Privacy Policy
September 5, 2024
Introduction
Invatech Health Ltd has an obligation to meet UK (Data Protection Act 2018 - DPA2018) and EU (General Data Protection Regulation - GDPR) legislation for the protection of Personally Identifiable Information (Personally Identifiable Information) and Patient Identifiable Data (PID).
The Information Commissioners Office (ICO) is the UK Data Protection Authority (DPA) that oversees the management of all Personally Identifiable Information and PID activities through the Data Protection Act 2018 and EU General Data Protection Act Regulation (GDPR).
Purpose
Effective security of the Personally Identifiable Information and PID Invatech Health has access to and manages is a business-wide effort involving the participation and support of every Invatech Health employee, contractor and consultant who deals with this information and/or has access to IT systems. It is the responsibility of controllers and processors of Personally Identifiable Information to know this Policy and to conduct their activities accordingly.
This Policy has been written to outline the scope, definitions and controls that will be applied to Personally Identifiable Information data and information. We will process information for the following purposes
To provide our care home and pharmacy IT services to you, including;
processing staff, resident and prescription information;
the fulfilment, tracking and delivery of orders for products and services;
registering and supporting Atlas & Titan accounts and validating contact details;
storing information about staff and residents;
storing staff/resident profiles, prescription information and generating reports about residents’ medication through our Atlas portal.
2) To create and maintain records of the products we supply to you and residents.
3) To remember users who log on from the same device without having to re-submit their username.
4) To monitor the use of our services and to fix any issues affecting these services.
5) To respond to any messages, complaints or queries we may receive.
6) To offer support with any requests we receive in relation to staff or residents and the data/information we hold or process.
7) To maintain records of staff who have taken on and have completed online training.
8) To comply with any regulatory and legal requirements that apply to us and to comply with any legitimate requests from regulatory bodies.
9) To prevent crime and fraud and to comply with any legitimate requests we receive from law enforcement and crime prevention agencies.
10) To perform statistical analysis and to create reports and management information that help us understand the use of services and any trends.
11) To create and maintain records required for the operation of our business.
Scope
This Policy applies to care home and pharmacy services and all relevant and in-scope staff, contractors and consultants who use, or have access to, these systems. It covers the following data definitions:
1. Data Processor: In relation to personally-identifiable information or data, a Data Processor is any person (other than a Data Subject of the Data Controller) who processes the data on behalf of the Data Controller.
Invatech Health is a Data Processor. This means that we process data on behalf of our clients such as care homes and pharmacies. We are a Data Controller for our own information, which is covered under a separate internal staff policy.
2. Data Controller: A person who (either alone or jointly in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
Pharmacies and care homes are Data Controllers and they are required to protect the data. Invatech Health, as a processor, can be jointly liable for managing this data and therefore take proactive steps to manage our controller relationships through contract.
3. Personal data means data relating to a living individual who can be identified:
(a) from the data, or
(b) from the data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller or processor. This includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.
4. Sensitive personal data means personal data consisting of information pertaining to:
(a) the racial or ethnic origin of the Data Subject;
(b) political opinions;
(c) religious beliefs or other beliefs of a similar nature;
(d) whether they are a member of a trade union;
(e) physical or mental health or conditions;
(f) sexual life;
(g) the commission or alleged commission by the Data Subject of any offence;
(h) any proceedings for any offence committed or alleged to have been committed by the Data Subject and the disposal of such proceedings or the sentence of any court in such proceedings.
Invatech Health will have access to both personal and sensitive data about individuals (known as Data Subjects) and that Invatech Health systems and staff will have legitimate business and contractual access to such data.
The following data, often used for the express purpose of distinguishing individual identity is available on Invatech Health systems and will be clearly classified as Personally Identifiable Information and PID and covers users, customers and Data Subjects.
1) Names of staff and residents, including full names and ‘known by’ information:
2) Log-in names or usernames used to access systems and external portals.
3) Contact details:
Home address.
Email address.
National Insurance number.
Date of birth (age).
Birthplace.
Telephone number.
Photograph of face.
4) Information from and about the device from which you access services, including the:
IP address (when linked to an individual).
NHS Digital identity.
Medical health information.
Medicines information.
5. Consent: Consent is a legally-binding expression of will, given voluntarily, in which the Data Subject declares his/her agreement to the processing of their data across the various systems and lifetime of this processing.
Principles of personal privacy
On an annual basis, the Invatech Health Data Protection Officer shall update all relevant Invatech Health external and internal privacy policies and, if applicable, outline any substantive changes in an accompanying communication and awareness training program.
The principles of Invatech Health’s privacy process are;
1) Fairness and lawfulness: In processing personal data, the individual rights of the Data Subject shall be protected. Personal data shall be processed fairly and in accordance with legal provisions.
2) Restriction to a specific purpose: Personal data may be processed only for the purposes for which they were originally collected. Changes to information may take place by virtue of a contractual agreement with the Data Subject or Controller concerned, collective agreements, consent given by the Data Subject, a legitimate business interest to do so, or through national legislation.
3) Transparency: Data Subjects shall be informed of how their data is being handled. Personal data shall be collected directly from the Data Subject concerned. When collecting the data, the Data Subject shall either be aware of, or be informed of, the following:
The identity of the Data Controller.
The purpose for which the data is being processed.
Third parties or categories of third parties to whom the data may potentially be transmitted.
National legislation or collective agreements that may impose additional or differing requirements regarding the content and scope of this information.
4) Data Economy: Before any step is taken to process personal data, it shall be checked whether, and to what extent, the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows, and where the expense involved is in proportion with the goal being pursued, anonymised or statistical data shall be used. Personal data may not be collected in advance and stored for potential future purposes. Data that are no longer needed shall be deleted in compliance with existing destruction requirements.
5) Factual accuracy and timeliness of data: Personal data shall be correct and up-to-date when stored. Suitable steps shall be taken to ensure that inaccurate or incomplete data are deleted, corrected, or supplemented.
6) Data requiring special protection: Personal data requiring special protection may be processed only under certain conditions. This includes racial or ethnic background, political views, religious or philosophical convictions, trade union membership, health, or sexual orientation of the Data Subject. Further data categories may be classed as requiring special protection.
Need-to-know principle: Data Subjects have access to personal data on a need-to-know basis only. The need-to-know principle means that Data Subjects may have access to personal information only as is appropriate for the type and scope of the task in question.
7) Automated individual decisions: Automated processing of personal data intended to evaluate certain personal aspects of the Data Subject (e.g. historic medicines information) shall not form the sole basis for decisions that have negative consequences or result in significant detriment to the Data Subject concerned. Data Subjects shall be informed of the fact that an automated decision-making procedure is carried out, and of its result, and he/she shall be given the opportunity to respond.
Data Subject rights
Every Data Subject has the following rights. A Data Subject may not suffer any disadvantage as a consequence of asserting his/her rights:
The Data Subject may request information on which personal data relating to him/her have been stored, how the data were collected, and for what purpose.
If personal data are transmitted to third parties, the Data Subject concerned shall also be informed of the recipient’s identity, or of the category of recipients.
If personal data are incorrect or incomplete, the Data Subject may request for them to be corrected or supplemented.
The Data Subject may request his/her data to be deleted if the processing of such data has no legal or legitimate business interest basis, or if both have ceased to apply. The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. Existing archival requirements shall be observed.
The Data Subject generally has a right to object to his/her data being processed, and this shall be taken into account if the protection of his/her interests takes precedence over the interests of the Data Controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Training
On an annual basis, the business shall administer company-wide privacy and information security training.
Monitoring and enforcement
Invatech Health shall monitor this Policy for compliance by:
1) reviewing tasks relating to Data Controller and Data Subject requests for Invatech Health’s Privacy Notice;
2) ensuring service level agreements (SLAs) are met for providing the notice, subject access requests (SARs) and data breach notifications;
3) reviewing relevant policies to ensure consistency of approach and the existence of satisfactory security controls;
4) executing tasks outlined in this document.
Should anyone become aware of a violation of this Policy, it is his/her duty to report the violation to the Invatech Health Data Protection Officer using the contact information below. Such violations should be reported in writing (email) and maintained by the Data Protection Officer.
dpo@invatechhealth.com