Last modified: 6/02/2018
Notice of privacy practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Wecudos’ COMMITMENT TO YOUR PRIVACY:
Wecudos is dedicated to maintaining the privacy of your protected health information (‘PHI’). PHI is information about you that may be used to identify you (such as your name, social security number or address), and that relates to (a) your past, present or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. In conducting its business, Wecudos will receive and create records containing your PHI. Wecudos is required by law to maintain the privacy of your PHI and to provide you with notice of its legal duties and privacy practices with respect to your PHI.Wecudos must abide by the terms of this Notice while it is in effect. This current Notice takes effect on February 23, 2014, and will remain in effect until Wecudos replaces it. Wecudos reserves the right to change the terms of this Notice at any time, as long as the changes are in compliance with applicable law. If Wecudos changes the terms of this Notice, the new terms will apply to all PHI that it maintains, including PHI that was created or received before such changes were made. If Wecudos changes this Notice, it will post the new Notice on its Web site and will make the new Notice available upon request. We know that you care about how information about you is gathered and shared and we appreciate your trust in us to do this carefully and sensibly.
Uses and disclosures of PHI:
Wecudos may use and disclose your PHI in the following ways: 1. Treatment, Payment and Health Care Operations. Wecudos is permitted to use and disclose your PHI for purposes of (a) treatment, (b) payment and (c) health care operations. For example:Treatment. The PHI you provide upon sign up is essential for two reasons.Firstly, for the connection to the correct healthcare providers and secondly for the purposes of a consult or in the provision of follow-up treatment. Your health information may also be shared between the health professionals looking after you in order to provide an all-round holistic treatment programe. At any point you may deny your healthcare providers the means to do so.Payment. Wecudos may use and disclose your PHI to your health insurer or health plan in connection with the processing and payment of claims and other charges. Health Care Operations. Wecudos may use and disclose your PHI in connection with its health care operations, such as providing customer services and conducting quality review assessments. Wecudos may engage third parties to provide various services for Wecudos. If any such third party must have access to your PHI in order to perform its services, Wecudos will require that third party to enter an agreement that binds the third party to the use and disclosure restrictions outlined in this Notice. In addition to this, you agree for us to share your PHI to our affiliated business partners (e.g Virgin Active) to assist and support your health and wellbeing including recommending any products and services that we think you would benefit from given that Wecudos has a large focus on personalising health and fitness. 2. Authorization. Wecudos is permitted to use and disclose your PHI upon your written authorization, to the extent such use or disclosure is consistent with your authorization.You may revoke any such authorization at any time. 3. As Required by Law. Wecudos may use and disclose your PHI to the extent required by law.
The following categories describe unique circumstances in which Wecudos may use or disclose your PHI: 1. Public Health Activities. Wecudos may disclose your PHI to public health authorities or other governmental authorities for purposes including preventing and controlling disease,reporting child abuse or neglect, reporting domestic violence and reporting to the Food and Drug Administration regarding the quality, safety and effectiveness of a regulated product or activity. Wecudos may, in certain circumstances disclose PHI to persons who have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.
What information does Wecudos gather?:
How Wecudos uses and processes the personal information that is made available by you?:
We use and process Information about you for the following general purposes: 1. to enable you to access and use the Platform; 2. to operate, protect and improve the Platform, Wecudos business, and our users’ experience, such as to perform analytics, conduct research, and for advertising and marketing; 3. to help create and maintain a trusted and safe environment on the Platform, such as fraud detection and prevention, verifying any identifications provided by you, and conducting checks against databases such as public government databases; 4. to send you service, support and administrative messages, reminders, and information requested by you; 5. to administer rewards, surveys, or other promotional activities or events sponsored or managed by Wecudos or our business partners; including the health & fitness professionals that you interact with at our events, 6.to market and sell relevant services, products or experiences that we thing would benefit your health and wellbeing, 7. to comply with our legal obligations.
How Wecudos uses and processes User Communications?:
We may review, scan, or analyse your communications with other users exchanged via the Platform for fraud prevention, regulatory compliance, product development, research and customer support purposes. For example, as part of our fraud prevention efforts, the Platform may scan and analyse messages to prevent the sending of contact information and references to acting outside the Platform. We may also scan, review or analyse messages for research and product development purposes to help make search, booking and user communications more efficient and effective. We will not review, scan, or analyse your communications for sending third party marketing messages to you. We will also not sell these reviews or analyses of communications to third parties. By using the Platform, you consent that Wecudos, in its sole discretion, may review, scan, analyse, and store your communications, whether done manually or through automated means.
DATA PROCESSING AGREEMENT
Wecudos is a mobile application and digital communication service used to reinforce a mutually agreed healthcare plan or aftercare between a patient and a healthcare provider. The Customer is the Data Controller in respect of certain Personal Data & Sensitive Personal Data and appoints Wecudos as a Data Processor.In order to provide Wecudos services we require certain Personal Data & Sensitive Personal Data to be made available by the Data Controller. This Agreement regulates the provision and use of Personal Data & Sensitive Personal Data and ensures both Wecudos and The Customer meet their obligations under the Data Protection Act 1998.
Definitions and interpretations:
The following words and phrases used in this Agreement and the Schedule shall have the following meanings except where the context otherwise requires:
Data Controller means a Person who determines the purposes for which and the manner in which any Personal Data/Sensitive Personal Data are, or are to be processed, in the case of this Agreement, The Customer;Data Processor in relation to Personal Data/Sensitive Personal data, means any Person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller which in the case of this Agreement is Wecudos;Digital communication service/channels include WhatsApp, SMS, email, Facebook messenger, phone. Wecudos the digital communication service and patient management software as described in the Terms and Conditions for the Supply of Wecudos;Person recognised in law, that is to say individuals; organisations; and other corporated and unincorporated bodies of persons, Data Subject means an individual who is the subject of Personal Data/Sensitive Personal Data;Personal Data means data, which relates to a living individual who can be identified from that data, or from that data and other information that is in the possession of, the Data Controller or Data Processor;Sensitive Personal Data means Personal Data consisting of information as to the racial or ethnic origin of the data subject; his political opinions; his religious beliefs or other beliefs of a similar nature; whether he is a member of a trade union; his physical or mental health or condition; his sexual life; the commission or alleged commission by him of any offence or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings;and Services means the Services to be carried out by the Data Processor in order to provide Wecudos Templates means a set of instructions and configurations created by the Data Controller, and contained in Wecuods that control the content and incidence of digital messages to the patient, as well as information sent to a clinician in regard to a patients data and activity.
The Personal Data & Sensitive Personal Data to be processed under this agreement consists of data relating to patients of the Data Controller namely:First and Last Name,Mobile phone number,Content of the communications with patients and their healthcare provider sent and received via Wecudos. Obligations of the data controller- The Data Controller shall invite its patients to provide their Personal Data and/or Sensitive Personal Data to the Data Processor.The Data Controller must obtain all necessary consents in respect of patient data before entering such data on Wecudos. The instructions given by the Data Controller to the Data Processor in respect of the Personal Data/Sensitive Personal Data disclosed to it by patients of the Data Controller or generated in respect of such patients shall at all times be in accordance with the laws of the United Kingdom.The Data Controller must accept responsibility for all Templates and all data contained in Templates.The Data Controller must ensure that all data fields in Wecudos are correctly filled in and do not contain patient identifiable information where they are not supposed to.The Data Controller, by entering into this Agreement, instructs the Data Processor to process the Personal Data/Sensitive Personal Data on its behalf for the purpose of providing Wecudos, including the purpose of reports metadata and usage data
Our obligations as a data processor:
We process the Personal Data & Sensitive Personal Data in compliance with the Data Protection Act 1998.We will store the Personal Data and Sensitive Personal Data in line with our published Data Retention Policy .We process the Personal Data & Sensitive Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions as laid down in the Templates created and stored in Wecudos by the Data Controller.The only instance that personal and sensitive data may be considered as being transferred is in automated emails and digital messages to Clinicians. All these communications are considered in line with the Caldicott Principles .We will assist any customer within 10 working days of all subject information requests that may be received from the data subjects of the Personal Data & Sensitive Personal Data.We may disclose anonymised outcomes and performance data to reputable third parties (e.g device manufacturers) to improve the outcomes of patients/clients and to record treatment results, progress and any complications or adverse effects. This does not include your patient or clients personally identifiable data and does not include any intellectual property or content of the Data Controller through any of our digital communication channels. We may disclose anonymised outcomes and performance data to reputable third parties for the sake of improving the service we offer to the customer (e.g health professionals and clinics)- this includes advanced data analytics and reporting and the storage of this data for future statistical reference by both parties- this data will not include your patient or clients personally identifiable data and does not include any intellectual property or content of the Data Controller through any of our digital communication channels. However for completeness you should be aware of the following:The Data Controller reports metadata and usage data to Wecudos, Sometimes, users of the Helpdesk will disclose patient data to the Data Processor and very occasionally the Data Processor’s Technical Team may have access to patient data when they are fixing a technical issue with Wecudos; however, this will not involve disclosure of any such data outside of the Data Controller.We don’t sub-contract any of our obligations under this agreement without first notifying you and providing you with the option to cancel.We will not store or directly transfer the Personal Data/ Sensitive Personal Data outside of the EEA. However we draw your attention to the fact that that a clinician who uses Wecudos to view patient data using a computer outside of the EEA may effect a transfer of data outside of the EEA.We will notify all Customers of any information security breach or incident that may compromise the Personal Data & Sensitive Personal Data covered by this agreement within two working days of becoming aware of any such incident.In exceptional circumstances we may contact patients directly via our digital communication channels. For example:In the event of exceptional outages or disruption to third party internet or telephony services, in order to maintain the availability of Wecudos we may contact patients directly to give them alternative connectivity details.In the event that the Data Controller has cancelled its agreement for Wecudos but patients remain on live Protocols, we may contact a patient to ask them to contact their Clinician for advice regarding next steps. Wecudos uses 'Care Pathways' as a way to help you manage your patients and clients, we will never disclose your own care pathway or it's content or your intellectual property to any third parties whether in the EEA or outside.
Third party rights:
The Data Subject is hereby entitled to enforce the terms and conditions of this Agreement as a third party beneficiary.
Duration and termination:
This Agreement shall remain in full force and effect while the Customer remains a paying customer of Wecudos. Governing lawThis Agreement is governed by and construed in accordance with the law of England.
This information security policy outlines how we protect IT assets that we use to provide Wecudos and, with it, the patient and personally identifiable information that we process and hold on behalf of our customers.We are committed to safeguarding and the appropriate use of patient and personal information. Whenever you provide or we collect such information, we will only use the information for its intended purpose we will keep the data safe to the best of our abilities.
Objectives And Scope:
Objectives The objectives of this Information Security Policy are to preserve the integrity and availability of Wecudos and safeguard the confidential and personal information held within it.ScopeThe policy applies to all hardware, software, information, networks, applications, and locations where we carry out data processing for Wecudos.It applies to all those working for or on behalf of Wecudos, (including permanent, part time or contract workers). Responsibility Ultimate responsibility and accountability for information security rests with our Directors. The Directors are responsible for managing and implementing the policy and related procedures.Each member of staff is responsible for the security of the information systems they use, and is aware of their obligation to work within information security procedures and maintain data confidentiality and integrity.MonitoringWe regularly review our policies to keep up to date with the latest legislation and best practice.LegislationWe are obliged to abide by all relevant UK and European Union legislation, and the requirement to comply with this legislation spreads to our employees.Any employee may be held personally accountable for any breaches of information security for which they may be held responsible.We comply with the following legislation and other legislation as appropriate:The Data Protection Act (1998)The Data Protection (Processing of Sensitive Personal Data) Order 2000. The Copyright, Designs and Patents Act (1988)The Computer Misuse Act (1990)The Health and Safety at Work Act (1974)Human Rights Act (1998)Freedom of Information Act 2000
Access Control Only authorised personnel who have a justified and approved business need are given access to our IT assets containing information systems or stored data. This includes IT equipment located in our office, or our external data centres.Equipment SecurityIn order to minimise the risk of loss or damage to IT assets, we locate our equipment in secure Data Centres which are physically protected from threats and environmental hazards.Process ChangesAll developments and process changes must be done in accordance with the legal and information governance framework surrounding Wecudos. Staff are made aware of this requirement and the impact of changes will always be appropriately assessed prior to software release. Protection from Malicious Software We use antivirus software and management procedures to protect against the threat of malicious software. Monitoring System Access An audit trail of system access and data use by staff is maintained. Privacy We only collect information necessary to provide Wecudos and we treat this data in line with our Data Retention Policy and Data Processing Agreement.
DATA RETENTION POLCY
This data retention policy outlines how Wecudos operates in regard to data storage, retention and destruction, and pays particular attention to the requirements laid down in the Data Protection Act 1998. The key principles of this policy are:Data must be stored securely and appropriately having regard to the sensitivity and confidentiality of the data.Appropriate measures are put in place to prevent unauthorised access and processing of the data, or accidental loss or damage to the data.Data is disposed of appropriately and securely to ensure the data does not fall into the hands of unauthorised personnel.
Data and records are stored securely to avoid misuse or loss.Any data file or record that contains personal data or personal sensitive data is considered as confidential.Examples of how we approach storage are:We only use secure data centres that prevent unauthorised physical access to our hardware.Access to the hardware and maintenance is restricted to appropriately trained and authorised Wecudos employees.Only employees who are required to assist in meeting our obligations in providing Wecudos have access to the data. These employees have a full understanding of the obligations and their duty of confidentiality, and the care required in the handling of the data.We password protect all databases.We encrypt data transferred between our app and our server using the current best practices for end-to-end encryption: RSA encryption, 2048 bit key length, over TLS v1.2, Cipher ECDHE-RSA-AES256-GCM-SHA384 . Our certificate provider is Let’s Encrypt Authority X3We do not keep the Personal Data or Sensitive Personal Data on any laptop or other removable drive. In the event Personal Data or Personal Sensitive Data had to be stored on a laptop or removable drive then the data would be encrypted to a standard in line with industry best practice and standards available at that time.We do not and will not transfer Personal Data or Personal Sensitive Data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
The Data Protection Act requires that personal data processed for any purpose “shall not be kept for longer than necessary for that purpose”.In terms of the data stored on Wecudos we regard the following aspects to be personal:A mobile phone numberFirst and last nameContent of the communications sent and received via WecudosThere is no limit to the period of data retention on Wecudos. Data that is processed via our digital communication channels and applications belongs to Wecudos as well as the customer.
Destruction and Disposal:
All information of a confidential or sensitive nature must be securely destroyed when no longer required.The procedure for the destruction of confidential or sensitive records is as follows:Electronic files are deleted in such a way that they cannot be retrieved by simply undoing the last action or restoring the item from the Recycle Bin.Destruction of backup copies is also dealt with in the same manner.Prior to disposal Data storage devices are wiped to the standards defined by US Department of Defence Standard for Data Destruction.
Get in touchAs always, if you have any specific concerns or would like further reassurance then please email ENQUIRIES@WECUDOS.COM