[These notices do not govern our collection or use of personal information through any means other than through engagement in digital tool/ product research studies. There are separate, different, more detailed Privacy Notices on our therapy sites relevant to the collection and use of personal data in connection with receiving our online cognitive behavioural therapy (CBT) services delivered by therapists. In addition, there is a separate, different, Privacy Notice on our main website (www.iesohealth.com) relevant to the collection and use of personal data when using our website.]
Ieso Digital Health Limited are committed to protecting and respecting your personal data and privacy.
These Privacy Notices describe the privacy practices of the Ieso Digital Health group of companies (Ieso Digital Health Ltd, Ieso Digital Health (UK) Ltd and Ieso Digital Health, Inc.) (collectively, “ieso”, “we”, “us”, or “our”), and how we handle your personal data that we collect via participation in our user experience programs and reflect legal requirements and regulations. We are data controllers of your personal data and are registered with the Information Commissioner (registration numbers Z5383093 and ZA239229). If you require further information on anything below, please contact our Data Protection Officer: firstname.lastname@example.org. Full details on how to contact us can be found below.
Here, we explain what personal data we collect, how it is used, shared, secured, stored, and how you can exercise choices and manage your personal data.
Information we collect
Information we collect from you
As a volunteer in one of our digital tool/ product research studies, we will collect:
You are under no obligation to provide any information. However, if you should choose to withhold requested information, we may not be able to include you in the research study.
To become a volunteer in one of our digital tool/ product research studies, you will either:
You will also have been deemed suitable for participation and given written informed consent to participate.
NB – We do not want to collect unnecessary personal data, so each study will contain a specific Participant Information Sheet explaining what is being studied. We recognise that participants may include personal data in responses within our digital tools/ products when not necessarily required, so we will treat all responses as personal data for data protection purposes.
Information we collect from other sources
Deprivation indices information is added to the demographic information obtained from you.
Where this isn’t collected directly from you, demographic information will be collected from another source (The Participant Information Sheet will have further information).
We use your personal data to:
We are passionate about learning from data by conducting high-quality scientific research, including the use of machine learning, natural language processing (NLP) and artificial intelligence (AI), to inform product development, and ultimately improve outcomes and help more people get treatment earlier. We have internal procedures in place to safeguard your privacy so that only the minimum necessary information is used to conduct the research on the most de-identified data possible, including anonymisation where possible.
Online interviews may be recorded (audio or video) as a record of fact to revisit when writing up findings.
Within ieso, your data collected during the digital tool/ product research study will be available to researchers, AI scientists, and clinically qualified advisers on a need to see basis, dependent on specific role and Study, in a deidentified state when possible.
ieso works hard to ensure that only the right people have access to your personal data. We have internal procedures in place to safeguard your privacy, and anyone within ieso receiving information about you will be under an equal legal duty to keep it confidential.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy without your knowledge or permission unless we have an overriding legal duty to do so.
Legal basis for processing your personal data
We use your Personal Data only as permitted by law, for the purposes for which we collected it. Under the UK General Data Protection Regulations, the processing is legally permitted under Article 6 (1) (a) consent. You may withdraw this consent at any time.
If you choose to provide any special category data during your interactions with us, this will be deemed explicit consent. We process special category data under Article 9 (2) (a) explicit consent, or 9 (2) (j) - scientific research - where the research has been approved by NHS ethics.
Transferring data outside the UK:
We seek where possible to prevent any transfers of your personal information to countries which do not have adequate data protection standards. However, this is sometimes necessary for subsets of information stored in well-known SaaS (Software as a Service) providers, see section below on “How we store your personal data”.
The European Commission makes decisions on the adequacy of the protection of personal data in third countries and has decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and other listed countries without any further safeguards being necessary.
Post UK departure from the EU, the UK has been granted adequacy by the EU, and the UK has accepted the European Commission’s adequacy decisions for the UK too, and also included Gibraltar.
If we transfer your Personal Data out of the EEA/ UK to a country not deemed by the relevant regulatory authority to provide an adequate level of personal information protection, the transfer will be performed (i) pursuant to the recipient’s compliance with standard contractual clauses or Binding Corporate Rules; (ii) pursuant to your consent; or (iii) as otherwise permitted by applicable data protection requirements.
We intend to make participation in the studies available to some individuals located in the United States of America. For US participants, please be aware that we are not a covered entity under the Health Insurance Portability and Accountability Act of 1996 and related laws and regulations (collectively, “HIPAA”), so HIPAA does not apply to any of the information you supply to us. We intend to comply with any applicable US state laws with respect to US participant data. We may process your information in the UK or EEA (or otherwise as provided in these privacy notices), but any such processing will be in accordance with these privacy notices.
We place great importance on the security of personal information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under our control.
We use deidentified data for research where possible, and we limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We have achieved the International Standard certification for Information Security (ISO 27001) and maintain the Cyber Essentials Plus certification.
We use a small number of well-known SaaS (Software as a Service) providers to store subsets of your information and enable the uses of information described in these notices. We have Data Processor Agreements in place with each. Where possible these providers store the data in the UK or EEA. Where they are located outside the UK / EEA we ensure they are either party to an adequacy decision or have in place one of the additional safeguards necessary to make the transfer such as Binding Corporate Rules or Standard Contractual Clauses (with additional technological and organisational controls as necessary or appropriate) to uphold your legal data protection rights.
Retention details: Research records and data are kept for up to 20 years in accordance with NHSX Records Management Code of Practice.
A list of those who have opted out of involvement in all user experience communications and research projects will be held perpetually to ensure no further contact.
Data protection legislation provides you with the following rights that ieso is committed to supporting you with:
Several of these rights are not absolute, however. There are some conditional exemptions to rights in regard to research and health data, for example.
For more detailed information on your rights visit https://ico.org.uk/for-the-public/.
If you need any assistance in these areas, please contact our Data Protection Officer.
Questions, comments and requests regarding these privacy notices or data protection should be addressed to our Data Protection Officer: Helen Simpson email@example.com
These privacy notices are effective from 21 March 2023.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during this relationship with ieso.