PRIVACY POLICY
Welcome to Melo, your trusted digital partner in helping make sense of complex patient behaviours.
We understand that you may have questions about the data we collect and how we use it, so we have put together the following policy content with details about our privacy practices.
Introduction
Decently Limited, with registered address at Manchester Tech Incubator, 103 Oxford Road, Manchester, M1 7ED in England, United Kingdom and company registration number 13604268 (the ‘Processor’).
Melo has been designed by Decently Ltd. to digitise the collection of data relating to patients who have experienced behavioural change after a neurological event. Personal data is processed to provide individual insights and an overview of a patient over time. This information will also be used to provide insights for multiple patients across wards to bring to light insights of behaviour within this setting. Melo aims to build an appropriate AI model that will provide insights and risk levels into potential future behavioural events.
This product will be used by Decently’s Customers, which are hospitals, NHS trusts and Private Care organisations.
For the Melo product, Decently Ltd. has access to personal data from data subjects for which the Customer is responsible as a Controller. For the purposes of this Privacy Policy and with regards to data processed through the Melo product, the Customer acts as the “Controller” and Decently Ltd. acts as the “Processor” as defined by the GDPR.
This privacy policy will set out the details of data processing in the context of Melo. Data will not be used for any other purpose than providing care.
For any questions regarding the legal context of the data processing, please contact The Information Commissioner’s Office (ICO).
Definitions
Personal data from the Data Subjects will be Processed by Processor’s customer (Controller) and Decently (Processor) and shared with Third Parties in the context of the following definitions:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Data subject’: An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
For the purposes of this Privacy Policy, the following laws are applicable:
For UK citizens or residents, the UK GDPR 2020 and the UK Data Protection Act 2018;
For European citizens or residents, the EU GDPR 2018; the EU e-privacy directive 2002 (soon to be replaced by the EU e-privacy regulation);
National Health Service and Community Care Act 1990
Health and Social Care (Community Health and Standards) Act 2003
NHS Act 2006
Health and Social Care Act 2012
Personal data, legal basis and purpose
Data subject: Private care group, Hospital / Trust staff members
Type: Email address
Legal basis: 6(1)(b) GDPR ‘Performance of a contract’
Purpose: Users of the Melo system will use their email address to identify themselves and perform administrative functions such as resetting their password.
Data subject: Patients
Type: Name
Legal basis: 9(2)(h) GDPR ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Purpose: To ensure that the correct records are being amended or added to when a patient is being assessed by a clinical expert.
Data subject: Patients
Type: Date of Birth
Legal basis: 9(2)(h) GDPR ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Purpose: Matching and linking data sets to ensure data quality.
Data subject: Patients
Type: NHS number
Legal basis: 9(2)(h) GDPR ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Purpose: Matching and linking data sets to ensure data quality.
Data subject: Patients
Type: Gender
Legal basis: 9(2)(h) GDPR ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Purpose: Identify patterns of challenging-to-manage behaviours and interventions provided.
Data subject: Patients
Type: Information related to health (physical or mental)
Legal basis: 9(2)(h) GDPR ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Purpose: Make more informed decisions which will affect patient care as well as staff wellbeing.
Third party services:
If a single sign-on service is connected with Melo, Decently may receive the username and email address of authorised users, along with additional information that the application has elected to make available to Decently to facilitate the integration for the purposes of single sign-on (SSO). Authorised users should check the privacy settings and notices in these Third-Party Services to understand what data may be disclosed to Decently. Through the use of single sign-on, Decently does not receive or store passwords for any of these Third-Party Services when connecting them to Decently services or products.
How we collect, store or otherwise process your data:
Personal Data from Patients will be entered manually by members of the direct care team and checked against the clinical record into the Melo application.
This personal data is hosted by Processor’s sub processor within the UK.
Members of the direct care team will use Melo and the personal data contained therein to provide better care to the data subjects and fellow patients.
Processor further processes staff personal information to administer an account and provide Melo to the user, including:
Creating and managing the account
To improve our Services
To ensure legal compliance
Information about minors
Decently may collect personal data from minors under the age of 16 only with parental consent. If you are a parent or guardian and believe that your child has provided us with their personal data without your consent, please contact us immediately. We will take appropriate steps to verify the child's age and, if necessary, delete their personal data.
Data storage
Data is stored on cloud servers within the United Kingdom.
Sharing data with third parties
Data is shared with third parties by Processor. Processor requires third parties to respect the security of data and to treat it in accordance with the law.
Name: Microsoft Azure
Purpose: Hosting
Used by: Processor to host personal data
Storage and protection of data
Your data is protected by Processor and its sub-processors pursuant to all legal requirements set by the relevant data processing laws. Processor has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements. Processor has signed processing agreements with its processors to ensure an adequate level of data protection. The following security measures are taken by Processor to protect your personal data in the course of the listed business processes:
Organisational security measures
Staff
Processor staff members are required to conduct themselves in a manner consistent with Processor’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. All staff members undergo appropriate background checks prior to hiring and sign a confidentiality agreement outlining their responsibility in protecting customer data. We continuously train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers.
Policies and procedures
We have information security related policies and procedures which we make available to our staff and require annual renewal. These include procedures on GDPR requests, incidents involving confidential data, and business continuity threats. We furthermore have all policies required under the GDPR, including this Privacy Policy as well as an art. 30 Registry of Processing. These policies are updated annually and all staff members are required to read and sign these.
Access controls
Processor maintains your data privacy by allowing only authorised individuals access to information when it is critical to complete tasks for you. Processor’s staff members will not process customer data without prior authorisation.
Data hosting
All personal data is hosted in data centres within the United Kingdom.
Data minimisation
Decently processes only the minimum data necessary to fulfil the purposes which Decently has set out to reach with its data processing.
Purpose limitation
Decently will update and amend this privacy policy if any changes in purposes warrant amending this policy. If data processing was based on consent, Decently will re-obtain consent in the event of changed purposes.
Technical security measures
All devices which are used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited. We carry out regular vulnerability scanning of our website and have engaged credentialed external auditors to verify the adequacy of our security and privacy measures.
Physical security
The data centres on which personal data is hosted are secured and monitored 24/7 and physical access to facilities is strictly limited to select staff.
Encryption
All data is encrypted at rest and in transit.
Your rights regarding information
Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of his personal data, as well as the right to object to the processing and the right to data portability. Where data is based on your consent, you have the right to, at any time, withdraw consent for the use of your personal data.
You have the right not to be subjected to automated decision making, including profiling, especially where this could have legal or otherwise significant effects. Decently does not carry out any automated decision making. You can exercise these rights by contacting us at the following email address: jb@decently.co.uk. Each request must be accompanied by a copy of a valid ID, on which you put your signature and state the address where we can contact you. Ensure that you write “Data Request” in the subject line of your email.
Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature. Depending on the complexity and the number of the requests this period may be extended to two months.
Data retention
At the end of the contract period, you can request deletion of personal data. All personal data will be deleted from the cloud servers, as per our agreed Exit Plan.
Applicable law
These conditions are governed by the laws of England and Wales. The court in the district where the collector has its place of business has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
Contact
Our Data Protection Officer is James Burch (jb@decently.co.uk).
For questions about this privacy policy, product information or information about the website itself, please contact: jb@decently.co.uk.