Privacy and Data Protection Policy
Medli Health is committed to protecting your personal information and being transparent about what information we hold. This policy is designed to give you a clear explanation about how we collect and use the personal information you provide to us and ensure that we are honest and clear about your privacy and personal information at all times.
Who are we?
In our policies, ‘we’, ‘us’ and ‘our’ refers to Medli Health Ltd, which is administered by Medli Health.
Medli Health is a wholly owned subsidiary of The Brain Tumour Charity.
Medli Health is registered as a Data Controller with the Information Commissioner’s Office under the reference ZB486969.
Your acceptance of this policy and our right to change it
By using our app, websites, and services or providing your information to us, we will collect and use your information in the way(s) set out in this policy. If you do not agree with this policy, please do not use our app, sites, or services.
We may make changes to this policy from time to time. If we do so, we will post the changes on this page and they will apply from the time we post them. If the purposes of our data collection change, we will contact you to let you know. This policy was last updated and published on 11/10/2022.
What is personal data?
Personal data is information that can be used to identify an individual, such as name, address, phone number or email address. Some categories of data are more sensitive and are referred to as special category data, including health information. Non-personal data is data that can’t identify you personally, but can provide us with information to improve our services.
This policy applies to our app, the websites we operate, our use of emails and any other methods we use for collecting information. It covers what we collect and why, what we do with your information, what we won’t do with your information and what rights you have.
The information we collect
We collect three kinds of information
- Non-personal information such as IP addresses (the location of the computer on the internet), web & app pages accessed and files downloaded. This helps us to understand how many people use our services, how many people visit on a regular basis and how popular/useful our services are. This information doesn’t tell us anything about who you are or where you live.
- Personal information. We will ask you for information in order to provide you with the services requested, for example we’ll ask for your name and date of birth when you sign up to the app.
- Sensitive personal information or special category data. Our app is designed to help you track your healthcare and treatment. As such any information you enter into the app about your demographics, condition(s), symptoms, fitness, medications and appointments is considered special category data. Medli Health also receives de-identified health record information of patients who have been diagnosed with a health condition from NHS Digital. This information consists of diagnosis and treatment codes, along with data on sex, ethnicity and a broad indicator of locality per patient. This de-identified information is pseudonymised, which means it is of a good enough standard to support statistical analysis while maintaining patient privacy. Medli Health cannot identify individuals from the pseudonymised data it receives but applies the same organisational and technical controls as it does to other personal and special category data it processes.
The information our app collects is used so that the app can function, and to share with researchers (both academic and commercial). We only collect and share the minimum amount of information required for these purposes.
We are committed to protecting the privacy of young people. If you are under 16 and would like to get involved, please ask a parent or guardian to sign up for an account on your behalf. We do not send any marketing communications directly to children under 16.
How we collect your information
We collect information about you in the following ways:
Information you give to us directly, for example when you:
- Visit our websites, we collect technical information such as the IP address you use to visit the website, your browser type and version and your browsing history.
- Sign up to use our app
- Use our app, we collect technical information such as IP address, operating system, device type, etc.
- Use our app to track your treatment and care
- Link your fitness account (e.g. Fitbit) we will automatically receive a copy of the more common fitness data points such as step count, sleep duration, etc.
- Apply to work with us
- Contact us or become involved with us in any other way not listed above.
Information from third parties
- We have a data sharing agreement in place to obtain healthcare information for statistical analysis purposes from NHS Digital, including:
- Hospital Episode Statistics (in/outpatient appointments, A&E records)
- Diagnostic imaging (no actual image data, but information on appointments and procedures carried out)
- Civil registration (records of deaths of patients within the other NHSD datasets)
- NCRAS (formerly maintained by PHE, national cancer statistics used to monitor trends and inform policy)
- If you’ve linked your fitness account (Fitbit, Apple Health, Google Fit, Garmin) to your app account, we will periodically obtain common fitness indicators from those organisations.
How we use your data
We will mainly use the information we collect about you to:
- Allow you to access and use our app
- Share with other app users in an aggregated, anonymous format such as graphs and charts, so that users can compare themselves to others
- Share with organisations and charities to which you have affiliated in-app in anonymous and pseudonymous formats, so that they can analyse their user community and use the information for their strategic goals
- Share your contact details with organisations and charities to which you have affiliated in-app
- Share with researchers, both academic and commercial, in a pseudonymous format for healthcare research
- Help us identify how the app can be improved in future
- Carry out any obligations arising from any contract entered into by you and us
- Process a job application
Keeping a record of your relationship with us
We record contact we have with you, so we have a clear understanding of our relationship. We may also collect and retain your information if you send us feedback about our services, give us a compliment or make a complaint.
Understanding how we can improve our services
We believe it’s important to make sure that all of our services are the very best they can be, which is why we evaluate them. Once you’ve used one of our services, we may get in touch to ask you about your experience. You don’t have to take part but it’s really valuable to help us improve in the future.
Safeguarding is everyone’s responsibility, and therefore we have a duty, wherever possible, to share any concerns that we have about conversations, emails, posts, messages or comments that indicate you or someone else might be at risk, with the relevant services. This includes reference to abuse or neglect.
Though we will always try to share our concerns with you, we reserve the right to share information with external agencies without checking first; especially if it is thought that by sharing our concerns this might put others at risk, or increase the risks identified.
Legal bases for processing
The law requires us to set out the lawful grounds on which we collect and process your personal information as described in this policy. Depending on the purposes for which we use your data, one or more of the grounds listed below may be relevant.
In certain instances, we collect and use your personal information by relying on the legitimate interest legal basis. In broad terms, our ‘legitimate interests’ means our interest in being able to run Medli Health effectively in pursuit of our aims and ideals. This includes:
- Setting up and allowing access to your app account
- Capturing the healthcare data you provide in the app via features like medications, symptom tracker, appointments
- Sharing the healthcare data you provide with approved researchers
- Sharing the healthcare data you provide with charities with whom you are affiliated
- Contacting you to let you know about changes to the app, future improvements or other information we feel is useful
- Allowing you to provide electronic consent or share your data with a clinical trial through the app
If we rely on the ‘legitimate interests’ basis to use your personal information, we will only use the information in accordance with the purposes described in this policy.
When we legitimately process your personal information in this way, we also consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example, where collection and use of your information would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
If you wish to withdraw your consent for us to process your data at any stage, we are more than happy to help. Please let us know using the ‘contact us’ area of the app.
Scientific or Historical Research Purposes or Statistical Purposes
The information we collect through our app is made available by application to researchers. Applications are reviewed by Medli Health’s Data Access Board (DAB), which ensures the purposes for which researchers wish to use the data are in line with our goals of improving healthcare, and the data requested is proportional and relevant to the research.
Researchers accessing our app’s data will enter into a data sharing agreement with us, that will set out the terms of what they can and cannot do with the data.
We will publish information about data access requests on our website.
We may need to collect, process and disclose personal information to comply with a legal obligation. For example, where we are ordered by a court or regulatory authority. We may also use personal information to cross check and prevent known malicious activities on Medli Health’s websites.
Performance of a contract
If, for example, you agree to work for us, we need to be able to process your information for the purpose of meeting our contractual obligations.
Communicating with you
Once you’ve signed up to our app, we may email you directly with information about the app and our other services. We do not ask for consent to write or call you about these things, because these activities are fundamental to how we work, so we have a legitimate interest to contact you. However, you have the option to opt-out of receiving marketing communications within the app.
Our mass email service allows us to track who has opened our emails and what links have been clicked on. This allows us to monitor what information is most useful to improve our content and information in future.
If you have indicated you do not wish to be contacted by us for marketing purposes, we will retain your details on a ‘do not contact’ list to help ensure that we do not contact you accidentally. However, we may still need to contact you if you carry on dealing with us, including (but not limited to):
- Explaining and apologising where we have made a mistake
- Dealing with future legal claims in connection with a contract we have with you.
Storing your data
When you give us your details, you agree to us recording your details on our secure database, so we can provide you with the best possible service. We hold your personal information for as long as required to provide you with access to the App, to administer your relationship with us, to share with researchers, to comply with the law or to ensure we do not communicate with people who no longer wish to hear from us.
We have adopted a data retention policy that sets out the different periods we retain personal information for in respect of these relevant purposes. The criteria we use for determining these retention periods is based on various legal requirements; the purpose for which we hold data and whether there is a legitimate reason for continuing to store it (such as in order to deal with any future legal disputes); and guidance issued by relevant regulatory authorities including, but not limited to, the Information Commissioner’s Office (ICO).
Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. Some personal information may be retained by us in archives for statistical or historical research purposes although we will do this in a manner that complies with applicable data protection law.
We continually review the information and records that we hold, personal or otherwise, and delete what is no longer required.
Medli Health holds its data on secure databases which are hosted in the UK or EU. Access to this system is limited and there is restricted access to data based on a person’s role in the organisation.
The app stores your name, date of birth, gender and email address in a secure, encrypted storage location on your device. When data moves between the app and our servers, it is encrypted during transit.
Where we engage with organisations outside of the UK or EU, we will endeavour to ensure that the processing of your data is subject to appropriate security measures.
In line with the principles defined in the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), Medli Health will ensure that personal data will be processed in ways that are:
- Lawful, fair and transparent
- Collected only for specific explicit and legitimate purposes
- Adequate, relevant and limited
- Accurate and up-to-date
- Not kept for longer than necessary
Your details will be kept securely and only shared with trusted partners, who have a contract with us, for example, a charity that wants to make use of our app and that you have affiliated with, or if required to by law, i.e. with the police or a regulatory body. At all times we remain legally accountable for your data.
Cookies, web beacons and similar technologies
We use the information we gather to help improve the experience and personalisation of our website. For example, they help us to identify and resolve errors, or to determine the most relevant information and services to show our visitors in the future.
Our cookie and tracking policy can be found here.
Under UK data protection law, you have rights over personal information that we hold about you. These are summarised below.
Right to be informed
You have the right to be told how your personal information will be used. This policy and other policies and statements used on this website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.
Right to access your personal information
You have a right to access certain personal data being we keep about you, either physically or digitally. Personal information you enter into the App can be accessed via the App. In addition to this you have the right to request access to any other personal information which may be held. Anyone who wishes to exercise this right should apply, in writing, to the Senior Information Risk Officer at Medli Health , Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH or email@example.com. Please include details of the information you wish to access. We will respond within 30 days, providing that the request includes appropriate contact details, proof of identity from the individual and we can validate the request.
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. If you believe the information we hold about you is inaccurate or incomplete, please update or correct this directly via the App, or provide us with details and we will investigate and, where applicable, correct any inaccuracies. If the information has been provided to us by the NHS as part of our data sharing agreement you will need to contact them to have their records amended.
Right to restrict use of your personal information
You have a right to ask us to restrict the processing of some or all of your personal information in the following situations: if some information we hold on you isn’t right; we’re not lawfully allowed to use it; you need us to retain your information in order for you to establish, exercise or defend a legal claim; or you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose and you have objected to us doing so.
Right to erasure of your personal information
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions (i.e. if we have to hold on to it to meet a legal obligation), you have the right for this to be done.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object to the use of your personal information
If we are processing your personal information based on our legitimate interests or for scientific/ historical research or statistics, you have a right to object to our use of your information. If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.
If you want to exercise any of the above rights, please contact our Senior Risk Information Officer at Medli Health, Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH or by email: firstname.lastname@example.org We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within 30 days of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the Information Commissioner’s Office in their ‘Your Data Matters’ guidance for individuals.
Right not to be subject to a decision based solely on automated processing
We do not conduct any automated processing, profiling, or decision making using your data.
Keeping your information up-to-date
We really appreciate it if you let us know if your contact details or circumstances change. You can do this using the ‘contact us’ feature within the app.
How to change the way we contact you
Your personal preferences and keeping your data accurate is of utmost importance to us.
If at any stage you do not want to hear from us, want to change your contact preferences or want to update your details, you can use the ‘contact us’ feature within the app to let us know..
Any marketing email we send you will contain information about how to unsubscribe from email marketing communications. During any phone, email or LiveChat conversation you have with us, please feel free to let us know how you prefer to be contacted.
What to do if you if you have any concerns
If you are unhappy at any time about the way we process and/or use your personal information, or have concerns about a child using our app who is providing personal data without consent, please contact Liam Heffernan, The Company’s Data Protection Officer, who will investigate your concerns. Please write to them at Medli Health, Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH, email email@example.com or call 01252 413163.
If we are relying on Legitimate Interests to process your data, or we are implementing a new project or system relating to personal data, we carry out a Legitimate Interest Assessment or a Data Protection Impact Assessment. If you would like to see a copy of a specific assessment, please get in touch with our Senior Risk Information Officer at Medli Health, Fleet 27, Rye Close, Fleet, Hampshire GU51 2UH, email firstname.lastname@example.org or call 01252 413163.
We appreciate the opportunity your feedback gives us to learn and improve. Find out more in our Complaints Policy.
If you are unhappy with the way your data are being processed, and we have been unable to satisfactorily resolve your concern, you have the right to complain to the Information Commissioner’s Office (ICO): www.ico.org.uk