with our obligations under the Data Protection Laws and ensuring the personal information which you provide is protected. Therefore, we have implemented a full suite of technical and organisation measures that seek to prevent unauthorised access, alteration, deletion or disclosure of your personal data. Obligations in maintaining confidentiality are outlined in the service agreement with the Customer.

All employees, data processors and sub-processors (i.e. those who process personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of the personal information of all users of the Services and we only store personal information in secure compliant data centres. Personal data is protected by a variety of technical controls and safeguards to ensure security and privacy including AES 256 encryption at rest and in transit.

A suite of technical and organisational measures have been implemented, for more information please refer to the Data Processing Agreement that is in place with Customers for full details on the technical and organisation measures.

10. Tracking technologies

Customers and Customers Users can only use the iMedPatient mobile app and iMedPatient web services with a valid login. We use analytics tools to monitor Customers behaviour in the iMedPatient mobile app and iMedPatient web services. This is as described for ‘Analytic Data’ above:

We analyse Customers interactions with the iMedPatient Services (such as the functions of the iMedPatient Services which the customer uses, error messages received, and the availability of the service to the Customers). This information is used to gain an understanding of our Customers’ use and adoption of the Services and aids Clanwilliam Health in improving the iMedPatient Services.

Cookies are in use. Please refer to our Cookie Policy, which is available here for further information

 iMedPatient Cookie Policy

11. Data Subject rights

Under Data Protection Law, you (Customers) are granted certain rights.

Subject to certain restrictions, which are set out below, you can exercise these rights in relation to your personal data that is processed by the Clanwilliam Health

For Customers’ users of the iMedPatient mobile app and iMedPatient web services, you are entitled to exercise your rights by contacting your Health Professional.

The data subject rights are:

1. The right to be informed about the processing of your personal data;
2. The right to access your personal data;
3. The right to rectification of your personal data;
4. The right to erasure of your personal data;
5. The right to data portability;
6. The right to object to processing of your personal data;
7. The right to restrict processing of your personal data;
8. Rights in relation to automated decision making, including profiling.

 

11.1 Restriction of data subject rights in certain circumstances

 

Article 23 of the GDPR allows for data subject rights to be restricted in certain circumstances. In addition, the 2018 Act contains certain provisions dealing with the restriction of rights of data subjects, in particular Sections 59, 60 and 61, which give further effect to the provisions of Article 23.  General guidance in relation to the application of Article 23 and the related provisions of the Data Protection Act 2018 is available here.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/the-rights-of-individuals/

For Customers’ Users of the iMedPatient mobile app and iMedPatient web services, you are entitled to exercise your rights by contacting your Health Professional.

If you would like to access, review, update, rectify, and delete any Personal Data that Clanwilliam Health holds about you, or exercise any other data subject right available to you under the Data Protection Laws, contact our data protection representative via GDPR@clanwilliamhealth.com.

12. Changes to this Privacy Statement

We may make changes to this Privacy Statement from time to time. To ensure that you are always aware of how we use the Account Data and Video Data, we will update this Privacy Statement to reflect any changes to our use of Personal Data. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We will notify you, your partnership, practice or your organisation by e-mail of any significant changes. However, we encourage you to review this Privacy Statement periodically to be informed of how we use Personal Data.

13. How to contact us

If you have any questions about this Privacy Statement, please contact us by phone or email at GDPR@clanwilliamhealth.com 

Tel: +353 (1) 463 3000

You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the United Kingdom supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone – 0303 123 1113

Website https://ico.org.uk