Privacy Policy
Data Protection Laws
There are rules in place that control how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- health data including sexual health
- criminal records
The Company
Patchs Health is the trading name of “Spectra Analytics Limited”.
We provide private wellbeing services through our Patchs Health website (www.patchshealth.com) via our partner TELUS Health (https://www.telus.com/en/health).
We also provide healthcare technology solutions, such as Patchs (www.patchs.ai), that power healthcare communications. This is delivered to the NHS in collaboration with our partner Advanced Health & Care (https://www.oneadvanced.com/solutions/solutions-by-sector/health-and-care/).
If you are an NHS patient looking for information about the use of data for Patchs please go to the NHS section below. Please never send personal information directly to Patchs Health or Spectra Analytics, as we can only process your data with instruction from your GP practice.
Patchs Health Website Data
Patchs Health will collect certain information or data about you when you visit the Patchs Health website (www.patchshealth.com).
Who Controls Your Data
Patchs Health is the Data Controller for any data inputted, submitted or generated via our website. You are considered to be the Data Subject.
If you use our private wellbeing services, we share data with our partner TELUS Health (https://www.telus.com/en/health). This is so that they can provide their service to you. TELUS Health is a separate Data Controller, which means that TELUS Health is fully responsible for its own processing of your personal data. Their privacy policy is accessible here (https://help.lifeworks.com/hc/en-gb/articles/209973963).
Payments are processed via Stripe who are a Data Processor on our behalf. This means that we are responsible for ensuring that they protect your personal data appropriately. Their privacy policy is accessible here (https://stripe.com/en-gb/privacy).
What Data Do We Collect
We collect different categories of personal data, which we use for different purposes.
Wellbeing Services
We collect the following personal information if you use the Patchs Health website to book wellbeing services with TELUS Health:
- Name, telephone number, email address, address, date of birth, modality of counselling, presenting issue, availability for counselling.
- Payment details including debit or credit card details. We do not store these details. Payments are processed by Stripe.
We pass this data to TELUS Health to enable them to provide their wellbeing services.
General Website Information
This includes:
- Questions, queries or feedback you leave, including your email address if you send an email to any Patchs Health or Spectra Analytics emails
- Your IP address, and details of which version of web browser you used
- Information on how you use the site, using cookies and page tagging techniques to help us improve the website
This helps us to:
- Review and respond to any feedback you send us
- Improve the site and our digital services by monitoring how you use them
- Provide you with information about other services if you want it
We will make every effort to not personally identify you using your data but where this is not possible, your data will be covered by our commitment to this privacy policy and our data protection principles.
Cookies
Our website (www.patchshealth.com) puts small files (known as ‘cookies’) onto your computer to collect information about how you browse the site.
Cookies are used to:
- measure how you use the website so it can be updated and improved based on your needs
- remember the notifications you have seen so that we do not show them to you again
These cookies are not used to identify you personally.
You’ll normally see a message on the site before we store a cookie on your computer.
Purpose for Processing the Data
We process personal information that you provide in connection with booking wellbeing services to:
- Share with TELUS Health to enable them to provide their wellbeing services
- Collect payment from you
This information is only collected when you submit data to us. We process it on the basis that it is necessary to do so in order for us and TELUS Health to take steps at your request before entering into a contract with you. Where the data includes sensitive data, such as health data, we process it on the basis that it is necessary to do so to provide the wellbeing service that you have requested.
General website information helps us to:
- Review and respond to any feedback you send us
- Improve the site and our digital services by monitoring how you use them
Retention Period
Patchs Health retains health data for periods specified by current NHS guidelines. For non-health data we may keep your data on file for up to ten years.
Where Your Data is Stored
We store your data securely within the European Economic Area (EEA).
Data Sharing
We only share your personal information with TELUS Health and Stripe, in order to allow TELUS Health to provide the wellbeing service that you request. TELUS Health will confirm to us when you have booked an appointment with them and who that appointment has been booked with.
We do not and will not share your information with any other organisations for marketing, market research or commercial purposes.
We do not pass on your details to other websites.
NHS Services
If you are using the Patchs Online or Telephone Assistant software – together called ‘Patchs’ – as a patient to communicate with your GP Practice or allied health provider, the full terms and conditions, and details on how we process and use your data, are detailed in the End User License Agreement (EULA) available here (Patchs-Patient-EULA.pdf).
In this section, we summarise the important aspects but please refer to the EULA for full details.
Who Controls Your Data
The GP Practice is the Data Controller of Your Personal Data and any other data inputted or submitted via Patchs. You are considered to be the Data Subject. Accordingly any requests by you for information will be dealt with by the GP Practice pursuant to their own privacy policy.
Advanced Health & Care are the Data Processor (they are contracted to deliver the service), and Patchs Health are the Data Sub-Processor (they develop and maintain the software), in delivering the Patchs services.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
What Data We Collect
Patchs collects basic ‘personal data’ about you such as your name, address and contact details. It might also hold your email address, marital status, occupation, place of birth, preferred name or maiden name and power of attorney, advocate or carer information. This information would be held in digital form. In addition to the above it may also process more sensitive personal data, called ‘special category data’ which could include:
- Notes and reports about your health, treatment and care
- Medical condition
- Results of investigations, such as x-rays and laboratory tests
- Future care you may need
- Personal information from people who care for and know you, such as relatives and health or social care professionals
- Smoking status and any learning disabilities
- Your religion and ethnic origin
- Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status)
- Sexual history including partners, sexual orientation where relevant
- School information and information about your family health or social history
- Images and recordings
- Medical Documents
- Any special needs or preferences for receiving information
- Any of the above for a child for whom you have parental responsibility or a third party who has given you consent to act as their proxy
Our services are not intended for use by those under the age of 16 but data and information about such individuals may be processed by the GP Practice and Patchs pursuant to the legitimate and vital interest of providing and managing health and care services to all the GP Practice’s patients, service users and clients. Accordingly if you have parental responsibility at your GP Practice for a child (or act on behalf of a third party with consent as their proxy) their personal data will also be processed in the same manner as Your Personal Data.
Purpose for Processing the Data
Your GP’s legal basis for processing your personal information falls under one of the following legal bases:
- legitimate interests of providing and managing health and care services to the GP Practice’s patients, service users and clients;
- performance of a task carried out in the public interest or in the exercise of official authority
- necessary for a legal obligation such as responding to a request from a coroner
- necessary for reasons in the area of public health such as in the event of an outbreak of a disease or pandemic
Your GP’s legal basis for processing special category data falls under one of the following legal bases:
- the provision of health or social care;
- social protection law for safeguarding purposes;
- where it is necessary to protect your vital interests when you are physically or legally incapable of providing consent.
Your GP Practice itself does not require your consent to process Your Personal Data. However, you do have the right to say “no” to our processing of your information but this could have an impact on your GP Practice’s ability to provide you with care. Your GP Practice wishes to share Your Personal Data with us solely to ensure that their services can meet patient needs in the future, to develop better quality services, provide more flexible arrangements for communicating with you and maximise technology to assist with the workload of its clinicians at the GP Practice.
We will ensure that we only process Your Personal Data in accordance with the terms of the End User Licence Agreement and any lawful instructions received from the GP Practice. Should you wish us to stop processing your data please contact your GP Practice to request it.
Retention Period
For GP Practices using Patchs we retain your data for periods specified by current NHS guidelines.
If your GP practice stops using Patchs we may retain the data for up to 12 months and then it is securely deleted. The period of 12 months is necessary to ensure all data is transferred to the GP practice and any outstanding requirements have been resolved.
If your GP practice requests that we remove your data – following a request from yourself – we will delete the data as soon as possible. This is usually the same day but may be up to 1 week.
Where Is Your Data Stored
We store data with Amazon Web Services in the London region. By using Patchs you are deemed to consent to Amazon Web Services as a sub-processor. Data is held encrypted in transit and at rest to keep the data secure. Encrypted backups are also held in additional locations.
We will ensure that Amazon Web Services complies in full with our commitments in this End User Licence Agreement (and Advanced Health & Care and Patchs Health are liable for any non-compliance by Amazon Web Services or any other permitted sub-processor in relation to the obligations under the End User Licence Agreement and/or the Data Protection Legislation).
We will not transfer Your Personal Data outside of the UK (other than to and from the EEA) unless your GP Practice has given us its prior written consent and the relevant conditions in the Data Protection Legislation are fulfilled. You acknowledge that it is technically possible for hosted systems to be accessed by you from outside the UK or EEA.
Data Sharing
We conduct research to evaluate the use of Patchs as a tool in primary care for triage and workflow optimisation. This is to ensure it is safe to use and it is benefitting patients and GP Practices. This research is conducted internally and in partnership with the University of Manchester. We collect consent for sharing the data during Patchs registration but only share the data where NHS ethical approval is in place. Patients can remove consent at any time from the settings in their Patchs account or by emailing datasharing@patchs.ai.
What data do we share?
- Personal Data: the only personal data we share with the University of Manchester is patient contact details when patients opt in to sharing them. Patients can opt out of sharing this information at any time and the information can be removed.
- Anonymised Data: ‘Anonymised’ means that patients who have shared data cannot be identified. Information such as name, address, date of birth are all removed. Anonymised data may include information such as age, sex, ethnicity, and medical information. This may be reviewed by researchers and external GPs evaluating the software’s safety and effectiveness.
Whilst anonymised data is not subject to the same restrictions placed on the processing of personal data under the General Data Protection Regulation (GDPR), we want to be completely open with patients about how we are using data and allow them to opt out of anonymised data sharing. Patients can remove consent from the settings in their Patchs account or by emailing datasharing@patchs.ai. It is not possible to remove consent retrospectively: because the data is anonymised, we are unable to identify it ourselves to remove it.
Links to Other Websites
www.patchshealth.com and www.patchs.ai contain links to and from other websites. This privacy policy applies to this website and the services and products that we offer. It does not cover other services and transactions that we link to.
Following a link to another website:
If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.
Following a link to www.patchshealth.com or www.patchs.ai from another website:
If you come to www.patchs.ai from another website, we may receive personal information about you from the other website. You should read the privacy policy of the website you came from to find out more about this.
Disclosing Your Information
We may pass on your personal information if we have a legal obligation to do so, or if we have to enforce or apply our terms of use and other agreements. This includes exchanging information with government departments or agencies for legal reasons.
Your Rights
You can find out what information we hold about you, ask us not to use any of the information we collect, ask us to correct any inaccurate personal data we hold, and ask us to delete your data. To do this:
- Patchs Health Customers: please email SAR@patchshealth.com
- Patchs Patients: You must contact your GP practice and they will inform us. Your GP practice is the Data Controller for your data and we can only comply with their instructions.
You can opt in to or out of data sharing from the settings in your Patchs account or by emailing datasharing@patchs.ai.
If you are not happy with this response then you can make a complaint to the Information Commissioner’s Office (ICO) – see the section below.
Making a Complaint
If you think your data has been misused or that the organisation holding it has not kept it secure, you should contact them and tell them.
If you are unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO).
ICO Helpline: 0303 123 1113
Call charges may apply. You can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who has misused personal data.