We understand that when you provide your personal data to us, we must look after it and we are committed to keeping your personal data safe and secure.
We respect the data protection laws in the UK and EU, and this Privacy Notice tells you about the personal data that we collect and use in our company, how it is collected, what allows us to do this (called the legal bases), how long we keep it, and your rights. This privacy notice applies to our software systems, our website, and the services that we provide.
The data protection laws are the EU General Data Protection Regulation and the UK General Data Protection Regulation (collectively referred to here as ‘GDPR’) and the UK Data Protection Act 2018 (‘DPA18’).
Who are we?
Medloop Ltd is a UK company (Company Registration No. 11380035). We provide a range of services and applications (‘apps’) for health care professionals, medical practitioners and patients. Under the data protection laws, Medloop is known as the ‘Controller’ of the personal data you provide to us. Where we are contracted by a GP or commissioning body to provide some services, we are known as ‘Data Processor’.
We have appointed a Data Protection Officer and their contact details are:
Data Protection Officer
9 Mandeville Place
Marylebone, London W1U 3AY
We are registered with the Information Commissioner’s Office (ICO) ZA499556 and on the NHS Data Security and Protection Toolkit with our organisation code 8K943. We are regulated by the Care Quality Commission (CQC).
What data do we need and why?
We collect personal data in different ways. This may be when you register on our website as a patient, or from the Cookies (small text files) downloaded onto the device you are using to access our website.
Your personal data is provided by you when you register as a patient or medical practitioner on our website to receive more information about our app and dashboard application.
As part of the registration process, we collect the data you provide in the registration form:
- email address;
- name of your medical or GP practice.
We need this to provide you with the information about our App and the Medloop dashboard by email. We will also inform you if one or more patients who you have identified as your patients are also registered with us. We will tell patients who have identified you as their medical practitioner when they register with us that you are registered as a medical practitioner with Medloop.
Where you use our app or dashboard, or you ask us to support communications with your patients, we will also collect data about the communications and the content of these. We will also collect a contact number for you.
We need this additional data to be able to provide the services you ask us to provide. These will be outlined in the contract and Data Processing Agreement for the Medloop app, dashboard and services.
We may also contact you to tell you about other services or products we develop. This is marketing and you do have the right to withdraw consent to marketing from us at any time.
We collect your data as a patient in a few different ways.
When you register on our system or app as a patient, we will collect:
- email address
- name of medical practitioner you wish to be informed about
We need to know this personal data to provide you with information and to enable the app to work and be useful to you. We will email you to tell you if the medical practitioner that you have identified is already registered with us. We will also tell the medical practitioner that you have identified that a patient registered with us has named them, but we will not pass on your personal data to them.
When your medical practitioner or GP practice uses our system and app to communicate with you, they will provide us with your personal data. This will vary but as a minimum will include:
- NHS Number
- Date of Birth
- Mobile Phone number
- Other contact number (if applicable)
- Email address
We need this personal data to enable the communications from your medical practitioner or GP practice to be sent via SMS or email, using our system. The communications may be messages from your medical practitioner or GP practice, links to an appointment booking system, links to secure video consultations and where necessary communications including surveys.
We will also collect special types of information including health information when your medical practitioner uses our services to support your direct health care. On these occasions, your medical practitioner will give us explicit consent to use information from your health record held in other systems that they use. We may ask you to complete a patient survey form which helps us manage consultations with you.
We have Data Processor Agreements in place to ensure that these processes are clear, and we only undertake tasks that your medical practitioner asks us to do. For these tasks we are called a Data Processor.
To help us improve our app and tailor our services to the needs of our customers, we analyse app usage behaviour. Content data (e.g. health data) are not processed and only pseudonymised evaluations are created. No personal data will be passed on to other service providers for the evaluations. The data will not be used for advertising purposes.
Our website – cookies
We collect information every time you visit our website. Our systems automatically collect data from the device you are using, such as a PC, laptop, smartphone or tablet. This is generally collected by Cookies, which are small text files that are downloaded to your device. The information collected includes some personal data, such as the IP address of the devices being used.
We will not collect any personal data from you that we do not need in order to provide the information and services to you.
The legal or lawful bases
We have obligations and specific requirements for processing of personal data to enable us to provide services. These obligations form what are known as the lawful bases for the processing.
Where a medical practitioner or patient registers an interest with Medloop to receive more information the lawful basis that applies is:
- You have provided consent to the processing for the purpose or reason we have described (article 6(1)(a) of GDPR).
The specific lawful bases that apply to the processing of patient’s personal data are:
- We are required to perform a public task carried out in the public interest (article 6(1)(e) of GDPR);
- You have provided consent to the processing for the services such as when you provide responses to the patient survey (article 6(1)(a) of GDPR);
- The personal data is necessary for the performance of a contract directly with you to provide the specific service such as a consultation (article 6(1)(b) of GDPR);
- The processing is necessary for the purpose of preventative medicine, the provision of health care and the treatment or management of health care systems and services (article 9(2)(h) of GDPR);
- For vaccination programmes – The processing is necessary for public health and ensuring the high standards of quality and safety of health care (article 9(2)(i) of GDPR).
For medical practitioners who take out a contract with us, the lawful basis is:
- The data is necessary for the performance of a contract and to take the steps necessary to enter a contract with you (article 6(1)(b) of GDPR).
We do have a Legitimate Interest in collecting certain personal data to enable us to provide some services, enable our website to work and operate our business. This also applies to analysis of the app usage (article 6(1)(f) of GDPR), except where your rights override these legitimate interests.
How we store your data and security
All the personal data we process is being processed in the UK and EU. We are using secure electronic storage facilities located in the UK and EU to store this data for the purpose of providing the services to you.
Any transfers of your data take place using all available technical and secure services, such as encrypted emails or the NHS secure network (HSCN), which we have been approved to use.
In addition, Medloop has implemented a range of appropriate technical and organisational measures to ensure data protection and security.
How long we keep your data for
For any patient data, we keep this in line with the Records Management Code of Practice for Health and Social Care 2021. We delete personal data sooner if we are told that the conditions in GDPR that allowed us to keep it, no longer apply.
The purpose of our app is to keep your health data permanently available for you. Medloop stores your data for as long as you are using the app or are registered with us. If you or Medloop end the use, or you withdraw your consent, Medloop will delete your data immediately, unless we are obliged to keep it longer. To avoid an unintentional loss of your data, you have the possibility to retrieve the contents of your electronic health record in a common electronic format within 14 days. Until the data is deleted following your retrieval of it, processing of the data will be restricted (blocked).
Where you are a patient and you provide an image to our clinicians for the purpose of a consultation, this image will be held for up to 8 years to comply with NHS obligations.
Data that you have transferred to a medical practitioner or GP practice usually becomes part of the patient record kept about you and is processed by them. Ending your use of the Medloop app or withdrawing your consent does not affect the processing of personal data by your medical practitioners.
Contracts with medical practitioners or GP practices are kept for 6 years from the end date of the contract.
For HMRC (Tax) purposes and financial records, we are required to keep financial data for 6 years after the end of the current financial year, after which time it will be destroyed.
If you have consented to your information being used for marketing purposes, it will be kept until you inform us that you no longer wish to receive this marketing.
You can find out more about how long we keep your data in our retention schedule by contacting us at DPO@medloop.co.
Sharing your data
We do not allow third parties to have access to your personal data unless we are required to share your data with them by law or we are ordered to do so by a Court.
For Medical Practitioners:
We will share your details with your patients registered to use our system and app.
With your knowledge, we share your limited data with the medical practitioner you have named to enable us all to provide you with services or to meet our obligations.
If we have a technical problem, we may need to allow access to our systems by our technical support team who work within our confidentiality policies, and we restrict access to a ‘need to know’ basis to enable them to resolve the technical issues only.
We do not intend to transfer your personal data to third countries outside of the EU. If we do have to, for example, to obtain technical support, we will ensure that we have all appropriate security and safeguards in place as required by the data protection laws in the UK and EU, and in line with our obligations as a responsible Data Processor or Controller of your personal data.
If we are required to transfer your personal data to countries outside the EU, we will only do this if that country has an adequate level of protection for personal data, or for the US, we have appropriate International Data Transfer Agreements and Clauses in place as these provide similar protections.
Automated decision making
We make automated decisions on your data using an algorithm within our systems where we are provided support for direct care or health communications. You can ask for a person to be involved in the decision if you are not happy with the outcome and you should contact your medical practitioner or GP to discuss this further.
What are your rights?
You have a number of rights relating to the processing of your personal data.
- A right of access to your personal data held by us, also called a Subject Access Request.
- A right to rectify any personal data held by us that you believe is incorrect.
- A right to erase any personal data that we no longer have a legitimate purpose to process (right to be forgotten).
- A right to restrict the processing of your personal data, subject to certain conditions and obligations.
- A right of access to a machine-readable version of your data (data portability). There are conditions that apply to this right, but we will endeavour to give you a portable version of any of your data where possible.
- A right to object to us processing any of your data that we do not have a legal or contractual obligation to process.
- Rights linked to automated decisions or profiling involving your data.
You should contact us at DPO@medloop.co or write to us at our London address if you wish to exercise these rights.
Where you have provided personal data with consent, you can withdraw this consent at any time.
This may mean that we are unable to provide all services to you or your GP. We recommend speaking to your GP first.
If you wish to do this, please send an email to DPO@medloop.co with the subject “withdraw consent”.
You can ask to see the personal data that we hold about you (known as a Subject Access Request), or ask us to correct it or have it deleted. You should contact us at DPO@medloop.co or write to us at our London address if you wish to exercise these rights.
More information on your rights can be found on the Information Commissioner’s website at www.ico.org.uk.
If you wish to raise a complaint about how we have handled your personal data, we would like to try to resolve any complaint with you, and you can contact our Data Protection Officer, who will investigate the matter.
If you are not satisfied with our response or believe we are processing your personal data in a way that is not in accordance with the law you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone 0303 123 1113 (local rate) or by completing their online form at https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
Reviews of this Privacy Notice
This privacy notice will be reviewed annually, or when there are any changes to our processing or the data protection laws. It will be published on our website and we recommend that you check it periodically.