1 September 2020
Your privacy is essential to our core activity. We are committed to respecting and protecting it while you use our services. This policy is designed to let you know who we are, what we do, how we protect the information that you provide us with or that we receive from other sources, such as your healthcare team, and what your rights are.
This policy was updated on the 1st September 2020.
Who we are
BIOS Health delivers a platform for patients and healthcare teams managing long term health conditions. Our company's registered address is 8 Bateman Mews, Cambridge, United Kingdom, CB2 1NN and we are registered with Companies House with the number 09575301.
We are a data controller and sometimes a data processor under UK law. This means we are responsible for the data we receive through the use of our apps and for determining the purpose(s) and manner in which it is processed. As we provide our services to third parties, such as healthcare organisations and trusts, we may be processing the information on their behalf and subject to their lawful basis for processing and/or our own legitimate interests.
By signing up to use the apps, you consent to us having and using your data to provide our service. We take this responsibility extremely seriously and commit to maintaining utmost security to support this. If you stop providing your personal information or you choose to withdraw your consent to us processing your information, we will no longer be able to provide you with the service.
What data will we collect?
Any information that you put into our system. This can include name, address, email and NHS number, but often only name and email are required for consent and for contacting you in case of disruptions to services. This sign up process can also be done anonymously using only study IDs and anonymous emails if a user is participating in a study already with the help of the study personnel. We store any personal information separately to the rest of the health data, which we process anonymously.
We primarily collect data related to your health, provided by sensors such as GPS, accelerometer and heart-related sensors such as PPG (photoplethysmogram) and ECG (electrocardiogram) sensors as well as survey results to questionnaires related to your health and well-being that you input using your smart device.
We may also collect additional information from our applications and website such as your device's IP address and the time and duration of your service usage, to deliver the fastest application response for you, as the user.
We will record your usage of our app(s) to understand which sections you use most to improve the applications and your user experience with them.
Information put into our system by your healthcare team in working with you to understand your condition and overall health better.
Geolocation – In order to create accurate measures of your activity levels we use differential GPS in some of our metrics. This means that we do not record your locations, but only the changes in your location. This information enables accurate measures of distances moved in activity without us having access to your location.
Information from third parties that form part of our services.
How do we use your data?
We use your information to support you and your healthcare team. The applications are intended for you to record your symptoms, how you are feeling and other overall health metrics. There are also passive health measures as mentioned in the data types that measure your physical activity levels as well as your heart function. This data is for you and your healthcare team to learn more about your condition to ultimately improve and create treatments for you and your condition. This data is not used in assessing your treatment clinically, but only used for research purposes.
NOTE – we will NOT use your information nor sell your information for marketing purposes.
1. To provide you with the service
a. To register and manage your account with us and to ensure your information is accurate and up to date
b. To inform you of any alterations, modifications and updates to the service
c. To review, investigate and address issues that may affect your use of our service
2. To exercise our legitimate interests
a. We will use your data to review and assess the quality of our service and make improvements
b. We need your information to provide a responsive service to you and your healthcare team and to support or respond to you, when you contact us
c. We will use your information for internal operations. These might include troubleshooting, fraud detection and resolution, data quality checks, functional testing, security, audit and statistical analysis to ensure that our app(s)/service satisfies the requirements of our users
3. To respond to obligatory requirements
a. We will disclose information if we are requested to do so as part of a reasonable regulatory requirement or in response to a legal request
Sharing your data
We may need to share your information and anonymised information (or small portions of it), depending on the service, with third parties. The third parties, and an example of their involvement in the delivery of the service, are:
Information storage providers to record information that is input to your account
Healthcare & research teams. This will always be anonymised unless you agree, at the time, to participate in trials using your identifiable information
We will only ever share the minimal information necessary to deliver the service.
We will also take part, where approved by the relevant authorities, in assisting with relevant studies and medical research. This is to help understand more about your condition and the improvement of future treatments available to you, and others who suffer from the same condition. These will require separate consent from you, the user.
How do we keep your information secure?
Your information is stored within Amazon Web Services and situated in a region local to you. All information processed by us is encrypted in storage.
We have strict procedures and security measures to prevent, as much as reasonably possible, unauthorised access to or disclosure of your information. We cannot guarantee the security of any information you transmit to us, such as emails containing information about you.
How long will we store your information?
We will keep your information for up to 30 years in line with medical guidelines, from the point you tell us you no longer wish to use the platform. If you ask us to delete your information before this, we will, but it may take up to 6 months to completely remove your data from the cloud-based back-up storage system, simply because of the way in which our back-up host operates. Following the confirmed death of a user, their data will be removed after 8 years, again in line with medical guidelines.
What rights do you have regarding your information?
We are committed to complying with your rights to your information and will deal with any requests, outlined below, without undue delay and in line with regulatory timeframes. By law you have a number of rights that apply in certain circumstances. These include the right to:
Object to processing
This means you may not want your information used in some ways
This means we can no longer use your information, but we will store it and maintain your place on our data set of users whose information we hold but cannot use moving forward
You should have clear, accessible and transparent information provided to you so you understand how we work, protect and use your information
Have access to your information
This enables you to check we are using your data correctly and is done by contacting us directly or your healthcare team
If you see incorrect or incomplete information, you can ask to have that corrected.
This means you can be "forgotten". It is important to know that this is not a general statement and is subject to some conditions, but the right means you can have all the information we hold on you deleted where there is no compelling reason for us to keep using it.
Move your data
This is referred to as portability. Your data should be provided for you in a way that is accessible and provides you with the option of reusing the data in other situations, as you own your data
You have the right to lodge a complaint, and we will respect this and deal with it in a timely fashion in line with UK regulations.
This means you remove the right for us to use your data. You may do this at any point and without providing a reason for doing so. Removing your consent, though, means you will no longer be able to use our services.
If you have further questions, you can contact us at the address:
8 Bateman Mews
If you would rather deal with an independent group or feel we have not satisfactorily dealt with your enquiry, you can contact the ICO by email OR phone 0303 123 1113.