Last Revision Date: September 2020
Purpose: This Privacy Notice describes our privacy practices to help you understand what personal data we collect, use, share and transfer and to inform you about the choices you can make regarding your personal data.
Table of contents
- Who we are (identity of the data controller)
- What do we mean when we say ‘personal’ and ‘sensitive’ data and processing?
- How do we collect personal data?
- How do we use personal data?
- Legal basis for data processing
- National Data Opt-out
- Collection and processing of personal data in relation to the Juno service for customers, users, and patients
- Information for healthcare professionals working with the Juno Service (collection, processing, and security)
- Where do we store and process your personal data?
- Sharing of information
- Security measures and storage of personal data
- Device. Usage Data, Cookies, Tracking and Beacons
- Log Data
- Disclosure of your Personal Data to third parties
- How long we retain your Personal Data
- Touch ID/Fingerprint/Facial recognition
- Data subject rights
- How to exercise your rights
- Questions and Complaints
- Changes to this privacy notice
As a responsible healthcare provider, Forward Clinical Ltd trading as Juno value the trust you place in us when you share your personal and sensitive data. We are committed to protecting the privacy of everyone who uses our services: as patients and parents or as employees and contracted clinicians; and that of anyone who supports our work through our supplier network.
It is our promise to you that we will be open and honest about how we use the information you have entrusted us with and how we recognise the importance of treating your data with care.
This policy explains who we are, what personal and sensitive personal data we process, how and why we collect it, and who we share it with and why we do so. We will also explain the steps we take to keep your information safe and secure.
Juno, as both a data controller and processor, are mandated by data protection legislation to process your personal and/or sensitive personal data safely and securely. We take our duty to be transparent seriously, particularly around the way we use your information and are committed to ensuring that we do so in a manner that is both lawful and respects your privacy.
2. Who we are (identity of the data controller)
For the purposes of this privacy notice, Forward Clinical Ltd (“us”, “we”, or “our”, “Juno”) is the data controller and operates the Juno mobile application (the “Service”) and the website https://hellojuno.co.uk/
Our registered office address is: 300 St John Street, London EC1V 4PA.
Our company number is: 10420044
Our ICO registration is: ZA237861
3. What do we mean when we say ‘personal’ and ‘sensitive’ data and processing?
By personal data we mean any information that might allow you to be identified, such as your name, email address, address, date of birth, credit card details, NHS number, I.P. computer address, photo or video image or voice recording. For patients, some of this data may be sensitive and relate to their health and wellbeing, for example, ethnicity and religious views.
Processing means any function that is performed with or on data, i.e. the collection of, the manipulation of, the use of, the sharing of and the storage/archiving of information that has been shared with us or collected on the behalf of Juno.
4. How do we collect personal data?
We may collect personal data about you when you complete a form on our website or make an enquiry via our Live Chat service. If you are referred to one of our clinical services, we will collect data from you and may also receive it from other healthcare providers.
We will never acquire your contact details from private organisations, nor will we sell your personal data. We may on occasion work with carefully selected organisations for the purpose of conducting market research activities, to gain a better understanding of our customer demographics and to update your contact details such as your address.
If you use our clinical services we will need to collect all the personal data we’ve outlined already, plus sensitive or ‘special category’ information that relates to your physical and/or mental health and any other information deemed as relevant such as your religious beliefs or sexual orientation. This data goes on to form your healthcare record, together with additional information such as the personal details of your family and your children.
We may also need to contact your previous health or social care providers for additional background information which may include not only your GP but hospital Trusts and other community care providers, but only with your explicit consent.
From time to time, care staff may be asked to take clinical photographs of your body for medical purposes, such as in the case of a rash. Such photographs would form part of your medical record and would not be made publicly available (without your explicit consent).
Using our website
When you visit our website our servers record data about your internet browser, I.P. computer address (which is the unique numerical address given to every computer connected to the internet), the time and duration of your visit and which pages you looked at.
We also collect information about how our website is used and track which pages users visit when they follow links in Juno emails.
Like many other websites, the https://hellojuno.co.uk/ website uses ‘cookies’ which are small files stored on your computer that allow websites to recognise you when you visit the next time. They store data about your browsing history but do not identify you as an individual. We use this information to monitor and improve our website, services and activities which helps us to deliver a better more personalised service.
You can switch off cookies in your browser preferences but doing so may result in a loss of functionality when using our website.
By using our website and services you agree to be bound by the terms of this statement.
Links to other websites
The https://hellojuno.co.uk/ website may include links to other sites, not owned or managed by us. We cannot be held responsible for the privacy of information collected by websites not owned and managed by Forward Clinical Ltd.
5. How do we use personal data?
The way we use your data largely depends upon why we have collected it in the first place. We only collect information about you that:
- Enables us to record your purchases so that we can invoice you and retain the information required by HMRC.
- Helps us to keep in touch with you so we can let you know about our products, services and updates.
- Helps us to answer your questions, queries and follow up feedback should you decide to leave us.
- We process your personal data in accordance with the law, as stated, where you have either given us prior consent or we believe we have a legitimate reason for doing so. By giving us consent to process your personal data, you will have opted in to share specific details with us and to receiving communications. From time to time, we will then send you information about our services and we will always provide a clear and easy mechanism to opt out.
- When you use our secure online payment pages you will be directed to a specialist supplier company, who will receive your credit card number and contact information to process the transaction. We, however, do not retain your credit or debit card details.
- We may occasionally use research and profiling to help us to identify any potential customers, help us better understand our current customers and improve our services. Such information is compiled using the information you have provided and publicly available data. External sources could include Companies House, social media platforms and newspaper articles.
We always seek to ensure that any research or profiling is done in a way that does not unreasonably or unexpectedly intrude on an individual’s privacy. We also endeavour to make sure that in accordance with fair and lawful processing requirements under current legislation, individuals are made aware of the purposes for which we may collect and process their personal data at the earliest reasonable opportunity.
We respect your rights of privacy and are happy to provide further information about any ‘profile’ details that we may hold about you in accordance with your data subject access rights under current legislation.
In accordance with those rights, you may also at any time request that we update, correct or delete any ‘profile’ information that we may hold about you and/or no longer use it for direct marketing or purposes (EU GDPR Article 21(2)).
Employees, contracted clinicians, and job applicants
We collect personal data about our Employees, contracted clinicians, and job applicants for administrative purposes and to comply with employment and safeguarding legislation, such as referrals to the Disclosure and Barring Service (DBS).
When we collect personal sensitive data from patients/service users and their families and about their children we do so to provide care to them and protect their wellbeing. We also collect and store it for the purposes of audit, quality control, complaints, and incident reporting. We will not disclose your personal information to any third party without your consent, except in circumstances where we are required to by law or for the vital interests or safety of you or other person(s).
Except where your information is anonymised (where all personal data is redacted), we will not use your information for other purposes without your permission. Anonymised data is used to monitor and improve the quality of care received by patients/service users, to ensure that treatments and services meet the needs of the communities we serve and our clinical commissioners and for training and education purposes.
It’s important to note that health and social care information differs from direct marketing and profiling in that withdrawal of consent to process this type of data could result in Juno no longer being able to provide you with a health or care service.
Certain processing, such as how long we keep your healthcare data for, is mandated under different legislation which means we are duty bound to keep your healthcare records for a specified amount of time. Therefore, the withdrawal of your consent in these cases does not necessarily mean all processing activities will cease.
6. Legal basis for data processing
The lawful basis we rely upon for processing all this data varies depending upon the way it has been collected, and the purpose of the processing. We either process your data with your consent (unambiguous or explicit as outlined in Articles 4 & 6 of the EU 2016 General Data Protection Regulations (GDPR)) or when it is necessary for a legal obligation, a task carried out in the public interest, necessary for the vital interests of you or another person, necessary for legal proceedings or for preserving yours or someone’s legal rights, necessary for medical purposes or for our own legitimate interests or the interests of a third party with whom we might disclose data to, except where there is unwarranted prejudice to yours or others legitimate interests.
Patient data is considered to be a special category of data under the General Data Protection Regulation (EU) 2016/679 (GDPR) and is processed under section 6(1)(c) “necessary for compliance with a legal obligation to which the controller is subject” and 9(2)(h) “(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or member State law pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
We may also process patient data when it is ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ in accordance with GDPR 6(1)(e).
For all individuals, users, and non-user contacts we rely on separate, explicit consent for direct marketing. You may withdraw your consent for further processing, fully or for specific purposes at any time by emailing email@example.com
It is important to note that this may affect the services we are able to offer you, and we may need to continue to process data relating to your request to withdraw consent.
7. National Data Opt-out
Information about your health and care helps the NHS to improve your individual care, speed up diagnosis, plan your local services and research new treatments.
In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used. The NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments can use your confidential patient information for research and planning. You can choose whether your confidential patient information is used for research and planning.
Type 1 Opt-out: medical records held at your GP practice
You can tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a type 1 opt-out. This opt-out request can only be recorded by your GP. If you choose a Type 1 opt-out, you should ask your GP for a National Type 1 Data Opt-out Form.
Type 2 Opt-out: information held by NHS Digital
A Type 2 opt-out is an objection that prevents your personal confidential information from being shared outside of NHS Digital, that is used for research and planning.
Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information that is collected from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically converted to national data opt-outs.
You do not need to do anything if you are happy about how your confidential patient information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.
You can change your choice at any time. To find out more or to make your choice, visit https://nhs.uk and/or view the NHS Digital patient Leaflet.
Forward Clinical Ltd expects the clinicians that are contracted to Juno, whether solely or jointly with another organisation, to be responsible for ensuring that national data opt-outs are applied in line with the policy.
8. Collection and processing of personal data in relation to the Juno service for customers, users, and patients
While using our service, we may ask you to provide us with certain personal data that can be used to contact or identify you. This includes:
- Full name
- Email address
- NHS number
- Mailing address
- Telephone number
- Name and age of your child or children
Providing Juno with your personal data is an obligation of using the Service. This is because your personal data is required to confirm your identity as a user, to maintain accurate clinical records for you and to introduce you to the clinicians that will provide you with advice and care.
Whilst using the Service, personal data is generated relating to your professional and/or clinical advice and treatment. This includes user ID/time/date stamps relating to messages or files sent, tasks created and edited, patient profiles created and edited, photos taken. These are obtained by taking any action within the app and form part of the audit trail generated by the Service.
We may also collect information from individuals, users, and non-users, who contact us, via email, telephone, or web submission. This will include name, email address and in some cases telephone number, and details related to your place of work.
We may use your personal data for providing the Service, including to:
- Maintain and improve the Service
- Contact individuals for the purposes of preventing or addressing service, security, or technical issues
- To answer queries from users directly
- Maintain the service of the platform
Calling our helpline
When you call our main helpline (+44 (0) 3300 970 165), we collect Calling Line Identification (CLI) information. This is the phone number you are calling from (if it is not withheld). We hold a log of the phone number, date, time, and duration of the call, but do not audio record the call itself. We hold this information in our CRM system (HubSpot) in accordance with our data retention schedules.
We use this information to understand the demand for our services and to improve how we operate. We may also use the number to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line. We may also use it to check how many calls we have received from it.
We do not audio record any calls, but we might make notes to help us answer your query. Sometimes other staff from Juno may also listen in during your call for training or quality assurance purposes.
We sometimes conduct surveys on our helpline to help us identify trends in the enquiries we receive and improve how we operate. If you require a follow up call we will also ask you to provide us with your contact details.
We also hold statistical information about the calls we receive for several years, but this does not contain any personal data.
We use a third-party provider, Slack, to manage our social-media interactions. If you send us a private or direct message via social media, it will be stored according to our retention schedules. It will not be shared with any other organisations by Juno but will remain in the public domain on Twitter, Instagram, LinkedIn, Facebook etc.
We see all this information and decide how we manage it. For example, if you send a message via social media that needs a response from us, we may process it in our case management system (HubSpot) as an enquiry, a support request, or a complaint. When contacting Juno through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.
We use a third-party provider, Intercom, to supply and support our live chat service.
If you use our live chat service, we will collect the contents of your live chat session and, if you choose to provide it, your name and email address. Juno retains this data in HubSpot CRM according to the relevant retention schedules.
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law.
Purpose and lawful basis for processing
Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
9. Information for healthcare professionals working with the Juno Service (collection, processing, and security)
This section of the privacy notice explains how we handle your data and the data of the users and patients of the Juno service:
Healthcare professionals using the Juno Apps must ensure that they are following the correct guidance which is provided as part of the onboarding process.
The healthcare organisation is the Data Controller (Forward Clinical Ltd) who have developed the Juno Apps. Patients are the Data Subjects.
We have NHS Data Security and Protection Toolkit assurance to the ‘standard exceeded level’ (under NHS ODS code 8JP98). We always follow the principles of secure development and ‘privacy by design’.
The Juno service is fully secure and compliant with GDPR and DCB0129. The messages and images are only visible to participants in the session and transmitted over an encrypted connection.
Our Juno servers are hosted in the London Amazon Web Data Centre (AWS). We follow best practice guidance from NHS Digital, the UK National Cyber Security Centre (NCSC) and AWS. All data sent is encrypted when in transit (when it is sent) and at rest.
Cyber Essentials is a scheme run by the UK government and the National Centre for Cyber Security to provide an external reassurance that you can trust us to manage your data safely and securely. We maintain the Cyber Essentials and Cyber Essentials Plus certification and are retested on an annual basis. We also undergo regular penetration testing.
To facilitate communication with our users/customers/patients we process patient data and healthcare staff data on our secure servers. The patient data typically includes name, identifiers, contact details, demographic data, message content (including documents and images and patient replies to messages) and other application-use related data. We only process this data when you send a communication to patients.
We also process healthcare staff data who are users of Juno and employed by us to work on Juno shifts. This typically includes role, organisation, contact details, identifiers including gender and date-of-birth, messages, metadata, signatures, login, and other application-use related data. We will also store documents that prove your identity, qualifications etc. when you are engaged as a Juno worker.
The GDPR, enacted by the UK Data Protection Act 2018, allows six different legal bases for processing data, of which consent is one. The Information Governance Alliance advises healthcare organisations to process patient data for the delivery or administration of care under the following legal bases:
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
The ICO has warned against the use of consent as a legal basis for the processing of patient data by public authorities and healthcare providers.
If you have any other questions about the GDPR and how it affects the Juno service (or your use of it), please get in touch.
10. Where do we store and process your personal data?
The personal data that we collect from you is stored in the European Union on (Europe) Cloud Servers of Amazon Web Services with all primary processing taking place in London, UK. This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement if the additional requirements of Art. 44 et seq. GDPR for processing in third countries are compliant with an appropriate level of protection in the third country and appropriate guarantees under Art. 46 GDPR (such as standard data protection clauses, or exceptional circumstances under Art. 49 GDPR). A full list of our third-party sub-processors and details of their privacy policies can be found below.
Where we process data on behalf of any UK NHS service, we ensure that data will always be stored and processed on the Cloud Servers of Amazon Web Services within the London Cluster and will not leave the EEA.
Sensitive information between your browser and our Website is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.
Please contact our Data Protection Officer if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA – firstname.lastname@example.org
Processors and sub-processors
- Amazon Web Services, Inc. https://aws.amazon.com/privacy/
Customer feedback, engagement and analytics
- Amazon Web Services, Inc. https://aws.amazon.com/privacy/
- Google Firebase https://firebase.google.com/support/privacy
- MailChimp https://mailchimp.com/legal/privacy/
- MixPanel https://mixpanel.com/legal/privacy-policy/
- Wootric https://www.wootric.com/company/privacy/
- Slack https://slack.com/intl/en-gb/privacy-policy
- HubSpot https://legal.hubspot.com/privacy-policy
- Intercom https://www.intercom.com/legal/privacy
- Patchwork Health https://www.patchwork.health/privacy
11. Sharing of information
We do not share your information with anyone outside Juno without your express permission to do so.
Under no circumstances will your information be sold or passed on to third parties for the purposes of marketing, sales, or other commercial uses without your prior express consent.
We may disclose information to third parties where it is necessary, such as where there is an overriding legal obligation, where permitted under Data Protection Legislation or for the purposes of the prevention and/or detection of fraud or crime.
12. Security measures and storage of personal data
Where you communicate with us via our site, the nature of the Internet is such that we cannot guarantee or warrant the security of any information that you transmit as no data transmission over the internet can be guaranteed to be 100% secure. However, we will take all reasonable steps (including appropriate technical and organisational measures) to protect your Personal Data.
13. Device. Usage Data, Cookies, Tracking and Beacons
Our site uses “cookie” technology to enhance your user experience. A cookie is a small piece of text stored by your browser on your computer, at the request of our server.
We use common information-gathering tools, such as tools for collecting usage data, cookies, web beacons and similar technologies to automatically collect information that may contain Personal Data from your computer or mobile device as you navigate our websites, our services or interact with emails we have sent to you.
As is true of most websites, we gather certain information automatically on connection with the use of the website by individual users. This information may include IP address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files viewed, searches, operating system and system configuration information and date/time stamps associated with your usage. This information is used to analyse overall trends, to help us provide and improve our websites and Apps and to guarantee their security and continued proper functioning.
In addition, we gather certain information automatically as part of your use of the cloud products and services. This information may include IP address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files viewed, searches and other actions you take, operating system and system configuration information and date/time stamps associated with your usage. This information is used to maintain the security of the services, to provide necessary functionality, as well as to improve performance of the services, to assess and improve customer and user experience of the services, to review compliance with applicable usage terms, to identify future opportunities for development of the services, to assess capacity requirements, to identify customer opportunities and for the security of Juno generally (in addition to the security of our products and services). Some of the device and usage data collected within the services, whether alone or in conjunction with other data, could be personally identifying to you. Please note that this device and usage data is primarily used for the purposes of identifying the uniqueness of each user logging on (as opposed to specific individuals), apart from where it is strictly required to identify an individual for security purposes or as required as part of our provision of the services to our customers (where we act as a Processor).
Cookies, web beacons and other tracking technologies on our website and in email communications
When you visit our websites, we or an authorised third party may place a cookie on your browser and/or device, which collects information, including Personal Data, about your online activities over time and across different sites. Cookies allow us to track usage, determine your browsing preferences and improve and customise your browsing experience.
We also use web beacons on our websites and in email communications. For example, we may place web beacons in marketing emails that notify us when you click on a link in the email that directs you to one of our websites. Such technologies are used to operate and improve our websites and email communications. All our communications include easy instructions about how to unsubscribe or you can email our Data Protection Officer and invoke your right to be forgotten.
The following describes how we use different categories of cookies and similar technologies and your options for managing the data collection settings of these technologies:
Type of Cookies: Required Cookies
Description: Required cookies are necessary for basic website functionality. Some examples include session cookies needed to transmit the website, authentication cookies, and security cookies.
If you have chosen to identify yourself to us, we may place on your browser a cookie that allows us to uniquely identify you when you are logged into the websites and to process your online transactions and requests.
Manage Settings: Because required cookies are essential to operate the websites and the Juno desktop web App, there is no option to opt out of these cookies.
Type of Cookies: Functional Cookies
Description: Functional cookies enhance functions, performance, and services on the website. Some examples include cookies used to analyse site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Functional cookies may also be used to improve how our websites function and to help us provide you with more relevant communications, including marketing communications. These cookies collect information about how our websites are used, including which pages are viewed most often.
We may use our own technology or third-party technology to track and analyse usage information to provide enhanced interactions and more relevant communications, and to track the performance of our advertisements.
For example, we use Google Analytics (“Google Analytics”), a web analytics service provided by Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can learn about Google’s privacy practices by going to www.google.com/policies/privacy/partners/.
Juno may also utilise HTML5 local storage or Flash cookies for the above-mentioned purposes. These technologies differ from browser cookies in the amount and type of data they store, and how they store it.
Manage Settings: You can choose to opt out of functional cookies. To change your cookie settings and preferences, click the Cookie Preferences link.
To opt out from data collection by Google Analytics, you can download and install a browser add-on, which is available here.
To learn how to control functional cookies via your individual browser settings, click here.
To learn how to manage privacy and storage settings for Flash cookies, click here.
Type of Cookies: Targeting or Advertising cookies
Description: Targeting or advertising cookies track activity across websites in order to understand a viewer’s interests, and to direct specific marketing to them. Some examples include: cookies used for re-marketing, or interest-based advertising.
14. Log Data
When you access the Service by or through a mobile device (such as a smartphone or a tablet), we may collect certain data automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile internet browser you use and other statistics (“Log Data”).
15. Disclosure of your Personal Data to third parties
We disclose your Personal Data to various recipients to improve our Service, including:
- to third parties who we engage to provide services to us, such as outsourced service providers, IT service providers;
- to comply with any applicable law or regulation, a summons, search warrant, court regulatory order, or another statutory requirement.
For direct and continuity of care purposes, we may ask if we can share some of your healthcare data with other healthcare providers in line with best practices.
We may sometimes also be legally required to share it with local authorities and regulators such as the Care Quality Commission.
16. How long we retain your Personal Data
We will not retain your Personal Data for longer than is necessary under the principle of data minimisation. User account details are stored for the duration of you maintaining an account. We will only retain your personal data for as long as it is required to fulfil the original purpose for which it was collected, including the purposes of satisfying any legal, accounting, or reporting requirements.
If you ask us to delete your data, then we may not be able to provide you with all of the services offered from this website.
17. Touch ID/Fingerprint/Facial recognition
Users may choose to use Fingerprint/Facial recognition/Touch ID as part of the Service. This data is not collected, stored, or processed in any manner by Juno. We advise that users should review the privacy notice relating to their device and its operating system before setting up any fingerprint or facial recognition systems.
18. Data subject rights
Under the General Data Protection Regulation (GDPR), data subjects whose data is processed by Juno are entitled to exercise certain rights against their personal data. These rights are designed to put Data Subjects in the driving seat when it comes to how their personal data is handled by organisations.
The right to be informed
Juno is obliged to ensure that any communications regarding our data processing activities between ourselves and any Data Subjects are provided in a clear and transparent manner. This is provided by this Privacy Notice.
The right of access
You are entitled to request a copy of all the personal data currently held about you as well as the following information about your data:
1. The purpose of processing;
2. The categories of personal data concerned;
3. The recipients to whom the personal data has been disclosed;
4. The retention/envisioned retention period for that personal data;
5. The source of the personal data if it has been collected from a third-party.
Access to health records requests
Current data protection legislation grants individuals the right of access to their personal data, which includes information held in health and social care records.
You can request access to your healthcare records by contacting our Data Protection Officer at email@example.com.
Access requests are formally known as Subject Access Requests (or SARs for short). Juno’s SARs are processed in accordance with the EU General Data Protection Regulations 2016 and the Information Commissioner’s Office (ICO) ‘Subject Access Request Code of Practice’. Juno are passionate about respecting your data protection access rights, but they can be a little complex. So, we have listed a few questions you might have about this process and your rights which we hope you will find both informative and helpful.
1. What records can I see?
A health record is one which relates to the physical or mental health of an individual which has been made by or on behalf of a health professional in connection with the care of that individual.
2. Will there be a charge?
Current legislation states that copy information will be free of charge. However, a ‘reasonable fee’ may be charged when a request is considered either ‘manifestly unfounded or excessive’, particularly if it is repetitive. Note: Current advice states that ‘excessive’ is currently anything that takes more than 18 hours to complete which Juno Care will apply whilst waiting for further guidance. In addition, a ‘reasonable fee’ may be charged to comply with repeat requests (i.e. copies of the same information already supplied to the requester). The reasonable fee will only be based on the administrative cost of providing the information.
3. How do I apply for access to my records?
Applications should be made in writing which is why we ask you to contact firstname.lastname@example.org to ensure that we can address any questions we require to deal with your request as efficiently and effectively as possible.
4. Who has the right of access?
- The patient/service user.
- A person authorised in writing to apply on behalf of the patient/service user.
- The person that has parental responsibility for a child service user. The term “parental responsibility” means all the rights, duties, powers, responsibilities, and authority which by law a parent of a child has in relation to that child or their property. Proof of parental responsibility may be requested, such as birth certificate, court award, etc.
- Any person appointed by the Courts to manage the affairs of a patient/service user who is deemed to be incapable.
- Where a patient/service user has died, the patient’s personal/legal representative (usually the executor of the will, or person granted probate or administration), or any person having a claim arising from the death.
5. Do I need to provide identification documents?
Current legislation states that we have to take all ‘reasonable measures’ to ensure we’re sending the information to the right person. This is so we can protect you from somebody gaining unlawful access to your personal data, and you will need to provide appropriate ID (driving licence, birth certificate, passport or marriage certificate and something that confirms your home address such as a recent utility bill or council tax letter).
6. Can I be denied access?
There are sections within the current legislation which state that under certain conditions, access can be refused. Instances of where this could apply are:
- Where inappropriate or inadequate identification has been supplied.
- Where the patient has died, and it is recorded in the notes that they did not wish to grant access to anyone, including family, personal representative, or someone with a claim (as confidentiality continues after death).
- Where in the opinion of the record holder, the information may cause serious harm to the physical or mental health of the requester or another individual.
- Where information is provided by a third party, who would be identified from that information. This is where we would look to provide you with the information but with redactions.
7. Do I have the right to confidentiality?
Juno takes positive action to maintain the confidentiality of its patients’/service users’ personal information. All individuals have a right to confidentiality, even after death. Juno are obliged by law to be satisfied that an applicant is entitled to access the requested records which involves us at least checking your identity or the identity/powers of someone acting on your behalf.
8. How long does the process take?
Legislation states that information must be provided without delay and at the latest within one month of receipt of the request. However, this can be extended to a further two months where requests are complex or numerous. If this is the case, you will be informed within one month of the receipt of the request with an explanation as to why the extension has been applied.
9. What if I do not agree with what is written in the records?
Legislation covers your right to rectification of inaccurate personal data. However, this does not extend to the sensitive information that has been recorded by a healthcare professional in their capacity as a care giver. So, in other words, we can alter information such as your address or the name of your next of kin, but we cannot alter what a clinician has written about you during the treatment process. However, if you have a strong objection, we can file this in your records, so the reader is clear that you have raised an objection. But please note, the original information cannot and will not be removed or replaced.
We are legally required to provide you with a copy of your personal data within one month of receipt or advise you if we are unable to comply for any reason.
For further information see the Information Commissioner’s Office link on how to access your information – https://ico.org.uk/your-data-matters/your-right-of-access/
The right to rectification
If you believe the personal data we hold about you is either inaccurate or incomplete, you may exercise this right to correct or complete this data. This right can be used with ‘the right to restrict processing’ to ensure that any inaccurate or incomplete data is not processed until corrected.
The right to erasure (right to be forgotten)
You may request erasure of any personal data we hold on you without undue delay where one of the following grounds applies:
1. The personal data are no longer necessary in relation to the purposes they were collected or otherwise processed;
2. The data subject withdraws consent and no other legal ground for processing exists;
3. The data subject exercises the right to object and no overriding legitimate grounds for processing exist;
4. The personal data has been unlawfully processed;
5. The personal data has to be erased for compliance with an overriding legal obligation;
6. The personal data has been collected in relation to the offer of information society services.
The right to restrict processing
As an alternative to the right to erasure, you may ask us to cease processing your data, but not erase it entirely, where one of the following grounds applies:
1. The accuracy of the personal data is contested;
2. Processing of the personal data is unlawful;
3. Personal data is no longer needed for processing, but is still required as part of a legal process;
4. The right to object has been successfully exercised and processing is temporarily halted pending a decision on the status of the processing.
The right to data portability
You may request your personal data be transferred to another controller or processor in a commonly used, machine-readable format. This right can only be exercised when all of the following grounds apply:
1. The processing was on the basis of consent;
2. The processing is by automated means;
3. The processing is for the fulfilment of a contractual obligation.
The right to object
You may exercise the right to object in instances where:
1. Processing is based on either the performance of a public task or legitimate interest;
2. Processing is for direct marketing purposes;
3. Processing is for the purposes of scientific or historical research;
4. Processing involves automated decision-making, including profiling.
19. How to exercise your rights
You may request to exercise any of the above rights, free of charge, by contacting: dpo@helloJuno.co.uk
Any data subject request will be responded to within one month; however, we reserve the right to refuse or charge an administrative fee for the furthering of any of the above requests if they are done so in a frivolous, vexatious or excessive manner. We will inform you if an administrative charge is being applied before fulfilling your request, so you can decide whether or not to proceed. Typically, in order to further one of these requests, we will ask you to provide a form of identification for verification purposes.
20. Questions and Complaints
Should you wish to discuss a complaint, please contact email@example.com who will be happy to assist you.
Alternatively, if you are unsatisfied with the DPO’s response to your concern, under Article 77 of the GDPR you have the right to lodge a complaint directly with the Information Commissioner’s Office. Under Article 80, you may authorise certain third parties to make a complaint on your behalf (such as legal representation).
21. Changes to this privacy notice
We reserve the right to make changes to this Privacy Notice at any time without prior consultation. Any changes to this Privacy Notice will be posted on our site so that you are always aware of what Personal Data we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use Personal Data in a manner significantly different from that stated in this Privacy Notice, or otherwise disclosed to you at the time it was collected, we will notify you by email.