Privacy Policy

Who are we?

We are Patientcards Ltd, a company registered in Truro, Cornwall, England, with registered office at Old Bakery Studios, Blewett’s Wharf, Malpas Road, Truro, TR1 1QH (we​, us​, our​).

We provide an online platform (Patient Manager / Help at Hand app)​ which facilitates the provision of social prescription services by enabling health and social care professionals to set up patient profiles, make referrals to support and link workers and onward connections to community providers, and enables the exchange of notes about patients to help assess the social prescription services being provided (our Services​).

In each case, we make Patient Manager / Help at Hand app available to designated users because we have been contracted to do so by our Client in connection with a particular Social Prescription Programme which our Client has decided to run.

What is this policy notice?

2.1 In order to provide our Services, we may need to process Personal Data from time to time (that is information from which an individual can be identified). This Personal Data may be about you or other people. This notice explains how we will use the Personal Data we hold. Patient Manager enables users to collect and share data. This notice only deals with our use of Personal Data. Recipients (including our Client and Professional Users) are not bound by this privacy notice.

2.2 We might need to change this privacy notice from time to time. If we do, we let you know. So please do keep an eye on our notice before sending us any Personal Data or uploading it on to Patient Manager.

2.3 All of the defined terms in this notice are explained in paragraph 14 below. If you have any questions about this notice, feel free to send us an email to [email protected]

Whose data do we hold?

3.1 We hold Personal Data about the following groups of people (Data Subjects):

Are you a controller or a processor?

4.1 It depends on the data and how it is collected and used.

4.2 We are a Controller in respect of the following data:

For example, this could include:

4.3 We are a Processor in respect of any Personal Data about Professional Users or Patients which our Client Administrative Users or Referral Agents) gives us or which we collect on behalf of our Client to enable us to provide our Services.

Where do you collect personal data from?

5.1 We might collect Personal Data in the following ways:

Client Contact Data

Prospective Client Data

Professional User Data

Patient Data

It is likely that some of the Personal Data which we collect and store on behalf of our Client, in relation to Patients, may include Special Categories of Personal Data. Special Categories of Personal Data includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.

General

5.2 We may also collect, use and share Aggregated Data such as statistical or demographic data which we collect from interactions with our Clients or any Users of Patient Manager. Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.

How will you use the personal data you hold and what is your lawful basis for doing so?

Client Data

To provide our services

Agreeing the parameters of the Social Prescription Programme and facilitating the set-up and managing payment

Identity Data, Contact Data, Transaction Data

Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

To manage our relationship with you

To notify you of updates to our (or our Licensor’s) services or software or updates to our privacy notice

Identity Data, Contact Data

Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

Administration and Dispute Resolution

We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Identity Data, Contact Data, Transaction Data

Legitimate Interest

Marketing

From time to time we might contact you by telephone or email about updates to our services, new features or functions or new products we are bringing out. Our marketing may be tailored on the basis of what we think your interests are (from looking at data collected using cookies and other similar technologies as well as past transactions and interactions). We will always include the right to opt out in any such correspondence.

Identity Data, Contact Data, Transaction Data, Profile Data, Traffic Data

Legitimate Interest

Prospective Client Data

We hold and process Prospective Client Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Prospective Client Data along with our lawful basis in the table below.

Responding to your requests for information (solicited marketing)

This may involve sending you information about our services if you have asked us to do so or contacting you whether by telephone or email to discuss proposals for a Social Prescription Programme.

Identity Data, Contact Data

Necessary steps to enter into a contract

Profiling and Marketing

We may carry out research online (including by looking at traffic data collected by cookies and other similar technology) and through word of mouth in order to find businesses we think might be interested in hearing about Patient Manager. We may use such information to make marketing calls or send an email.

We are relying on legitimate interest as our legal basis for profiling and marketing. The legitimate interest being the promotion of our business. We believe that marketing of this kind is integral to getting our product known in the correct circles, and, since the marketing communication is targeted to individuals working in the field of Social Prescription, and we will only use contact details published on business websites, we believe that this will not be considered invasive by the Data Subject and in this case our interests and the Data Subject’s may be aligned.

Professional User Data

Monitoring account usage

We may record usage patterns or other data we collect from your use of Patient Manager in order to make sure such use is in accordance with our terms of use.

Administration And Dispute Resolution

We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Marketing (profiling and direct mail)

If you have agreed that we may do so, we may contact you by email from time to time with information about our goods and services or similar goods and services which we think may be of interest to you. We may tailor these communications on the basis of information we have collected about your usage of Patient Manager and traffic data we’ve collected.

Patient Data

Monitoring account usage

We may record usage patterns or other data we collect from your use of Patient Manager in order to make sure such use is in accordance with our terms of use.

Administration and Dispute Resolution

We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Marketing (profiling and direct mail)

If you have agreed that we may do so, we may contact you by email from time to time with information about our goods and services or similar goods and services which we think may be of interest to you. We may tailor these communications on the basis of information we have collected about your usage of Patient Manager and traffic data we’ve collected

Will you disclose personal data to anyone else?

7.1 Disclosures of Patient Data made as part of the Social Prescription Services: The purpose of the Social Prescription Programme is to enable Professional Users to disclose and share information to each other about a patient’s progress in connection with the Social Prescription Programme. The decision to transfer Patient Data is made by the Professional Users themselves or a Patient (if they have set up their own account on Patient Manager.

If you have any questions about who your data might be transferred to if you take part in our Client’s Social Prescription Programme, please ask the Referring Agent or Referral Handler. If you don’t know who that is, feel free to send us an email at [email protected] and we will pass your query to our Client for them to contact you directly.

7.2 Disclosures of Personal Data by us to third parties. We may disclose Personal Data to third parties, for the following purposes:

What security procedures do you have in place?

8.1 It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements.

Our cyber security has been penetration tested by Nettitude, A Lloyd’s Registered Company. For more information, please see our cyber security report. If you have any queries, please email [email protected] .

For how long do you store personal data?

Client Contact Data

10.1 Our retention policies for Client Contact Data are as follows:

Prospective Client Data

10.2 We will retain Prospective Client Contact Data for up to 1 year from the point of collection or last interaction. If a Prospective Client becomes a Client, the retention policy set out in paragraph 10.1 shall apply.

Professional Data

10.3 Any Professional User Data which we hold as a Processor will be held only for the duration of our contract with our Client. Upon termination of the contract, we will return or delete the Professional Data.

10.4 Any Professional User Data which we hold as a Controller will be retained in accordance with the following provisions:

Patient Data

10.5 Any Patient Data which we hold as a Processor will be held only for the duration of our contract with our Client. Upon termination of the contract, we will return or delete the Patient Data.

10.6 Any Patient Data which we hold as a Controller will be retained in accordance with the following provisions:

What rights does a data subject have about the personal data we collect and hold?

11.1 Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller.

11.2 If you want to avail of any of these rights, you should contact us immediately at [email protected]. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.

What happens if I no longer want you to process personal data about me?

12.1 If we are holding Personal Data about you as a Processor, we will need to transfer your request to the Controller who has engaged us to provide our Services – that will be our Client. To the extent that we are holding Personal Data about you to facilitate our Client’s Social Prescription Programme, such a request is likely to impact on your ability to be a part of the programme.

12.2 If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to be a part of our Client’s Social Prescription Programme.

Who do I complain to if I’m not happy with how you process personal data about me?

13.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to [email protected]. If we are processing Personal Data about you on behalf of our Client, we will need to pass your complaint to our Client – we will only do so with your consent.

13.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.

What do all of the defined terms in this privacy notice mean?

14.1 Throughout this notice you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they’ll have the following meanings:

Client means the party we entered into a contract with to facilitate an agreed Social Prescription Programme;

Client Contact Data means Personal Data about our Client (including key contact data);

Controller is a legal term set out in the General Data Protection Regulation (GDPR), it means the party responsible for deciding what Personal Data to collect and how to use it;

Patient Manager / (Help at Hand app) means the online platform which facilitates the provision of social prescription services;

Data Subject means the individual who can be identified from the Personal Data;

Patient Data: that is Personal Data about any individuals who have been identified to receive social prescription services as part of our Client’s Social Prescription Programme;

Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual;

Processor is another legal term set out in the GDPR, it means the party who has agreed to process Personal Data on behalf of the Controller;

Professional Users means any or all of the following groups of individuals:

Prospective Client Data: that is Personal Data about our prospective clients (including key contact data);

Social Prescription Programme means a programme implemented by a clinic, trust, housing executive or other body to assess a patient’s social, emotional and practical needs and make referrals to non-clinical services within a patient’s community;

Special Categories of Personal Data means details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data; and

User means a user of Patient Manager.