Data Processing Policy
V&V Health Innovations Ltd
Introduction
The protection of data subjects (i.e. patients and health professionals) via the lawful, legitimate and responsible processing and use of their personal, health and business data is a fundamental human right. Individuals may have a varying degree of understanding or concern for the protection of their data, but V&V Health Innovations must respect their right to have control over their data and ensure it acts in full compliance with legislative and regulatory requirements at all times. If individuals feel that they can trust V&V Health Innovations as a custodian of their data, this will also help V&V Health Innovations to fulfil its wider objectives.
The General Data Protection Regulation (GDPR, retained in UK law as the UK GDPR), as supplemented by the Data Protection Act 2018 (DPA 2018), is the main piece of legislation that governs how V&V Health Innovations collects and processes personal data. Failure to comply with this legislation may have severe consequences for V&V Health Innovations, including potential fines of up to £17.5 million or 4% of V&V Health Innovations’s total worldwide annual turnover, whichever is higher.
Purpose of this Policy
This Policy sets out how V&V Health Innovations will process the personal, health and business data of its customers, their patients, suppliers and other third parties.
This Policy applies to all data that V&V Health Innovations processes regardless of the format or media on which the data is stored or who it relates to.
A glossary of the terms used throughout the Policy can be found in Schedule 1.
Scope of this policy
This Policy applies to all staff of V&V Health Innovations, including honorary staff/associates, contractors, hourly paid employees or interns who are carrying out work on behalf of V&V Health Innovations (referred to herein as “you/your”) involving the handling of personal, health and business data.
You have a crucial role to play in ensuring that V&V Health Innovations maintains the trust and confidence of the individuals about whom V&V Health Innovations processes data, complying with V&V Health Innovations’s legal obligations and protecting V&V Health Innovations’s reputation. This Policy therefore sets out what V&V Health Innovations expects from you in this regard.
Compliance with this Policy and any related policies is mandatory.
The Data Protection Officer (the “DPO”) is responsible for overseeing the implementation and review of this Policy (and any related policies and procedures). They can be contacted at [email protected].
If you do not feel confident in your knowledge or understanding of this Policy, or you have concerns regarding the implementation of this Policy, it is important that you raise this issue with the director of the company (who also serves as DPO) as soon as possible, or use the contact details above to seek advice.
Further advice regarding this Policy
The Data Protection Officer, or other relevant local contacts, can be contacted for general advice and if you:
- wish to process data for any purpose and you are unsure whether V&V Health Innovations has a lawful basis for doing so
- need to rely on consent and/or require explicit consent
- need to prepare a fair processing notice
- are unsure whether to delete, destroy or keep any data
- are unsure about what security or other measures you need to take to protect data
- know or suspect that there has been a data breach
- are unsure on what basis to transfer personal data outside of the European Economic Area (EEA)
- need assistance in dealing with the exercise of any rights by data subjects
- plan to use data for any purposes other than those for which they were originally collected
- are considering the processing of data in a new or different way, where a Data Protection Impact Assessment may be necessary
- plan to undertake any activities involving automated processing, including profiling or automated decision-making
- are unsure of the legal requirements relating to any direct marketing activities
- need help with contracts or any other areas in relation to sharing data with a third party
Data Protection Principles
The GDPR is based on a set of core principles that V&V Health Innovations must observe and comply with at all times from the moment that data is collected until the moment that data is archived, deleted or destroyed.
V&V Health Innovations must ensure that all data are:
- Processed lawfully, fairly and in a transparent manner (“Lawfulness, fairness and transparency”)
- Collected only for specified, explicit and legitimate purposes (“Purpose limitation”)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed (“Data minimisation”)
- Accurate and where necessary kept up to date (“Accuracy”)
- Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (“Storage limitation”)
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (“Security, integrity and confidentiality”)
Additionally, V&V Health Innovations must ensure that:
- Personal data are not transferred outside of the UK or the EEA (which includes the use of any website or application that is hosted on servers located outside of the UK or the EEA) to another country without appropriate safeguards being in place (see Transfers outside of the United Kingdom or the European Economic Area (EEA))
- V&V Health Innovations allows data subjects to exercise their rights in relation to their data (see Data subject rights and requests)
V&V Health Innovations is responsible for, and must be able to demonstrate compliance with, all of the above principles (see Accountability and record-keeping).
Lawfulness, fairness and transparency
Lawfulness and fairness
In order to collect and process data for any specific purpose, V&V Health Innovations must always have a lawful basis for doing so. Without a lawful basis for processing, such processing will be unlawful and unfair and may also have an adverse impact on the affected data subjects. No data subject should be surprised to learn that their data has been collected, consulted, used or otherwise processed by V&V Health Innovations.
Processing data will only be lawful where at least one of the following lawful bases applies:
- The data subject has given their consent for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is a party (for instance a contract of employment or registration with V&V Health Innovations);
- To comply with V&V Health Innovations’s legal obligations;
- To protect the vital interests of the data subject or another person (this will equate to a situation where the processing is necessary to protect the individual’s life);
- To perform tasks carried out in the public interest or the exercise of official authority;
- To pursue V&V Health Innovations’s legitimate interests where those interests are not outweighed by the interests and rights of data subjects (only available to V&V Health Innovations in some circumstances).
V&V Health Innovations must identify and document the lawful basis relied upon by it in relation to the processing of personal data for each specific purpose or group of related purposes.
Consent as a lawful basis for processing
There is no hierarchy between the lawful bases for processing above, of which a data subject’s consent is only one. Consent may not be the most appropriate lawful basis depending on the circumstances.
In order for a data subject’s consent to be valid and provide a lawful basis for processing, it must be:
- specific (not given in respect of multiple unrelated purposes)
- informed (explained in plain and accessible language)
- unambiguous and given by a clear affirmative action (meaning opt-in: silence, inactivity or pre-ticked boxes will not be sufficient)
- separate and unbundled from any other terms and conditions provided to the data subject
- freely and genuinely given (there must not be any imbalance in the relationship between V&V Health Innovations and the data subject and consent must not be a condition for the provision of any product or service)
A data subject must be able to withdraw their consent as easily as they gave it.
Once consent has been given, it will need to be updated where V&V Health Innovations wishes to process the data for a new purpose that is not compatible with the original purpose for which they were collected.
Unless V&V Health Innovations is able to rely on another lawful basis for processing, a higher standard of explicit consent (where there can be no doubt that consent has been obtained, for example a signed document or a Yes/No option accompanied by clear consent wording) will usually be required to process special categories of personal data (see glossary for definition), for automated decision-making and for transferring personal data outside of the UK or the EEA.
Where V&V Health Innovations needs to process special categories of personal data, it will generally rely on another lawful basis that does not require explicit consent; however, V&V Health Innovations must provide the data subject with a fair processing notice explaining such processing.
If V&V Health Innovations is unable to demonstrate that it has obtained consent in accordance with the above requirements, it will not be able to rely upon such consent.
Transparency
The concept of transparency runs throughout the GDPR and requires V&V Health Innovations to ensure that any information provided by V&V Health Innovations to data subjects about how their personal data will be processed is concise, easily accessible, easy to understand and written in plain language. Where V&V Health Innovations has not been transparent about how it processes data, this will call the lawfulness and fairness of the processing into question.
V&V Health Innovations can demonstrate transparency through providing data subjects with appropriate privacy notices or fair processing notices before it collects and processes their data and at appropriate times throughout the processing of their personal data.
The GDPR sets out a detailed list of information that must be contained in all privacy notices and fair processing notices, including the types of data collected; the purposes for which they will be processed; the lawful basis relied upon for such processing (in the case of legitimate interests, V&V Health Innovations must explain what those interests are); the period for which they will be retained; who V&V Health Innovations may share personal data with; and, if V&V Health Innovations intends to transfer personal data outside of the UK or the EEA, the mechanism relied upon for such transfer (see Transfers of personal data outside of the UK or the EEA).
Where V&V Health Innovations obtains any personal data about a data subject from a third party, it must check that the data were collected by that third party in accordance with the GDPR’s requirements and on a lawful basis, and that the sharing of the personal data with V&V Health Innovations was clearly explained to the data subject.
All privacy notices and fair processing notices should be reviewed by the Data Protection Officer or any appointed external consultant.
Purpose limitation
V&V Health Innovations must only collect and process data for specified, explicit and legitimate purposes that have been communicated to data subjects before the data have been collected.
V&V Health Innovations must ensure that it does not process any data obtained for one or more specific purposes for a new purpose that is not compatible with the original purpose. Where V&V Health Innovations intends to do so, it must inform the data subjects before using their data for the new purpose and, where the lawful basis relied upon for the original purpose was consent, obtain such consent again.
Data minimisation
The data that V&V Health Innovations collects and processes must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed.
You must only process data when necessary for the performance of your duties and tasks and not for any other purposes. Accessing data that you are not authorised to access, or that you have no reason to access, may result in disciplinary action and in certain circumstances, may constitute a criminal offence.
You may only collect data as required for the performance of your duties and tasks and should not ask a data subject to provide more data than is strictly necessary for the intended purposes.
You must ensure that, when certain data are no longer needed for the specific purposes for which they were collected, such data are deleted, destroyed or anonymised.
Accuracy
The data that V&V Health Innovations collects and processes must be accurate and, where necessary, kept up-to-date and must be corrected or deleted without delay when V&V Health Innovations discovers, or is notified that the data are inaccurate.
You must ensure that you update all relevant records if you become aware that any personal data is inaccurate. Where appropriate, any inaccurate or out-of-date records should be deleted or destroyed.
Storage limitation
The personal data that V&V Health Innovations collects and processes must not be kept in a form that identifies a data subject for longer than is necessary in relation to the purposes for which it was collected (except in order to comply with any legal, accounting or reporting requirements).
Storing personal data for longer than necessary may increase the severity of a data breach and may also lead to increased costs associated with such storage.
V&V Health Innovations will maintain policies and procedures to ensure that personal data are deleted, destroyed or anonymised after a reasonable period of time following expiry of the purposes for which they were collected.
You must regularly review any personal data processed by you in the performance of your duties and tasks to assess whether the purposes for which the data were collected have expired. Where appropriate, you must take all reasonable steps to delete or destroy any personal data that V&V Health Innovations no longer requires in accordance with V&V Health Innovations’s Records Management Policies.
All privacy notices and fair processing notices must inform data subjects of the period for which their personal data will be stored or how such period will be determined.
Security, integrity and confidentiality
Security of data
The data that V&V Health Innovations collects and processes must be secured by appropriate technical and organisational measures against accidental loss, destruction or damage, and against unauthorised or unlawful processing. Such measures may include encryption of personal data in transit and at rest, pseudonymisation, access controls that restrict data to those who need it, and logging and regular testing of those controls.
V&V Health Innovations will develop, implement and maintain appropriate technical and organisational measures for the processing of data taking into account the:
- nature, scope, context and purposes for such processing
- volume of data processed
- likelihood and severity of the risks of such processing for the rights of data subjects
V&V Health Innovations will regularly evaluate and test the effectiveness of such measures to ensure that they are adequate and effective.
You are responsible for ensuring the security of the data processed by you in the performance of your duties and tasks. You must ensure that you follow all procedures that V&V Health Innovations has put in place to maintain the security of data from collection to destruction.
You must ensure that the confidentiality, integrity and availability of personal data are maintained at all times:
- Confidentiality: means that only people who need to know and are authorised to process any personal, health and business data can access it
- Integrity: means that personal data are accurate and complete, and protected against unauthorised or accidental alteration, so that they remain suitable for the intended purposes
- Availability: means that those who need to access the personal, health and business data for authorised purposes are able to do so when required
You must not attempt to circumvent any administrative, physical or technical measures V&V Health Innovations has implemented as doing so may result in disciplinary action and in certain circumstances, may constitute a criminal offence.
Reporting data breaches
In certain circumstances, the GDPR will require V&V Health Innovations to notify the ICO of a data breach (without undue delay and, where feasible, within 72 hours of becoming aware of it) and, where the breach is likely to result in a high risk to their rights and freedoms, to notify the affected data subjects.
V&V Health Innovations has put in place appropriate procedures to deal with any data breach and will notify the ICO and/or data subjects where V&V Health Innovations is legally required to do so.
If you know or suspect that a data breach has occurred, you must contact the Data Protection Officer, and IT Services if relevant, immediately to report it and obtain advice, and take all appropriate steps to preserve evidence relating to the breach.
You must ensure that you observe and comply with V&V Health Innovations’s data breach procedure.
Sharing data
You are not permitted to share data with third parties unless V&V Health Innovations has agreed to this in advance, this has been communicated to the data subject in a privacy notice or fair processing notice beforehand and, where such third party is processing the personal data on our behalf, V&V Health Innovations has undertaken appropriate due diligence of such processor and entered into an agreement with the processor that complies with the GDPR’s requirements for such agreements.
The transfer of any data to an unauthorised third party would constitute a breach of the Lawfulness, fairness and transparency principle and, where caused by a security breach, would constitute a personal data breach. Do not share any personal data with third parties, including through the use of freely available online and cloud services for work-related purposes, unless you are certain that the conditions outlined above apply. Seek advice from the Data Protection Officer, or IT Services, if you are unsure.
Transfers outside of the United Kingdom or the European Economic Area (EEA)
The GDPR prohibits the transfer of personal data outside of the UK or the EEA in most circumstances in order to ensure that personal data is not transferred to a country that does not provide the same level of protection for the rights of data subjects. In this context, a “transfer” of personal data includes transmitting, sending, viewing or accessing personal data in or to a different country.
V&V Health Innovations may only transfer personal data outside of the UK or the EEA if one of the following conditions applies:
- the UK Government (or, for transfers from the EEA, the European Commission) has issued an “adequacy decision” confirming that the country to which we propose transferring the personal data ensures an adequate level of protection for the rights and freedoms of data subjects (this applies to only a small number of countries)
- appropriate safeguards are in place, such as binding corporate rules, the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s standard contractual clauses, an approved code of conduct or a certification mechanism which, in each case, can be obtained from the Data Protection Officer
- the data subject has given their explicit consent to the proposed transfer, having been fully informed of any potential risks
- the transfer is necessary in order to perform a contract between V&V Health Innovations and a data subject, for reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the data subject in circumstances where the data subject is incapable of giving consent
- the transfer is necessary, in limited circumstances, for V&V Health Innovations’s legitimate interests
You must ensure that you do not transfer any personal data outside of the UK or the EEA except in the circumstances set out above and provided that V&V Health Innovations has agreed to this in advance.
Data subject rights and requests
The GDPR provides data subjects with a number of rights in relation to their personal data. These include:
- Right to withdraw consent: where the lawful basis relied upon by V&V Health Innovations is the data subject’s consent, the right to withdraw such consent at any time without having to explain why
- Right to be informed: the right to be provided with certain information about how we collect and process the data subject’s personal, health and business data (see Transparency)
- Right of subject access: the right to receive a copy of the data that we hold, including certain information about how V&V Health Innovations has processed the data subject’s data
- Right to rectification: the right to have inaccurate personal data corrected or incomplete data completed
- Right to erasure (right to be forgotten): the right to ask V&V Health Innovations to delete or destroy the data subject’s data if: the data are no longer necessary in relation to the purposes for which they were collected; the data subject has withdrawn their consent (where relevant); the data subject has objected to the processing; the processing was unlawful; or the data have to be deleted to comply with a legal obligation
- Right to restrict processing: the right to ask V&V Health Innovations to restrict processing if: the data subject believes the personal data are inaccurate; the processing was unlawful and the data subject prefers restriction of processing over erasure; the data are no longer necessary in relation to the purposes for which they were collected but they are required to establish, exercise or defend a legal claim; the data subject has objected to the processing pending confirmation of whether V&V Health Innovations’s legitimate interests grounds for processing override those of the data subject
- Right to data portability: in limited circumstances, the right to receive or ask V&V Health Innovations to transfer to a third party, a copy of the data subject’s personal data in a structured, commonly-used machine-readable format
- Right to object: the right to object to processing where the lawful basis for processing communicated to the data subject was V&V Health Innovations’s legitimate interests and the data subject contests those interests
- Right to object to direct marketing: the right to request that we do not process the data subject’s personal data for direct marketing purposes
- Right to object to decisions based solely on automated processing (including profiling): the right to object to decisions creating legal effects or significantly affecting the data subject which were made solely by automated means, including profiling, and the right to request human intervention
- Right to be notified of a data breach: the right to be notified of a data breach which is likely to result in a high risk to the data subject’s rights or freedoms
- Right to complain: the right to make a complaint to the ICO or another appropriate supervisory authority
You must be able to identify when a request has been made and must verify the identity of the individual making a request before complying with it. You should be wary of third parties deceiving you into providing personal data relating to a data subject without their authorisation.
You must immediately forward any request made by a data subject (even if you are uncertain whether it represents a request as set out above) to the Data Protection Officer. V&V Health Innovations will in most circumstances have only one month to respond (extendable by up to two further months where requests are complex or numerous, provided the data subject is informed within the first month).
You must observe and comply with V&V Health Innovations’s data subject access requests procedure.
Research exemption
Some of the rules outlined above do not apply when business and personal data are being used for research purposes, due to an exemption contained in the GDPR and DPA 2018. This exemption applies if the following conditions are met:
(a) Appropriate technical and organisational safeguards exist to protect the data e.g. data minimisation, pseudonymisation, or access controls.
(b) There is no likelihood of substantial damage or distress to the data subjects from the data processing.
(c) The research will not lead to measures or decisions being taken about individuals (except for ethically approved interventional medical purposes).
(d) Compliance with the requirements that the exemption negates would prevent or seriously impair the research purpose.
If these conditions are met, the following modifications apply:
(a) Data originally collected for other purposes can be used for the research and can be retained for longer than would otherwise be permitted, subject to the safeguards above.
(b) The right of individuals to access their data does not apply if the research results will be made public in a form that does not identify them.
(c) The rights to rectification, erasure, restriction and objection do not apply.
Accountability and record-keeping
V&V Health Innovations is responsible for and must be able to demonstrate compliance with the data protection principles and V&V Health Innovations’s other obligations under the GDPR. This is known as the ‘accountability principle’.
V&V Health Innovations must ensure that it has adequate resources, systems and processes in place to demonstrate compliance with V&V Health Innovations’s obligations including:
- appointing a suitably qualified and experienced Data Protection Officer (DPO) and providing them with adequate support and resource
- implementing, at the time of deciding how V&V Health Innovations will process personal data and throughout its processing, appropriate technical and organisational measures that are designed to ensure compliance with the data protection principles (known as ‘Data Protection by Design’)
- ensuring that, by default, only personal data that are necessary for each specific purpose are processed both in relation to the nature, extent and volume of such personal data, the period of storage and the accessibility of the personal data (known as ‘Data Protection by Default’)
- ensuring that where any intended processing presents a high risk to the rights and freedoms of data subjects, V&V Health Innovations has carried out an assessment of those risks and is taking steps to mitigate those risks, by undertaking a ‘Data Protection Impact Assessment’ (see below)
- integrating data protection into V&V Health Innovations’s internal documents, privacy policies and fair processing notices
- regularly training V&V Health Innovations’s staff on the GDPR, this policy and V&V Health Innovations’s related policies and procedures, and maintaining a record of training completion by members of staff
- regularly testing the measures implemented by V&V Health Innovations and conducting periodic reviews to assess the adequacy and effectiveness of this policy, and V&V Health Innovations’s related policies and procedures (Schedule 2)
V&V Health Innovations must keep full and accurate records of all its processing activities in accordance with the GDPR’s requirements.
You must ensure that you have undertaken the necessary training provided by V&V Health Innovations and, where you are responsible for other members of staff, that they have done so.
You must further review all the systems and processes under your control to ensure that they are adequate and effective for the purposes of facilitating compliance with V&V Health Innovations’s obligations under this policy.
You must ensure that you observe and comply with all policies and guidance which form V&V Health Innovations’s Information Governance Framework (This policy along with any documents mentioned in Schedule 2).
Direct marketing
In addition to V&V Health Innovations’s obligations under the GDPR, it is also subject to more specific rules in relation to direct marketing by email, SMS or telephone.
V&V Health Innovations must ensure that it has appropriate consent from individuals to send them direct marketing communications, and that when a data subject exercises their right to object to direct marketing it has honoured such requests promptly.
You must ensure that you understand or consult with the Company Director on V&V Health Innovations’s legal obligations in relation to direct marketing before embarking upon any direct marketing campaign.
Data Protection Officer
According to Information Commissioner’s Office guidance, the Company is required to appoint a Data Protection Officer (“DPO”). The details of the current officer are as follows:
Dr Vassiliki Somaraki, email: [email protected], phone: 07388048523
The DPO is responsible for ensuring compliance with this Data Processing Policy and the applicable public Privacy Policy, along with any applicable data protection laws.
Data Storage
All data provided voluntarily by the Company’s users are stored on servers hosted in the Amazon Web Services London region, within the UK.
Information Commissioner’s Office
V&V Health Innovations Ltd is registered with the ICO under registration number ZB514707. Details of our registration can be found on the ICO’s public register of fee payers, and the ICO can be contacted through its website.
For the avoidance of doubt, the ICO can be contacted in cases of data subject complaints, requests or for clarification purposes.
Changes to this policy
V&V Health Innovations may make amendments to this policy at any time without notice.
Schedule 1 – Glossary
automated processing: any form of processing (including profiling) that is undertaken by automated means to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data about them
controller: the person or organisation that determines the purposes and means of processing personal data
criminal convictions and offences: personal data relating to criminal convictions, the commission or alleged commission of an offence, proceedings for the commission or alleged commission of an offence and sentencing
Data Protection Impact Assessment (DPIA): a tool used to identify and reduce the risks of a processing activity and which must be undertaken in certain circumstances specified in the GDPR (also known as a ‘Privacy Impact Assessment’)
data subject: an individual to whom personal data relates and who can be identified or is identifiable from personal data
Data Protection Officer (DPO): a person required to be appointed in specific circumstances under the GDPR and who must have expert knowledge of data protection law and practice, being the organisation’s main representative on data protection matters
DPA 2018: the UK Data Protection Act 2018
EEA: the 27 countries in the European Union and Iceland, Liechtenstein and Norway
explicit consent: a higher standard of consent that requires a very clear and specific statement rather than an action which is suggestive of consent
fair processing notices: a notice setting out information that must be provided to data subjects before collecting personal data from them, including notices aimed at a specific group of individuals or notices that are presented to a data subject on a ‘just-in-time’ basis (also known as a ‘privacy notice’ or ‘data protection notice’)
GDPR: the General Data Protection Regulation (Regulation (EU)
personal data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes criminal convictions and offences data, special categories of personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour
personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and which compromises the confidentiality, integrity, availability and/or security of the personal data
privacy notices: see fair processing notices above
process, processes, processing: any activity or set of activities which involves personal or business data including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction
pseudonymised, pseudonymisation: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers (for example, a numerical identifier or other code) or pseudonyms so that the data subject cannot be identified without combining the identifier or pseudonym with other information which has been kept separately and securely. Personal data that have been pseudonymised is still treated as personal data (unlike personal data which has been anonymised)
special categories of personal data: previously known as “sensitive personal data” under the Data Protection Act 1998, this means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data and, for the purposes of this policy, personal data relating to criminal offences and convictions
staff: V&V Health Innovations’s directors, agents, consultants, contractors, employees, representatives, trustees and other officers, including hourly paid staff holding a position of employment
THIS POLICY IS REVIEWED ANNUALLY TO ENSURE RELEVANCE AND COMPLIANCE
Created: February 2023
_________________
Dr. Vassiliki Somaraki
(Director)