UKGDPR Privacy Policy

Learn how we safeguard your personal information and ensure data security.

Introduction

This policy applies to all employees, contractors, and vendors while doing business with Heidi Health Ltd (Heidi), a company registered in England and Wales under the Companies Act 2006 with company number 15878893, and to others who have access to United Kingdom (UK) data subject information ("personal data") in connection with Heidi's operating activities.

This policy should be read in conjunction with our wider Privacy Policy found here https://www.heidihealth.com/legal/privacy-policy. In the event of any contradictions or inconsistencies between the wider Privacy Policy and this policy, the terms of this policy shall prevail and be the governing document for individuals covered by the Data Protection Act 2018 (UKGDPR) and associated privacy laws.

As part of our service, we provide the Heidi Platform application (Platform) to qualified medical practitioners (including their relevant medical clinic) and other health professionals (Practitioners).

The Platform facilitates the delivery of healthcare services including by:

  • Heidi, we, our or us – we mean Heidi Health Ltd, and our related bodies corporate identified below.
  • our services – we mean the provision of the Platform to you as a Practitioner and related services that we provide.
  • you – we mean you, the reader of this policy.
  • your information – we mean your personal information.
  • privacy laws – we mean all privacy and data protection laws that apply to us when we handle your information.

You can get in touch with us at any time about the way we handle and safeguard your information.

If you want to:

  • ask questions
  • update your information
  • update or delete your Heidi Platform account
  • change your user preferences
  • register a concern
  • opt out of marketing
  • anything else…

We're just a call or a few clicks away. If you have any questions or complaints about how we handle your information, you can get in touch with us at support@heidihealth.com.

Background

Heidi is committed to protecting the security, confidentiality, and privacy of its information resources including UK, EU and EEA personal data in accordance with the requirements set forth in the UKGDPR. Personal data shall only be processed when there is a legal basis to do so, data shall be managed to ensure that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. All employees and contractors of Heidi share the responsibility for safeguarding personal data to which they have access.

When performing commercial activities in support of Heidi products and services that impact UK personal data, Heidi may engage in certain activities which require it to receive, store, process, transmit, create, or access and use data, and which may trigger compliance requirements under the UKGDPR. This policy and the UKGDPR Policies adopted hereunder are intended to support the mission of Heidi and to facilitate data processing activities that are important to Heidi by:

  • Ensuring compliance with requirements imposed by UKGDPR and Heidi's regulatory obligations.
  • Providing for the establishment of UKGDPR Policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data.
  • Setting forth the roles and responsibilities necessary for Heidi to meet its obligations with respect to activities related to the processing of personal data in accordance with GDPR.

What information do we collect?

When you access and use our website, Platform, or other services, we collect and hold certain categories of information. Additionally, we may collect other types of information from you to further tailor and secure our offerings, adhering to all requirements under the UKGDPR, ensuring transparency and giving you control over your personal data.

The personal information we handle is provided directly by you for reasons such as:

  • You have submitted an enquiry to us.
  • You have started or completed a business transaction with us.
  • We are delivering services to you or the organisation/entity you represent.
  • You have applied for a position with us.
  • You are employed by or collaborate with us.
  • You visit our website and agree to our use of cookies.
  • You have filed a complaint with us.

We also obtain personal information indirectly in these instances:

  • When offering services to the organisation/entity you work for or represent, and they share your information with us.
  • When your contact details are publicly available on your organisation’s website, and we use them to get in touch with you and your organisation.
  • When your contact information is accessible via social media platforms, and we use it to contact you and your organisation.

Why do we process your information?

Below is an overview of the personal data we collect and the legal basis for processing it. When processing data based on legitimate interests, we apply the following criteria:

  • Purpose – is the purpose of processing personal data legitimate?
  • Necessity – Is the processing necessary to achieve that purpose?
  • Balance – do the individual’s interests, rights or freedoms override the legitimate interest?

The collection of personal data via our website serves the following purposes:

  • When providing information about products and services you requested through email subscriptions, the lawful basis for processing is consent.
  • When providing related information about identified areas of interest, the lawful basis is legitimate interests.
  • When enabling individuals to exercise their rights over personal data, the lawful basis is compliance with a legal obligation.

Organisations such as Heidi, which provide services to the NHS, may rely on the following legal bases for processing data:

  • To support data processing for NHS services, using legal powers provided by:
    • The National Health Service and Community Care Act 1990
    • The NHS Act 2006
    • The Health and Social Care Act 2012
  • To process personal and special category data in accordance with UK GDPR:
    • Art. 6(1)(e) – Public task
    • Art. 9(2)(h) – healthcare purposes
  • To process personal data in line with the Data Protection Act 2018:
    • Condition 2 of Schedule 1 – Health and Social Care Purposes.
  • To handle confidential information under the Common Law Duty of Confidentiality:
    • Implied consent

We may de-identify and/or aggregate your personal information to provide certain functionalities and improve Heidi's performance. However, no user data will be used to train any third-party large language models. In the event of any inconsistencies between this privacy policy and any other policies, this policy will take precedence for residents of the United Kingdom.

Heidi also does not undertake any automated decision-making or profiling in relation to your personal data as defined under Article 22 of the GDPR. Personal and special category data processed by Heidi will be retained in line with the retention periods specified in the NHS England Records Management Code of Practice.

Do we store or share your information outside of the UK?

We do not disclose your information to third parties for direct marketing purposes.

We engage third-party service providers, known as data processors, to perform services on our behalf. These processors are bound by data processing agreements that restrict them from using your personal information for any purpose other than those we specify. They cannot share your data with other organisations unless explicitly instructed by us. These processors are required to securely store your personal data and retain it only for the duration we specify.

If we need to transfer your personal data outside of the UK, we will ensure that it is done in compliance with the UKGDPR and the Data Protection Act 2018. In all cases, we will ensure that there is a lawful basis for the data sharing and will document our decision-making process.

Roles and Responsibilities

Policy Adoption

Heidi Health Trading Pty Ltd shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate UKGDPR as well as GDPR Policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect personal data against reasonably anticipated threats or hazards and unauthorized uses or disclosures.

All relevant Heidi stakeholders shall cooperate with Heidi Health Trading Pty Ltd in the development and implementation of the GDPR Policies.

The Heidi Information Security and Data Privacy Policies are a component of the GDPR Policies and implement controls which support GDPR compliance.

Responsible Person

Our Head of Legal and Regulatory Affairs has been assigned responsibility for overall oversight of Heidi's UKGDPR/GDPR compliance program.

Data Protection Officer

The Data Protection Officer (DPO) shall have the responsibilities set forth in this Policy and GDPR Article 39. The DPO is tasked with daily and ongoing oversight and management of Heidi's GDPR Compliance Program, which includes the following responsibilities:

  • Monitoring Heidi's internal compliance with GDPR
  • Providing guidance at the earliest stage possible on all aspects of data protection
  • Keeping Heidi's stakeholders apprised of changes to GDPR and other relevant laws and regulations
  • Assisting the controller or processor in monitoring internal compliance with the Regulation, including:
    • Collecting information to identify processing activities
    • Analysing and checking the compliance of processing activities
    • Informing, advising and issuing recommendations to the controller or the processor
  • Acting in an independent manner, and ensuring there is no conflict of interest in other roles or interests that the DPO may hold
  • Maintaining inventories of all personal data stored on behalf of the data controller or processor
  • Responding to security, privacy, and data access requests and complaints from data subjects
  • Managing data security and critical business continuity issues that could impact personal data
  • Providing guidance, as requested, to the data controller to complete a data protection impact assessment ("DPIA")
  • Providing guidance on responding to accidental or malicious activity that could impact personal data
  • Cooperating with the supervisory authority as needed
  • Acting as the contact point for the supervisory authority on issues relating to processing, and consulting, where appropriate, with regard to any other matter

The Data Protection Officer is: Yassin Omar, Head of Legal and Regulatory Affairs, yassin@heidihealth.com.

Implementation

Breach Notification

Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties in accordance with the GDPR notification requirements and the Incident Response Policy.

Data Subject Access Requests (DSAR/SAR)

Subject to the exceptions noted below in this policy, Heidi Health Trading Pty Ltd will comply with any SAR concerning the following rights of the data subject:

  • Access (a copy of the personal data undergoing processing)
  • Rectification of personal data (correction of data stored or processed)
  • Erasure ('right to be forgotten')
  • Restriction of processing
  • Notification regarding rectification or erasure
  • Data portability (in the event of a Data Portability Request, Heidi will export the customer's data in an industry-standard format and make it internet accessible for download only by the data subject)
  • Objection to processing (withdrawal of consent to processing)
  • Automated individual decision-making, including profiling
  • Do Not Sell requests under the CCPA

SAR when Heidi Health Trading Pty Ltd is the data controller:

  • A SAR must be made through the Intercom modal on the Heidi platform or by emailing us at support@heidihealth.com
  • Where required, the data subject must provide reasonable evidence of their identity in the form of valid identification, for example email verification.
  • When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure.
  • If a SAR is submitted by an agent, the submission must include the identification of the data subject.

SAR when Heidi Health Trading Pty Ltd is the data processor:

  • The SAR must be submitted via the user interface in the Heidi Services.
  • The controller must identify the SAR that is being requested.

SAR requirements

  • The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; Heidi Health Trading Pty Ltd will acknowledge any manual requests within 3 business days.
  • Heidi Health Trading Pty Ltd has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
  • The SAR application will be documented and can be audited through Heidi Health Trading Pty Ltd's internal processes.

Heidi as the data processor

  • Customers will be provided instructions on how to access the data through the user interface or APIs.
  • To the extent the customer is unable to access the data or has issues with accessing the data, Heidi will assist the customer in accessing their data.
  • Heidi will collect the data specified by the data subject and process according to the instructions provided by the data controller.
  • Heidi will maintain a record of requests for data and of its receipt, including dates.

Heidi as the data controller

  • Heidi will collect the data specified by the data subject.
  • Heidi will search all databases and all relevant filing systems (manual files) in Heidi, including all backup and archived files, whether computerised or manual, and including all email folders and archives. Heidi maintains a record that identifies where personal data in Heidi is stored.
  • Heidi will maintain a record of requests for data and of its receipt, accessible by Heidi's Data Protection Officer and/or any other designated Heidi Health Trading Pty Ltd representatives. Heidi will also keep a record of processing, including dates.
  • Heidi will provide data subjects with an online mechanism for making requests, and all such requests will be logged.
  • Heidi will acknowledge the SAR within three (3) days of the initial request and respond to any SAR within 25 days of the initial request.
  • SARs from employees or previous employees will be coordinated with HR and the employees' current or previous departmental leadership.

SAR Exemptions

Heidi Health Trading Pty Ltd may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer.

SAR Limits

Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by Heidi that are requested by the data subject, Heidi may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.

Compelled Disclosure

This section governs the compelled disclosure by Heidi Health Trading Pty Ltd of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands, and is incorporated by reference into Heidi Health Trading Pty Ltd's Privacy Policy.

Upon receipt of legal demands for information, Heidi Health Trading Pty Ltd will immediately notify the, and Data Protection Officer. Heidi Health Trading Pty Ltd will investigate the demands, and if it is determined at Heidi Health Trading Pty Ltd's sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. We are unable to process overly broad or vague demands, and we will not disclose information that is not specifically demanded, except in response to follow-up demands.

Heidi may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.

All external communications with customers, regulators and law enforcement shall be approved by Heidi Health Trading Pty Ltd.

Enforcement

The Head of Legal and Regulatory Affairs and the Chief Technology Officer are responsible for the enforcement of this policy.

Employees who may have questions should contact the Head of Compliance as appropriate.

Disciplinary Action

Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.

Reporting

All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must promptly be reported either to Heidi's Data Privacy Officer or via the incident reporting process at support@heidihealth.com.

As long as a report is made honestly and in good faith, Heidi will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.

Effective: 22 July 2024