1. Personal data processed
Personal data is any information we have that can identify you, such as your name, date of birth, medical history or credit card details.
Our data retention period, which is the length of time we hold your personal data, is informed by the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.
We might also keep some information that doesn't identify you to help improve our business and our services as well as helping with health research. We do this by removing your identifiable information (such as your name, date of birth, contact details) to form ‘de-identified’ data.
In accordance with national opt-out legislation, you can choose to opt out of your confidential information being used for research and planning. For more information on this, please visit the NHS data opt-out website (https://digital.nhs.uk/services/national-data-opt-out). If you have any concerns about this or wish to change your data preferences, please email the Governance team at info@anathem.ai between 8am and 6pm weekdays.
Where we rely on GDPR Article 6(1)(f), our legitimate interests are as follows:
1. Providing health care to individuals
2. Ensuring complaints and communications are handled appropriately
3. Ensuring we provide and maintain a high level of quality of service
4. Undertaking research to further improve our service
We receive personal data from several sources.
Helping with health research
When using your de-identified data to support health research, we aim to publish our research results in peer-reviewed journals or by working with academics. We may conduct research with partner organisations such as universities or other academic institutions. We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data to our partners and organisations such as NHS England. They will always be anonymised, which means you cannot be personally identified. This is so we can improve our medical knowledge, help deliver better care and help the general public.
Sharing your personal data
We will only share your personal data with organisations involved with your care (for example your GP or NHS Trust), unless we have a legal obligation to share with another party. Where personal data will be shared outside the purposes of providing you care we will inform you unless the law restricts us from doing so.
Where we store and process your data
We use Microsoft Azure as our data hosting service provider. All data we collect is stored on servers located in the UK.
Further uses of personal data for corporate purposes:
Purposes of processing - Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice)
Types of individuals - Patients and commissioners
Types of personal data - Financial, contact details, name
Retention period - We keep your data for 8 years
Lawful basis - Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]; and for compliance with a legal obligation [Article 6(1)(c)]
How to unsubscribe from our marketing communications
You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link at the bottom of our emails or by emailing the Data Protection Lead at info@anathem.ai.
Please note that customers cannot opt out of receiving transactional emails related to their account or service with Anathem.
2. Website users and social media
Personal data processed
Purposes of processing - Provide information in relation to new services offered by Anathem as an existing client or potential new client, or to invite clients to participate in service development activities
Types of individuals - Patients and mail list subscribers
Types of personal data - Name, contact details
Retention period - We keep your data for 12 months
Lawful basis - Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]
For website users and social media platforms, where we rely on GDPR Article 6(1)(f) our legitimate interests are as follows:
1. Marketing our products, services and research.
3. Cookies
Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved.
Some cookies may last for a defined period of time, such as one day or until you close your browser. Others last indefinitely. Your web browser should allow you to delete any you choose. It also should allow you to prevent or limit their use.
Our website uses cookies. They are placed by software that operates on our servers, and by software operated by third parties whose services we use. We use cookies in the following ways:
- to track how you use our website
- to record whether you have seen specific messages we display on our website
- to keep you signed into our website
- to record your answers to surveys and questionnaires on our site while you complete them
Personal identifiers from your browsing activity
Requests by your web browser to our servers for web pages and other content on our website are recorded. We record information such as your geographical location, your Internet service provider and your IP address. We also record information about the software you are using to browse our website, such as the type of computer or device and the screen resolution. We use this information in aggregate to assess the popularity of the webpages on our website and how we perform in providing content to you. If combined with other information we know about you from previous visits, the data possibly could be used to identify you personally, even if you are not signed in to our website.
Our use of re-marketing
Re-marketing involves placing a cookie on your computer when you browse our website in order to be able to serve you an advert for our products or services when you visit some other website.
We may use a third party to provide us with re-marketing services from time to time. If so, then if you have consented to our use of cookies, you may see advertisements for our products and services on other websites.
4. Your data protection rights
The UK GDPR grants various rights to people whose data is being processed. The rights are not absolute and so sometimes do not apply. Where you wish to exercise any of your rights, you may do so free of charge (except in specific circumstances, where you will be informed in advance) by contacting us at info@anathem.ai. We will respond within one month. Under the GDPR (General Data Protection Regulation), you (the data subject) have a right to access your personal data held by an organisation.
How do I submit a Data Subject Access Request (DSAR)?
If you wish to request personal information that is held about you, there are multiple ways that you can do this:
● Verbally (via clinician or admin support);
● Email info@anathem.ai;
● Letter to: Anathem Limited, 14 Highwoods Close, Marlow, SL7 3PG.
Whichever method you use to contact us, you will need to provide us with the following:
● Your full contact details.
● A description of the information you seek (including dates, subjects, specific documents etc.).
● Proof of your identity (applicable if the request is made by letter or email). This is to ensure we only provide personal information to the individual who is entitled to receive it.
A DSAR will only be valid if it contains all the information we need and we have received proof of your identity, whether you are the data subject or if you are making a request on behalf of the data subject.
Details of the rights within UK GDPR are below. You will be informed if the right is available to you upon application:
Right - Meaning
Access (UK GDPR Article 15) - You may request a copy of the data held by us about you.
Rectification (UK GDPR Article 16) - If you think the data held by us is wrong, you may request that it is corrected.
Erasure, the right to be forgotten (UK GDPR Article 17) - You can request that your data is deleted by us.
Restriction (UK GDPR Article 18) - There are circumstances in which you may ask us to stop processing your data but we must otherwise keep the data, for example where required by law.
Portability (UK GDPR Article 19) - You can ask for a copy of your data in a format that can be readily transferred to another company.
Objection (UK GDPR Article 20) - You can object to the processing of your personal data when we are relying on a legal obligation or public duty legal basis, or where we are processing in our legitimate interest, especially for direct marketing.
Automated decisions (UK GDPR Article 22) - Where a computer makes a decision about you without human intervention, for example in an online loan application, you have the right to know how the decision was arrived at.
5. Protecting your personal data
Anathem takes the protection of your personal data very seriously. Anathem uses a range of precautions, including administrative, technical and physical measures, to safeguard your personal data against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. We store the personal data you provide encrypted on computer servers that are located in highly secure and controlled facilities. We restrict access to personal data to those employees, contractors and agents who need access in order to operate, develop or improve our services and the application.
We follow industry accepted security standards to protect the personal data you submit to us, both during transmission and once we receive it.
We have implemented several technical and organisational measures to ensure your personal data is kept secure. This includes:
- Achieving the European ISO27001 certification for Information Security Management Systems which requires annual recertification by external auditors
- Compliance with the NHS Data Security and Protection Toolkit
- Completing annual Cyber Essentials Plus certification by external security specialist company
- Annual penetration testing of our systems by an external cyber security specialist company
- Annual training for all staff on how to handle information securely.
- Having role-based access controls so that staff can only access records necessary for their role.
- Hosting on a secure platform through Azure, which maintains the servers and ensures they are secure and up to date at all times with the latest security patches. This also includes extensive physical access security at the server sites, provided by professional security staff using video surveillance, state-of-the-art intrusion detection systems and other electronic means.
6. Complaints
If you have any complaints regarding our use of personal data, please contact us by one of the above means. In the event we cannot resolve your complaint, you have the right to complain to the Information Commissioner's Office, the UK data protection regulator. They can be contacted at: Information Commissioner's Office (www.ico.org.uk), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 0303 123 1113.