[These notices do not govern our collection or use of personal information through any means other than through engagement with the user experience team. There are separate, different, more detailed Privacy Notices on our therapy sites relevant to the collection and use of personal data in connection with receiving our online cognitive behavioural therapy (CBT) services, and further sets for employees, recruitment purposes and the therapist training site etc.]
ieso (”We”) are committed to protecting and respecting your personal data and privacy.
These Privacy Notices cover personal information processing of data collected via participation in our user experience program, and reflect legal requirements and regulations. Here we explain what personal information we collect about you, how it is used, shared, secured, stored, and how you can exercise relevant choices. For the purpose of data protection legislation, the data controller is Ieso Digital Health Ltd of The Jeffreys Building, Cowley Road, Cambridge, CB4 0DS, registered with the Information Commissioner (ZA239229). Under the General Data Protection Regulations, the different purposes of processing your data are legally permitted under Article 6 (1) (a) consent, and any special category data under Article 9 (2) (a) explicit consent.
Information we collect from you
As a result of consenting to being contacted in relation to our user experience program via the relevant question on the Patient Evaluation Questionnaire (PEQ) we will contact you with details of one or more specific user experience project. If you consent to involvement, we will collect your feedback and/or opinions on some or all of: parts of our current therapy site, proposed upgrades to it, your improvement suggestions, ease of use/ accessibility, experiences of living with mental health issues, experiences of using ieso and/ or other mental health products/ services digitally or otherwise accessed. (Your patient record is totally separate from this program and will not be accessed by user experience researchers)
Any wish to withdraw consent.
These are/ will be maintained alongside your name and contact data.
You are under no obligation to provide any information. However, if you should choose to withhold requested information, we may not be able to include you in the program.
Information we collect from other sources
Whenever user experience program participants are required, a query will be sent to the therapy site which will automatically extract personal data from patients who have recently consented to their inclusion in the PEQ. These personal details will be some or all of: name, email address, gender, postcode, age group, diagnosis, and severity (questionnaire scores).
To improve patient experience and interactions with our therapy service to improve recovery rates; and to develop new hypotheses for the research lab regarding other factors we could incorporate into our service that might improve engagement/ improvement/ recovery
Online interviews may be recorded (audio or video) as a record of fact to revisit when writing up the findings.
ieso works hard to ensure that only the right people have access to your personal data, we have internal procedures in place to safeguard your privacy and anyone within ieso receiving information about you will be under an equal legal duty to keep it confidential.
We will always seek your permission ahead of disclosing any information that identifies you directly to any other person or organisation or for any other reason than those set out in this policy without your knowledge or permission unless we have an overriding legal duty to do so.
Transferring data outside the UK:
We seek where possible to prevent any transfers of your personal information to countries which do not have adequate data protection standards.
The European Commission makes the decisions on the adequacy of the protection of personal data in third countries and have decided that personal data can flow safely between countries in the European Union, the European Economic Area (EEA), and 11 other territories without any further safeguards being necessary. (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en).
When the UK leaves the EU at the end of 2020 the UK will be considered a third country without an adequacy decision. This will not affect the transfer of data from the UK to the EU. For transfers from the EU to the UK we will rely on standard contractual clauses. Currently the UK is waiting for the European Data Protection Board (EDPB) to decide whether the UK can be added to list of territories that do not need further safeguarding. We will update our privacy policy once further guidance is available.
Transfers outside these areas are only made when the data is stored/ processed by the SaaS providers we use – see ‘How we store your personal data’ below.
We place great importance on the security of personal information. We have put controls in place to safeguard your personal information, applying physical, technical and procedural measures against unauthorised access, loss, misuse and alteration of personal information under our control.
We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We have achieved the International Standard certification for Information Security (ISO 27001) and maintain the Cyber Essentials Plus certification.
We use a small number of well known SaaS providers to store your information and we have Data Processor Agreements in place with each. These providers either store the data in the UK or EEA or have in place Binding Corporate Rules, EU-US Privacy Shield self certification, or EU Model Clauses to uphold your legal data protection rights.
Retention details:
Potential participant lists are extracted each time participants are required.
Personal data held for a user experience project will be retained for between 12 and 24 months. A list of those who have opted out of involvement in all user experience communications and projects will be held perpetually to ensure no further contact.
Our retention practices are reviewed at least annually in conjunction with industry standards and best practice.
Data protection law provides you with rights that ieso is committed to supporting you with:
Right to Access
You have the right to obtain:
confirmation that your information is being used, stored or shared by the company
a copy of information held about you
If you only require only a particular part of your record, tell us and this can reduce the time it takes to provide it
We will respond to your request within one month of receipt or will tell you when it might take longer.
We are required to validate your identity including the identity of someone making a request on your behalf
If you feel there is an error of fact within your personal details held by us, please contact us. If we agree the information is incorrect, the alteration will be made, but if we are not satisfied the information is factually incorrect, a note will be made of the information you consider is inaccurate, and you will be notified of either the correction or the note.
Data protection law also includes the right to make other requests to seek to erase, port, object to and restrict personal data processing where certain limited grounds apply.
For more detailed information on your rights visit https://ico.org.uk/for-the-public/.
If you need any assistance in these areas, please contact our Data Protection Officer (DPO).
Questions, comments and requests regarding these privacy notices or data protection should be addressed to our Data Protection Officer: Helen Simpson [h.simpson@iesohealth.com]
We reserve the right to change these privacy notices from time to time. If the change occurs whilst we are processing your personal data then we will notify you by reasonable means. By continuing to participate in the user experience program, you confirm your acceptance of the revised privacy policy.
These privacy notices became effective on 1 September 2020
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with the user experience team.