Privacy Policy - myHealthE

myHealthE - Privacy Statement

Introduction

Protecting your personal data (as defined under Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is of upmost importance to South London and the Maudsley NHS Foundation Trust (“SLaM”, “us”, “our” or “we”). The following Privacy Statement applies to myHealthE in its entirety, and sets out how your personal data is handled by us. We strongly recommend that you take some time to read this policy carefully to understand how we treat your personal data. This Privacy Statement should be read together with our Privacy & GDPR webpage (https://www.slam.nhs.uk/about-us/privacy-and-gdpr) and our Web Privacy Policy (https://slam.nhs.uk/privacy-policy).

What information do we collect as part of myHealthE?

We collect information directly from you in a number of ways. You have a choice about the data we collect. When you are asked to provide data, you may decline. However, some information will need to be provided in order to enable you to access the myHealthE system. This will include:

Identifiers such as your name, date of birth and your unique ID number; ;
Contact details such as your email address, telephone number and email address;
Information relating to your child including identifiers such as their name, date of birth, their current school, as well as clinical information relating to your child contained in your responses to the questionnaires accessed through MyHealthE;

Cookies

myHealthE uses cookies. Cookies are small text files that save and retrieve information about your visit, such as how you entered and navigated the app and what information was of interest to you. In addition to this, if you personalise any part of myHealthE the information is stored in a cookie and is remembered for your next visit. Cookies provide an anonymised label for each user. If you are uncomfortable with the use of cookies, you can disable cookies on your electronic device by changing the Settings in the 'Preferences' or 'Options' menu in your internet browser.

Data may be collected when you enter information as part of understanding how you use myHealthE. When this data is collected, we will notify you as to why we are asking you for this information, and how this information will be used. It is completely up to you whether you provide it, and if you do not feel comfortable providing this information, you are under no obligation to do so. myHealthE uses a temporary session cookie to reference the active server session. The cookie is in-memory only and is not active after the browser session is closed.

Networks and Devices

When you access myHealthE we use technology to collect information indirectly, such as your Internet address (IP Address), which is then kept in our internet logs. This is collected for aggregate information purposes and represents statistical data about our user's browsing actions and patterns. This data does not identify any individual in any way and is anonymised.

How do we use this information?

Communication with you

We use your information to send you communications about our service or to let you know about any changes to our terms of service or privacy statements. We also use your information to respond to you if you contact us.

Promote security

We use the information you have provided to verify your account and to promote safety and security by investigating suspicious activity or violations.

Improvement and development

From time to time we may conduct surveys to better understand how to improve features.

How is your information shared?

SLaM will not share your, or your child’s data with other organisations without your consent, unless the law permits us to do so. We share data only with our authorised data processors, who must always act on our instructions as the Data Controller under the GDPR and Data Protection Act 2018. Before you submit any information, it will be made clear to you why we are asking for specific information, and it is up to you whether you provide it. SLaM do not and will never sell your personal data or share it for commercial purposes.

Permission to contact for clinical research

Research is essential to develop better treatment options and improve outcomes for children and young people living with mental health related difficulties. We are looking for volunteers who are interested in taking part in research to help us create interventions and test their effectiveness.

Our research ranges from designing and trialling new treatments and devices through to conducting interviews and questionnaires. The myHealthE teams work closely with King’s College London, other universities and other NHS Trusts across England including Guy’s and St Thomas’ NHS Foundation Trust, Solent NHS Trust, Nottingham Healthcare NHS Foundation Trust and others, to enable clinical data to be used to inform academic research.

If you and your child would like to be involved in future research projects the first step is to indicate on the myHealthE system that you give consent to be held on our NHS researcher contact database. This tells approved NHS Trust researchers that you are willing to be contacted about upcoming studies. You can also indicate, at any time via myHealthE, when you want to be removed from the database.

By joining the consent for research contact database, you are not agreeing for your child to take part in a particular project. Instead, you are giving researchers permission to look at your child's medical records to check which research projects they may be suitable for based on information about their health status, including, their symptoms, their diagnosis or their treatment. All researchers work for or hold an honorary NHS contract and are approved to access patient records.

If your child is eligible to take part in a particular study, a researcher will contact you to discuss what you and your child's involvement will consist of in more details and give you an opportunity to ask any questions. Only if you are happy to continue will the researcher ask for your consent and it is then up to you to decide if you want to take part or not, without reason and your child's care will not be affected by this decision.

Legal bases for processing

In order to process personal data relating to you or your child, we must have a valid, legal reason to process that data. This is called a ‘legal basis’ under GDPR.

When processing your data via MyHealthE, we are processing under ‘public task’ as part of our official functions in the public interest. This justification also covers situations where we share your information with other organisations for the purposes of research.

When processing and sharing data relating to your or your child’s health for the purposes of treatment or research, we require an additional legal basis to justify processing sensitive information (referred to as ‘Special Category’ data under GDPR). As a result we will only process such data about you or your child where: (1) necessary for archiving purposes or scientific research purposes, (2) all appropriate safeguards required under Data Protection Legislation are in place, and (3) it is in the public interest.

Is your information safe?

Any personal information that is collected using the MyHealthE system is processed in line with the SLaM clinical records policy which can be found here (https://slam.nhs.uk/policies-and-procedures) and protected in accordance with Article 8 of the Human Rights Convention, the Data Protection Act 2018 and common law. Furthermore, a Caldicott Guardian is also employed by the Trust to ensure that patient confidentiality is protected according to patient rights.

To ensure the best possible system security we have used a secure government notification system called GOV.UK Notify. A Privacy Impact Assessment has been completed for the text messaging and email service delivered by ‘GOV.UK Notify’ this is available upon request and a copy of their privacy policy can be found here (https://www.notifications.service.gov.uk/privacy).

All the data you enter is treated as SLaM clinically confidential medical records. No health data is transmitted outside the King’s Health Partnership, South London and Maudsley NHS Foundation Trust (SLaM) environment. MyHealthE data is contained within secure data flow which sits within the SLaM Azure environment. Any data transferred is treated with due care in accordance with Confidentiality: NHS Code of Practice by the Department of Health.

Your rights

Under Data Protection Legislation you have a number of rights which you can exercise by contacting SLaM as Data Controller:

to know how your data will be collected, processed and stored, and for what purposes
to withdraw your consent (which applies to your participation in user research panel membership, survey responses and unsubscribe to mailing lists or contact via text message
to request a copy of your personal data
to correct your personal data errors or omissions
to data portability. This means you can obtain a copy of your data in a structured, commonly used and machine-readable format (applies only to your participation in user research panel membership, survey responses and to mailing list membership).
to request we delete your personal data
to request we restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected before it is used)

You have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection legislation in the United Kingdom. For details of how to do this visit the ICO website at www.ico.org.uk or telephone 0303 123 1113.

How will we notify you of changes to this policy?

We will notify you when we make any changes to this policy and invite you to review and consent before continuing to use the service.

How to contact us with questions or concerns

If you have any additional questions regarding this Policy, please feel free to contact us at:

Data Protection Officer
South London and Maudsley NHS Foundation Trust
Information Governance Office
Maudsley Hospital
Denmark Hill
London SE5 8AZ
Email: [email protected]