Privacy Notice
Who are we?
We are the University of Exeter and we are representatives of the REACH-HF programme and are responsible for delivery of this website which you are using as part of your care from your hospital and their care team.
Health and Care Innovations Limited (HCI) is the representative of the University of Exeter in the delivery of the REACH-HF programme and the body operating the Digital REACH-HF platform on behalf of the University of Exeter.
Under the UK General Data Protection Regulation (UK GDPR), Health and Care Innovations Limited is the data controller and responsible for your personal data. Health and Care Innovations Limited are required to register with the Information Commissioner’s Office and our registration number is ZA281329.
Our trading address: the Queens Drive, Exeter, EX4 4QJ
To contact us, please email reach-hf@exeter.ac.uk.
In this document the REACH-HF team (the University of Exeter and Health and Care Innovations Limited) may be referred to as “we”, “us”, or “our”.
About our Privacy Notice
This Privacy Notice has been produced to help you understand everything you need to know about the way we collect, use, and share personal data, what your legal rights are, and how to exercise them.
We regularly review and where necessary update this Privacy Notice. We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice on the website when we make any substantial changes.
We take our responsibility for protecting your data very seriously and we hope you’ll take some time to read this document; we’ve tried to keep it all as simple as possible and to avoid, or explain, jargon. If there’s anything here you don’t understand, or if you want to ask any questions, please feel free to contact us.
Why do we collect your personal data and what do we use it for?
We collect your personal data for the reasons described below. These are our ‘purposes’ for processing (using) your personal data. We ensure that our data processing activities are conducted in accordance with the requirements of the UK GDPR.
We only ever collect and store personal data required to provide our services to you.
What do we use REACH-HF for (our ‘purposes’)?
REACH-HF is used by care providers to help their patients manage their health and to benefit from treatment. This includes the sharing of information about your health with your healthcare professionals.
It is important to understand that where we provide this service, we provide it under a contract with your care provider under which your care provider becomes responsible in law for your personal data.
If you have any questions about how they use your personal data, you should refer to their privacy notice on their website. This will explain how they use your data and how you can exercise your rights in respect of your data.
What information do we share when you agree?
Name, date of birth, email, medical data (including details about your medications, your symptoms, your treatment, other health issues and any questionnaires or other information your care provider has asked you to record).
What is our lawful basis?
We have a contract in place with your healthcare provider which is compliant with Article 28 of the UK General Data Protection Regulation in order to provide this service to you.
What happens if I switch off sharing with my healthcare provider?
If you switch off your data sharing we will no longer share any more information with your healthcare provider but the data you have already provided to them will be available as it may form a part of your clinical record. You should contact your healthcare provider about what they use your personal data for.
Personal data we collect to run our websites, our business systems and to manage our customers and members of the public
What do we use our websites and systems for (our ‘purposes’)?
We capture data from our websites, our business systems and other public sources such as LinkedIn, Twitter and other public registers for the purposes of running our business, our websites, managing our financial accounting, and the account management of new and existing customers.
What data do we collect?
We may collect name, address, organisation, role, email and phone number.
What is our lawful basis?
Our lawful basis is the management of our business and our relationship with our customers, including managing business interactions and managing our website in order to run our business effectively and efficiently (Article 6(1)(f)).
Where we collect email addresses from the website and enter people onto our mailing lists or contact database, we rely on consent under Article 6(1)(a).
Other information you need to know about your rights in respect of your personal data
Your rights are enshrined in UK GDPR. If you want to exercise any of your rights that are listed below, please contact us using the details provided at the bottom of this section.
The Right of Access
This grants you the right to confirm whether or not your personal data is being processed, and to be provided with relevant details of what those processing operations are and what personal data of yours is being processed, including access to copies of the data.
The Right to Rectification
If you notice that the data we have about you is inaccurate or incomplete, you can request we rectify the mistake. We will make every effort to respond to requests of this type immediately.
The Right to Erasure
Otherwise known as the ‘right to be forgotten’; this gives you the right to request that your personal data is deleted.
The Right to Objection
You have the right to object to how we use your information.
The Right to Data Portability
This is a legal right afforded to you that states we must pass on all of the details you have provided to us in a machine-readable format, either to you or to another provider of your choosing.
This right is only available when it is technically feasible to do so and, as our platform is proprietary software, this is not currently an option.
Rights related to automated decision-making including profiling
No automated decision making is used in our products or services.
The Right to Complain
We will always try to maintain the highest standards and encourage the confidence our customers have in us as an organisation. In order that we can achieve this we do request that you raise any complaints with us so we can properly investigate matters.
If, however, you would like to complain about us to a supervisory authority, you may do so by contacting the Information Commissioner's Office on 0303 123 1113, or by any one of the other reporting methods listed on their website: https://ico.org.uk/concerns
How long will we keep your personal data?
We will keep your personal data only for as long as required to achieve the purposes for which it was collected, in line with this Privacy Notice.
The following criteria determine the period for which we will keep your personal data:
- We will consider the amount and sensitivity of the personal data we have, the amount of harm that could be caused by a data breach, the benefits of the purposes the data is being used for and any legal requirements that we are bound to,
- Until we are no longer required to do so to comply with regulatory requirements or financial obligations,
- Until we are no longer required to do so by any law we are subject to,
- Until all purposes for which the data was originally gathered have become irrelevant or obsolete,
- Until it has been requested that we no longer process the data and that it is erased; in some cases, where there is a remaining relevant or legal reason why we are required to keep this data, we may opt to restrict the amount of processing being conducted to what is absolutely necessary, rather than erase it.
When data is deleted at your request or in line with our retention policy, it will be securely destroyed in our backups and live systems in accordance with applicable laws and industry best standards.
Who do we share your information with?
The following table describes the organisations or organisation types we share your personal data with in order to be able to manage our business and deliver our services including the REACH-HF platform.
| Name | Role | Security | Location |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | AWS cloud data services | Your data is protected by HCI and AWS using best practice to meet current industry best standards such as FIPS 140-2 and FIPS 197. All data are encrypted both in transit and at rest. | UK datacenter |
| Google Workspace | Email, word processing, and non-personal data storage | Mandatory Multi Factor Authentication for all user accounts, minimum 16 character password changed annually | US and Europe |
| Sentry.io | Application monitoring | https://sentry.io/trust/privacy/ Sentry data is hosted on Google Cloud Platform, which encrypts all data at rest by default, in compliance with the Privacy Rule within HIPAA Title II. Sentry also exercises strong access control and technical and administrative safeguards in compliance with HIPAA’s Security Rule. | USA |
| Xero | Provision of our finance solution | Mandatory Multi Factor Authentication on all accounts. Encrypted at rest and in transit to industry standards | New Zealand and worldwide. For third countries Xero use EU Standard Contractual Clauses |
| Mailchimp | Provision of our marketing software | Mandatory Multi Factor Authentication on all accounts | USA |
| Google Analytics | Analytic data for our websites and platforms | Mandatory Multi Factor Authentication on all accounts | USA |
Please note, there is a UK International Data Transfer Agreement in place to protect personal data where the companies listed in the table above transfer personal data to countries outside the European Economic Area.
We may also share your data with:
- Other members of our group of companies, which includes any subsidiary, investing or holding company (each as defined by the Companies Act 2006) of the University of Exeter and Health and Care Innovations Limited,
- The founding organisations and funders of REACH-HF who are represented by the University of Exeter,
- In the event that we sell or reorganise our business, or if otherwise required by law or by an authorised regulator, we may transfer your personal data as a part of the general business data to the relevant parties.
Who is our Data Protection Officer?
Kaleidoscope Consultants Limited
East Side
Kings Cross
London
N1C 4AX
Email: dpo.hci-digital@kdpc.uk
https://kaleidoscopeconsultants.com
How you can contact us
If you wish to get in touch with us please use any of the following contact details.
The REACH-HF programme direct: reach-hf@exeter.ac.uk
As noted above, Health and Care Innovations Limited is the representative of the University of Exeter in the delivery of the REACH-HF programme and the body operating the Digital REACH-HF platform on behalf of the University of Exeter:
Health and Care Innovations Limited
Teignbridge Business Centre
Cavalier Road
Heathfield
Newton Abbot
TQ12 6TZ
Telephone: +44 (0)330 053 1862
Online: www.hci.digital/contact-us
Email: info@hci.digital