[These notices do not govern our collection or use of personal information through any means other than through engagement in digital tool/ product research studies. There are separate, different, more detailed Privacy Notices on our therapy sites relevant to the collection and use of personal data in connection with receiving our online cognitive behavioural therapy (CBT) services delivered by therapists. In addition, there is a separate, different, Privacy Notice on our main website (www.iesohealth.com) relevant to the collection and use of personal data when using our website.]
Research study: Evaluating engagement and acceptability of ieso’s 6-week digital programme for adults experiencing symptoms of anxiety
Approved by NHS West of Scotland Research Ethics Committee (REC).
Ieso Digital Health Limited is committed to protecting and respecting your personal data and privacy.
These Privacy Notices describe the privacy practices of the Ieso Digital Health group of companies (Ieso Digital Health Ltd, Ieso Digital Health (UK) Ltd and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”) and how we handle the personal data that we collect via participation in our user experience and study programmes. They reflect legal requirements and regulations. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers Z5383093 and ZA239229). If you require further information on anything below, please contact our Privacy team: firstname.lastname@example.org. Full details on how to contact us can be found below.
Here, we explain what personal data we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your personal data.
As part of ieso’s engagement and acceptability study, we will collect the following information directly from you, including:
To become a volunteer of this study, you will either:
1. Sign up to the study via the website after viewing one of our online adverts, in which case, we will collect additional information, including:
2. Have been invited to take part in this study having been referred by your NHS provider, or self-referred, to ieso for typed therapy, and having met the initial eligibility criteria for participation. If you are eligible and consent to take part in the study, some of your personal data will be collected from your ieso record.
You are under no obligation to provide any information. However, if you should choose to withhold requested information, we may not be able to include you in the research study.
NB – We recognise that participants may include personal data in responses within our digital tools/ products when not necessarily required, so we will treat all responses as personal data for data protection purposes.
After collecting your demographic information, we will use your postcode to obtain a socioeconomic index using publicly available look-up data.
As above, if you were referred to ieso from an NHS provider, some of your personal data will be collected from them via your ieso record.
Certain information is collected automatically from your use of this Service:
As the device uses the information you enter to make a conversational response, the digital tool will collect and categorize your comments to help better support you.
For example, if you tell the digital guide that you are worried about work, that may fit a category of ‘work concerns’ which the digital tool will use to learn how to respond to you in the future. This is known as ‘intent classification’ and ‘machine learning’.
New data that is collected through this process is known as ‘inferred data’ or ‘profiling’. This is not data you have provided to us directly; however, the digital tool has drawn conclusions from the content of your discussions.
You can ask for information from our Privacy team at email@example.com.
You always have the right to refuse to submit your personal data to us, but note that without this information, you will not be able to participate in this study.
We use your personal data to:
Online interviews may be recorded (audio or video), with your consent, as a record of fact to revisit when writing up findings.
We are passionate about learning from data by conducting high-quality scientific research, including the use of machine learning, natural language processing (NLP) and artificial intelligence (AI), to inform product development, and ultimately improve outcomes and help more people get treatment earlier. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible, including anonymisation where possible.
We use your Personal Data only as permitted by law, for the purposes for which we collected it. Under the UK General Data Protection Regulations, the processing is legally permitted under Article 6 (1) (f) legitimate interests. You may withdraw from the study up until database lock, which will be within 4-6 months of our recruitment start date. Where you consent to publishing quotes externally, this will be processed under Article 6 (1) (a) consent.
We will process special category data during your interactions with us under Article 9 (2) (j) - scientific research.
ieso works hard to ensure that only the right people have access to your personal data. We have internal procedures in place to safeguard your privacy, and anyone within ieso receiving information about you will be under an equal legal duty to keep it confidential.
Within ieso, your data collected during this research study will be available to researchers, data scientists, and clinically qualified advisers on a need-to-see basis, dependent on their specific role and as deidentified as possible. Your personally identifiable information is only accessible to the team managing the study, clinicians involved in your assessment and eligibility check, as well as our Patient Services team for administrative purposes. If you are invited and consent to be in our user experience sub-sample, our user researchers will also have access to your personally identifiable information.
Outside of ieso, if you were referred to ieso via an NHS service, we will update NHS Digital and your NHS Talking Therapies service provider with your questionnaire scores, and your local NHS Talking Therapies service with your clinical notes (see the Therapy Site privacy notice).
We share your personal data with Mayden House, provider of the iaptus patient management system (used by over 200 NHS customers and vetted by ieso), to store your research record and for the development and maintenance of this service.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation (including your GP, when applicable), or for any other reason than those set out in this policy without your knowledge or permission, unless we have an overriding legal duty to do so.
We seek, where possible, to prevent any transfers of your personal information to countries which do not have adequate data protection standards. However, it may sometimes be necessary for subsets of information to be stored in well-known SaaS (Software as a Service) providers; see the section below on “How we store your personal data”.
The UK Information Commissioner makes decisions on adequacy of the protection of personal data in other countries and we have selected providers located in countries that the Commissioner has approved or, where the provider is based in a country that hasn’t received adequacy, have used safeguards that mean the transfer is lawful and appropriate.
We place great importance on the security of personal information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under our control.
We use deidentified data for research where possible, and we limit access to your personal data to those who have a genuine reason to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We have been certified under the International Standard certification for Information Security (ISO 27001) since 2017, and maintain the Cyber Essentials Plus certification.
ieso’s headquarters are in the United Kingdom (UK), and your personal data is stored securely in the UK and managed by ieso. Until our change of patient management system is complete, the storage will be hosted by Microsoft Azure; after a successful integration and migration stage, your data will be stored in the iaptus patient management system which is hosted by Amazon Web Services (in the UK). We have a Data Processor Agreement with Mayden House who develop and own iaptus. As detailed in the Security section of this Privacy Notice, such information is stored in an encrypted state, both in transit and at rest.
We may also use a small number of well-known SaaS (Software as a Service) providers (for example, to host questionnaire responses) to store smaller subsets of your information and enable the uses of information described in these notices. If this is the case, we will have or put in place Data Processor Agreements with each. Where possible, these providers store the data in the UK or EEA. If these are located outside the UK/EEA, we ensure they are either party to an adequacy decision or have in place one of the additional safeguards necessary to make the transfer, such as Binding Corporate Rules or Standard Contractual Clauses (with additional technological and organisational controls as necessary or appropriate), to uphold your legal data protection rights.
Research records and data are kept for up to 20 years in accordance with NHSX Records Management Code of Practice and/ or best-practice recommendations for research, except for video and audio recordings of user feedback, which will only be retained for up to 4 weeks.
If you’re deemed ineligible for this study, we will delete your data within two weeks.
A list of those who have opted out of involvement in all user experience communications and research projects will be held perpetually to ensure no further contact.
Data protection legislation provides you with the following rights that ieso is committed to supporting you with:
Several of these rights are not absolute, however, and restrictions may apply with respect to research exemptions where exercising such right would prejudice the study. For example, your right to access and/ or to rectification may be restricted insofar that your data has been anonymised, isn’t linked to you, or has been erased. Your right to rectification, and other rights, may be restricted once the database has been locked. If you’d like further information or to exercise your rights, please contact our Privacy team.
For more detailed information on your rights visit https://ico.org.uk/for-the-public/
If you wish to withdraw your data, you are free to do so until database lock at the end of the study. This will be within 4-6 months of our recruitment start date.
Computers and mobile devices may automatically accept cookies, but you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of this study or future products and services provided by ieso.
Questions, comments and requests regarding these privacy notices or data protection should be addressed to our Privacy team at firstname.lastname@example.org.
We reserve the right to change these privacy notices from time to time. If the change affects the way we process your personal data, then we will notify you by reasonable means. By continuing to volunteer after this notification, you confirm your acceptance of this revised privacy notice.
These privacy notices are effective from July 25th, 2023.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during this relationship with ieso.