Privacy Policy
1. Important information about your privacy
1.1 During the course of our activities we collect, store and process two categories of data:
(a) Personal data, meaning any data or information which identifies a person (e.g. a name, a phone number or an email address); and
(b) Non-personal data, meaning any data or information which does not identify a person (i.e. anonymised data or statistical data).
1.2 In addition to the data that we collect, store and process about our current, former and prospective employees, contractors, collaborators, clients and other third parties, we also collect data about persons who use our mobile applications (Apps).
1.3 Our Apps are divided into two categories:
(a) Apps which collect personal data (i.e. using a live email address which identifies a person) (Consumer Apps); and
(b) Apps which collect non-personal data only and which do not collect personal data (i.e. our Pain Clinic, MyTeleDiary and Phorganiser Apps which use anonymised accounts that can never identify a person) (Simple Apps).
1.4 All data (personal data and non-personal data) collected, stored and processed by the Apps is held on servers within the UK and no such data is ever transferred outside the UK. All data transfers are encrypted.
2. The Consumer Apps
2.1 We recognise that the correct and lawful treatment of personal data is of paramount importance and will maintain confidence in us and in the services we provide and accordingly where we process personal data via Consumer Apps we will comply with the terms of this policy and the Data Protection Legislation.
3. The Simple Apps
3.1 The use of the Simple Apps is completely anonymised. We never request any personal data from users and users should never input any personal data into the Simple App. The anonymised data that a user inputs into the Simple Apps is the only data collected by the Simple Apps.
3.2 This anonymised data collected by the Simple Apps may be used by the person who provided the user with access to the Simple App such as the user's healthcare provider (Account Provider) and other relevant experts.
3.3 The anonymised data collected by the Simple Apps may be used for the purpose of evaluating the Simple Apps and using the Simple Apps in connection with the provision of healthcare, wellbeing and research services provided by the Account Provider and other relevant experts. The anonymised data collected by the Simple Apps may also be aggregated and used for research or commercial purposes.
3.4 The use of the Simple Apps is completely voluntary and users may request deletion of their account with the Simple App via the Account Provider. The users of the Simple Apps may also request a copy of their data via the patient portal in the Simple Apps or via the Account Provider.
3.5 We will have no obligations under this policy or the Data Protection Legislation in respect of the anonymised data that we collect, store and process via Simple Apps and any questions or complaints regarding the Simple Apps should always be made via the Account Provider so that the users of the Simple Apps are never identified to us. However, if a user contacts us directly (rather than the Account Provider) and as a result we process certain personal data relating to that user (e.g. their name and contact details) we will comply with the terms of this policy and the Data Protection Legislation in respect of that personal data only.
4. About this policy
4.1 The types of personal data that TIYGA (NI) Limited (trading as TIYGA Health) (we) may be required to handle include names, physical addresses, email addresses, telephone numbers, social media account details, financial information relating to our employees, contractors, clients, prospective clients and other third parties. We may also be required to process special categories of personal data including personal data concerning health. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (unless and until the GDPR is not applicable in the UK), each as amended and/or updated from time to time, and other regulations (Data Protection Legislation).
4.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
4.3 The Data Protection Compliance Manager [0844 414 8624; [email protected]] is responsible for ensuring compliance with the Data Protection Legislation and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager.
5. Definition of data protection terms
5.1 Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5.2 Data is any information which is stored electronically on a computer or in certain paper-based filing systems.
5.3 Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK or a European Economic Area (EEA) national or resident.
5.4 Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Data Protection Legislation. Where we determine the purposes for which, and the manner in which, any personal data is processed in relation to our employees, contractors, collaborators, clients, persons and other third parties, we are a data controller.
5.5 Data users are those of our employees and contractors whose work involves processing personal data. Data users must process the personal data they handle in accordance with this policy at all times.
5.6 Data processors are the people who or organisations which process personal data on behalf of a data controller or on its instructions. Employees of data controllers are excluded from this definition, but it could include suppliers, contractors and other data users who process personal data on behalf of the data controller or on its instructions. Where we process personal data on behalf of a data controller, we are a data processor.
5.7 Non-personal data means any data which relates to a living individual or a group of living individuals who cannot be identified from that data (or from that data combined with other information in our possession or control). Non-personal data may include anonymised data and statistical data.
5.8 Personal data means any data relating to a living individual who can be identified from that data (or from that data combined with other information in our possession or control). Personal data may include factual data about a person (e.g. a name, address or date of birth) and opinions about a person, their actions and behaviour.
5.9 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
5.10 Processing is any activity that involves the use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
5.11 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
5.12 Special categories of personal data or sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
6. Data protection principles
When processing personal data we will comply with the enforceable principles of good practice. These principles provide that personal data must be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
(b) Processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those processes (purpose limitation).
(c) Adequate, relevant and limited to what is necessary in relation to the purpose for which the data is processed (data minimisation).
(d) Accurate and where necessary kept up to date (every reasonable step must be taken to ensure that personal data that is inaccurate having regard to the purpose for which it was processed is erased or rectified without delay) (accuracy).
(e) Kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (storage limitation).
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (integrity and confidentiality).
(g) Processed in line with data subjects' rights.
(h) Not transferred to people or organisations situated in countries without adequate protection.
7. Lawfulness, fairness and transparency
7.1 The Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
7.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation, including:
(a) the data subject's consent to the processing;
(b) that the processing is necessary for the performance of a contract with the data subject;
(c) for the compliance with a legal obligation to which the data controller is subject; or
(d) in connection with a legitimate interest of the data controller or the party to whom the data is disclosed.
7.3 Special categories of personal data can only be processed under strict conditions, including where the data subject has given consent to such processing, where such processing relates to personal data which has been manifestly made public by the data subject or where such processing is necessary for reasons of substantial public interest which are proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
7.4 When processing personal data we will ensure that we do so on the basis of one of the legal grounds set out in the Data Protection Legislation as set out in the Schedule.
8. Purpose limitation
8.1 In the course of our business we collect and process the personal data set out in the Schedule for the purposes set out in the Schedule. This may include data we receive directly from a data subject (e.g. where an employee provides us with their personal data) and data we receive from other sources (e.g. where a prospective client is referred to us by a third party).
8.2 We only process personal data for the specific purposes set out in the Schedule or for any other purposes specifically permitted by the Data Protection Legislation.
9. Data minimisation
We only collect and process personal data to the extent that it is required for the specific purpose notified to the data subject as set out in the Schedule.
10. Accuracy
We use reasonable endeavours to ensure that personal data we hold is accurate and kept up to date. We check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We use reasonable endeavours to destroy or amend inaccurate or out-of-date data.
11. Storage Limitation
We do not keep personal data longer than is necessary for the purpose or purposes for which it was collected. We use reasonable endeavours to destroy, or erase from our systems, all data which is no longer required.
12. Integrity and confidentiality
12.1 Taking into account the current state of technology, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, we will, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Data Protection Legislation and to protect the rights of data subjects.
12.2 In order to ensure data protection by design and by default, we will:
(a) take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
(b) put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put their own adequate measures in place.
(c) maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(i) Confidentiality means that only people who are authorised to use the data can access it.
(ii) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(iii) Availability means that authorised users should be able to access the data if they need it for authorised purposes.
(d) Ensure that all personal data is processed within our secured and managed hosting services. Unless otherwise agreed with the data subjects in writing in advance, all data processing takes place within the EEA and all personal data remains within the EEA.
12.3 In particular, the following technical and organisational measures and processes are in place:
(a) intrusion detection and prevention measures and processes;
(b) malware protection measures and processes;
(c) appropriate firewall controls and port/IP blocking;
(d) backup provision; and
(e) pseudonymisation and/or encryption of data (where possible).
13. Processing in line with data subject's rights
13.1 We process all personal data in line with data subjects' rights, in particular the right to:
(a) Request access to any data held about them by a data controller or a data processor (right to make a subject access request).
(b) Request that any inaccurate data held about them by a data controller or a data processor be amended (right to request rectification).
(c) Request that any data held about them by a data controller or a data processor be deleted in certain circumstances (right to be forgotten).
(d) Request that processing of any data held about them by a data controller or a data processor be restricted in certain circumstances (right to request restriction of processing).
(e) Request that any data held about them by a data controller or a data processor be transferred to another data controller (right to data portability).
(f) Object to the processing of any data about them by a data controller or a data processor where such processing is based solely on automated processing (including profiling) (right to object to automated individual decision-making, including profiling).
(g) Object to the processing of any data about them by a data controller or a data processor where such processing is for the purpose of direct marketing (right to object to direct marketing).
13.2 Where processing is based on consent:
(a) We will be able to demonstrate that the data subject has consented to the processing of his or her personal data.
(b) If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent will be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the Data Protection Legislation will not be binding.
(c) The data subject will have the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject will be informed accordingly. It will be as easy to withdraw as to give consent.
(d) When assessing whether consent is freely given, we will take account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
(e) Where processing personal data relating to a child on the basis of consent, the processing of that personal data will be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing will be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child (and we will make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology).
13.3 Where processing is based on legitimate interests pursued by the data controller or a third party:
(a) We will be able to demonstrate that there is a legitimate interest pursued by us or by a third party which justifies the processing of personal data.
(b) We will be able to demonstrate that the processing of personal data is necessary for the purposes of the legitimate interest pursued by us or by a third party.
(c) We will be able to demonstrate that the legitimate interest pursued by the data controller or by a third party is not overridden by the interests or fundamental rights and freedoms of the data subject.
14. Transferring personal data to a country outside the EEA
14.1 Personal data may be transferred outside the EEA, provided that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms.
(b) The data subject has given his consent.
(c) The transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.
14.2 We will only transfer personal data outside the EEA where one of the conditions set out in clause 12.1 has been complied with.
15. Notifying data subjects
15.1 Where personal data is collected directly from data subjects, we will inform them about:
(a) the identity and contact details of the data controller and where appropriate the data controller's data protection representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data is intended as well as the legal basis for processing (e.g. the consent of the data subject or the legitimate interests pursued by the data controller or a third party);
(d) the legitimate interests pursued by the data controller or a third party, where processing is carried out on that basis;
(e) the recipients or categories of recipients of the personal data, if any;
(f) the fact that the data controller or the data processor intends to transfer the data outside the EEA and the basis for that transfer, where applicable;
(g) the period for which the personal data will be stored or if that is not possible the criteria used to determine that period;
(h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(i) the existence of the right to withdraw consent to the processing of personal data relating to the data subject (without affecting the lawfulness of processing based on consent before its withdrawal), where processing is carried out on the basis of consent;
(j) the right to lodge a complaint with a supervisory authority (including the Information Commissioner's Office);
(k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of the failure to provide such data;
(l) the existence of any automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
15.2 If we receive personal data directly from the data subject, clause 13.1 shall not apply where and insofar as we can demonstrate that the data subject already has the information.
15.3 If we receive personal data from other sources (e.g. from third parties), clause 13.1 shall not apply where and insofar as we can demonstrate that the data subject already has the information, where the provision of such information proves impossible or would involve a disproportionate effort or in accordance with any other exception to this obligation expressly provided for in the Data Protection Legislation.
15.4 Where we are a data controller, we will notify the data subject and the supervisory authority within 72 hours of becoming aware of a personal data breach. Where we are a data processor, we will notify the data controller within 72 hours of becoming aware of a personal data breach.
16. Disclosure and sharing of personal information
16.1 We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
16.2 We may also disclose personal data we hold to third parties:
(a) In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
(b) If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
16.3 If we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
16.4 We may also share personal data we hold with selected third parties but only for the purposes set out in the Schedule.
17. Dealing with requests by the data subject
17.1 Data subjects may make a request regarding any of the rights set out in clause 11.
17.2 All such requests should be made in writing and sent to the Data Compliance Manager as specified in clause 2.5 (our employees will refer a request to the Data Protection Officer).
17.3 When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
(a) We will check the caller's identity to make sure that information is only given to a person who is entitled to it.
(b) We will suggest that the caller put their request in writing if we are not sure about the caller's identity and where their identity cannot be checked.
17.4 Persons who are users of the Simple Apps should contact their Account Provider with any queries relating to their anonymised accounts and/or their anonymised data.
18. Changes to this policy
This policy may change from time to time. Where appropriate, we will notify data subjects of those changes by mail or email.
TIYGA (NI) Limited
Last updated: 30 April 2018
Version 1.0
Review due: 30 October 2018
- Data processing activities of TIYGA (NI) Limited
Category of data subject? | Current, former and prospective employees
What personal data is processed? | Name; date of birth; contact details; financial details; correspondence; opinions and analysis
What is the source of the personal data? | The data subject
Is personal data shared with third parties? | Legal and other advisors; HMRC; Cloud storage service providers
Where is the information stored and processed? | Within the EEA; Outside the EEA (the US for Cloud storage service providers only)
Purpose(s) for processing | Maintenance of the data subject's employment file; Payment of the employee's salary; Other purposes directly connected with the data subject's employment
Retention period | Personal data deleted six years after the completion of the employment
Legal basis for processing | Processing is necessary for the performance of a contract to which the data subject is a party

Category of data subject? | Current, former and prospective contractors who are not employees
What personal data is processed? | Name; contact details; financial details; correspondence; opinions and analysis
What is the source of the personal data? | The data subject or third-party sources
Who is the information shared with? | Employees; legal and other advisors; Cloud storage service providers
Where is the information stored and processed? | Within the EEA; Outside the EEA (the US for Cloud storage service providers only)
Purpose(s) for processing | Maintenance of records of services provided by the data subject to the data controller; Payment of service fees for services provided by the data subject to the data controller; Other purposes directly connected with the data subject's provision of services to the data controller
Retention period | Personal data deleted six years after the completion of the services
Legal basis for processing | Processing is necessary for the performance of a contract to which the data subject is a party (for current contractors who are not employees) and legitimate interests pursued by the data controller (for former and prospective contractors who are not employees)

Category of data subject? | Current, former and prospective clients
What personal data is processed? | Name; contact details; financial details; correspondence; opinions and analysis
What is the source of the personal data? | The data subject
Who is the information shared with? | Employees; contractors who are not employees; legal and other advisors; Cloud storage service providers
Where is the information stored and processed? | Within the EEA; Outside the EEA (the US for Cloud storage service providers only)
Purpose(s) for processing | Maintenance of records of services provided by the data controller to the data subject; Processing of service fees for services provided by the data controller to the data subject; Other purposes directly connected with the data controller's provision of services to the data subject
Retention period | Personal data deleted six years after the completion of the services
Legal basis for processing | Processing is necessary for the performance of a contract to which the data subject is a party (for current clients) and legitimate interests pursued by the data controller (for former and prospective clients)

Category of data subject? | Persons who are users of the Consumer Apps
What personal data is processed? | Name; contact details; medical details; correspondence; opinions and analysis
What is the source of the personal data? | The data subject
Who is the information shared with? | Employees; contractors who are not employees; clinical practitioners who are users of the Consumer Apps; legal and other advisors
Where is the information stored and processed? | Within the EEA (UK)
Purpose(s) for processing | Maintenance of records of services provided by the data controller to the data subject via the Consumer Apps; Processing of service fees for services provided by the data controller to the data subject via the Consumer App; Other purposes directly connected with the data controller's provision of services to the data subject via the Consumer App.
Retention period | Personal data deleted immediately after the person ceases use of the Consumer Apps
Legal basis for processing | The consent of the data subject