RwHealth – PRIVACY POLICY

The below is the Privacy Policy for Real World Health (RwHealth) (formerly Draper and Dash, D&D).

PURPOSE OF THIS PRIVACY POLICY

This privacy policy aims to give you information on how Real World Health (RwHealth) collects and processes your personal data through your involvement in Real World Health (RwHealth). Data collected includes any data you may provide when you complete forms and give us basic information about yourself, such as your name, date of birth, physical address and email address. You are responsible for the accuracy of the information that you provide to us.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

CONTROLLER

Real World Health (RwHealth), having its registered office at One Canada Square, Cabot Square, London E14 4QT (company number 07540246) (“Real World Health (RwHealth)”).

Real World Health (RwHealth) (also referred to as “we”, “us” or “our” in this privacy policy) is the controller and is therefore responsible for your personal data. Real World Health (RwHealth) respects your privacy and is committed to protecting your personal data.  

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us via email using the following email address: info@realworld.health.  

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES

We keep our privacy policy under regular review.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. See below for contact details.

THIRD-PARTY LINKS

Our Website and Platform may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website or Platform, we encourage you to read the privacy policy of every website you visit.

 

  1. The data we collect about you

Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been completely removed and the data therefore cannot be re-identified (anonymous data). Data protection law does not apply to data that has been anonymised.

We may collect, use, store and transfer different kinds of personal data about you. We have grouped together those categories of data as follows:

  • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes billing address, delivery address, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased / received from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website.
  • Platform Data includes information about your visit (such as when you first used the Platform and when you last used it, and the total number of sessions you have had on that Platform), including products and services you viewed or used, Platform response times and updates, interaction information (such as button presses or the times and frequency of your interactions with the communications we deliver to you in the Platform or otherwise) and any phone number used to call our customer service number.
  • Profile Data includes your username and password, orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our Website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We get some of this information directly from you, when you register with us and when you use our services. 

Aggregated Data

We also collect, use and share aggregated data. This means grouping deidentified patient data used for research purposes. We are committed to ensuring that all best endeavours are taken to protect patients’ identifiable data. However, we cannot always guarantee that some specific patient characteristic would not allow for patients to be identified in a research environment. Some of our research focuses on the use of statistical or demographic data, for which use cases extend to rare and common diseases. 

Aggregated data could be derived from your personal data but is not considered personal data in law, as such data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website or Platform feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will then be used in accordance with this privacy policy.

We may also hold information about you and your health from other apps, devices and services where you have given your consent to that data being shared with us. Examples include where you decide to share information with our Platform which has been collected from a smart watch or similar device.

IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

  1. Children

We are committed to protecting the privacy of children as well as adults. A parent or guardian of a child may provide information related to their child. The parent or guardian assumes full responsibility for ensuring that the information that they provide is accurate.

  1. How is your personal data collected?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
    • apply for our products or services; 
    • create an account on our Platform; 
    • use our Platform; 
    • subscribe to our service or publications; or 
    • give us feedback or contact us.
  • Automated technologies or interactions. No decisions are made solely by automated means – these are at most 80% automated, and the remainder is driven by human decision making. As you interact with our Website or our Platform, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We will also collect Health and Medical Data through your use of our Platform. We collect this personal data by using cookies, server logs and other similar technologies. More information about our cookie policy can be found here.
  • Third parties or publicly available sources. We will receive personal data about you from various third parties as set out below:
    • Technical Data from the following parties: analytics providers.

  1. How we use your personal data

We will only use your personal data when we have a lawful basis for doing so. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into, or have entered into, with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we have your explicit consent to process your special category personal data.

To find out more about the types of lawful basis that we will rely on to process your personal data please see the Glossary at Section 11 below.

We will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

| Purpose / Activity | Type(s) of data | Lawful basis for processing including basis of legitimate interest (if applicable) |
| --- | --- | --- |
| To register you as a new customer / create a Real World Health (RwHealth) account | Identity Data; Contact Data; Profile Data | Performance of a contract with you; Consent |
| To process and deliver your order including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us | Identity Data; Contact Data; Financial Data; Transaction Data; Marketing and Communications Data | Performance of a contract with you; Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey | Identity Data; Contact Data; Profile Data; Marketing and Communications Data | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and the Platform and Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Identity Data; Contact Data; Technical Data | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation |
| To deliver relevant Website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Identity Data; Contact Data; Profile Data; Usage Data; Marketing and Communications Data; Technical Data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our Website, products/services, marketing, customer relationships and experiences | Technical Data; Usage Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy); Consent |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | Identity Data; Contact Data; Technical Data; Usage Data; Profile Data; Marketing and Communications Data | Necessary for our legitimate interests (to develop our products/services and grow our business); Consent |

PROMOTIONAL OFFERS FROM US / THIRD-PARTY MARKETING / OPTING OUT

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

 

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by logging into the Website or Platform and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of product/service experience or other transactions.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules.

  1. Disclosures of your personal data

We may share your personal data with the types of parties set out below for the purposes set out in the table above.

  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners will be permitted under the terms of the transfer to use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

  1. Data Security and Data Transfer

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any actual or suspected personal data breach and will notify you and/or any applicable regulator of a breach where we are legally required to do so.

No patient identifiable data is transferred outside of the UK. Only aggregated research data is managed on other servers.

We operate under strict security certifications and compliances. Our team continuously strives to work with and adopt new technology to provide valuable insights to our varied client base, and protection of the sensitive data we process is important. As such, we are compliant with the following:

  1. ICO 
  2. ISO 27001 
  3. ISO 9001
  4. Cyber Essentials 
  5. Data Security and Protection Toolkit 
  6. Cyber Security Centre Web Checker.

Real World Health (RwHealth), alongside our IT partners, is committed to complying with data protection legislation and industry standards. As such, we work closely together to keep you and your data safe in the following areas:

  1. System access levels and user authentication controls;
  2. System auditing functionality and procedures;
  3. Operating system controls such as vulnerability scanning and anti-virus/anti-malware software;
  4. Network security such as firewalls and penetration testing; and
  5. Encryption of special category personal data.

Our current process focuses on ensuring that there are strong levels of patient de-identification across the entire Platform and Real World Health (RwHealth) programme as a means of protecting the identity of patients who have joined Real World Health (RwHealth), as well as a means of insulating these patients from any potential cyber security issues during the programme or in the future. As part of the process, we take steps to ensure that we are compliant with all penetration testing protocols to ensure the protection of patients and their data – this remains the highest priority of Real World Health (RwHealth).

Data transfer and storage are managed by the data teams at Real World Health (RwHealth) and Clevacloud. The resulting infrastructure comprises an Internet of Things (IoT), referring to a system of interlinked and internet-connected devices able to collect and transfer data in an automated fashion over a wireless network; a Microsoft Azure Database, which works as an AI-powered, automated, and fully managed cloud database for data storage; and a Virtual Machine, acting as a computer created within a computer with its own virtual hardware and network interfaces, for web platform hosting.

All data transferred between devices and the Platform’s cloud database will be protected with full encryption, and cyber security will be provided by Microsoft Azure, which creates a highly secure cloud foundation using multilayered, built-in security controls and real-time global cybersecurity intelligence to detect and respond to threats as soon as they arise. Ongoing assessment of ecosystems by the research team’s technical experts will occur, should a more secure provider be identified over the course of the study. Security is an important concern and will be evaluated at each stage within the infrastructure. We will be utilising Azure Security Centre to monitor the security of all Azure assets, and firewall settings will limit access to Windows authenticated users within the Real World Health (RwHealth) infrastructure.

Clevacloud itself functions as our Information Commissioner’s Office (ICO) registered IT partner, in strict compliance with data protection legislation and industry standards. This involves ensuring safety of any data transferred and stored across the aforementioned areas.

For physical security, our data and disaster recovery sites are held within RapidSwitch and Microsoft Azure data centres, both strictly compliant with ISO 27001, ISO 9001 and PCI DSS standards. Manned security and monitoring of these centres occurs on a 24/7/365 basis, with biometric access policies, internal and external CCTV systems, as well as security breach alarms.

Network security follows similarly stringent measures, with access to cloud platforms / resource infrastructure and data strictly controlled through distinct access levels dependent on employee roles – limited to specific parts of cloud platforms, or solely aggregated data – and all access requiring 2 Factor Authentication, complex password protection, and prior authorisation. Furthermore, production databases are not available in any manner outside of the internal environment, preventing direct hacking of databases, and web server access to the cloud platform is accessible only by our developers through secure web panel or SSL (Secure Sockets Layer) encrypted FTPS (File Transfer Protocol Secure) connections. Finally, all internet-facing services are placed within securely segregated DMZ (DeMilitarised Zone) networks that sit between the internal and external network, providing virtual or physical networks isolated from core services by dedicated firewalls with strict access controls – firewalls also utilised for interior network zoning to separate service infrastructure tiers.

Cloud Applications security is provided through firewall clusters enabled with IDS (Intrusion Detection System), server operating systems patched weekly for regular updates, data encrypted using FIPS 140-2 compliant AES 256-bit encryption, secure communications provided by SSL and TLS (Transport Layer Security), and security credentials encrypted using a one-way hashing model.

  1. Data retention

HOW LONG WILL YOU USE MY PERSONAL DATA FOR?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

We reserve the right to retain anonymised copies of your data for use in ongoing research purposes. 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. Examples of how anonymised data may be used include expanding the knowledge base for identifying correlations between risks, pathologies, outcomes and optimal treatment pathways. Anonymised data and insights may be used by clinicians, researchers, and other third parties for the improvement of patient care and therapeutic options. Anonymised data will be supported by the use of, and merging with, in-depth multi-source, historic, and live worldwide data.

  1. Your legal rights

Our lawful basis for processing your personal data is your consent. Under certain circumstances, you have rights under data protection laws in relation to your personal data. Generally, your rights under data protection laws fall into the following categories:

  • Request access to your personal data (commonly known as a “data subject access request”).  Please note that there are also various other ways through which you can access your own data (see ‘How my data can be accessed’ in Section 10 below).
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data where there is no good reason for us continuing to process it. 
  • Object to processing of your personal data where we are relying on a legitimate interest in order to process it.
  • Request restriction of processing of your personal data.
  • Request the transfer of your personal data to you or to a third party.
  • Withdraw consent at any time where we are relying on consent to process your personal data. 

Withdrawal of Consent

You have the right to withdraw your consent and require we erase your personal data which we are processing at any time, where at least one of the following grounds applies:

  • the processing is no longer necessary in relation to the purposes for which your personal data were collected or otherwise processed;
  • our processing of your personal data is based on your consent, you have subsequently withdrawn your consent and there is no other legal ground we can use to process your personal data;
  • you object to the processing as set out in the “right to object” section of this policy and we have no overriding legitimate interest for our processing;
  • the personal data have been unlawfully processed; and
  • the erasure is required for compliance with a law to which we are subject.

  1. How my data can be accessed

The means by which your personal identifiable data or aggregated, de-identified data can be accessed are as follows:

By You – personal identifiable data collected by Real World Health (RwHealth) will be made accessible to you via a request sent to info@realworld.health 

  1. Glossary 

LAWFUL BASES ON WHICH WE MAY RELY

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

  1. Contact Us

If you have any questions about the processing of your personal data, please contact our Data Protection Officer, Real World Health (RwHealth) at info@realworld.health

If you are not happy with how we have processed your personal information, you have the right to make a complaint to the Information Commissioner’s Office. Please see www.ico.org.uk for more information on how to do this.