Privacy Policy
PATIENT WATCH is provided by Patient Watch Ltd (“we”, “us”, “our”, “PW”), a company registered in England with company number 14114586 and a registered office address at 86-90 Paul Street, London, England, EC2A 4NE.
PW may act as a “controller”, “processor”, or “joint controller” depending on how Patient Watch is deployed and who determines the purposes and means of the relevant processing. Where PW acts as controller, references below to “we”, “us” or “our” are to PW.
Where another organisation is the controller, such as a healthcare provider, insurer, study sponsor, registry, manufacturer, supplier, or research institution, that organisation is responsible for the lawful basis, participant notices, consent materials, and sharing arrangements for its processing.
We are committed to protecting and respecting your privacy.
This notice applies to our United Kingdom deployment of Patient Watch and to European Economic Area deployments where the EU GDPR applies. For each care pathway, study, registry, or customer arrangement, we document deployment-specific roles, lawful bases, transfer mechanisms, and governance arrangements in the relevant contract, protocol, order form, statement of work, or participant information.
For EU GDPR Article 27 purposes, Patient Watch Ltd has designated Guy Solan as its European Union representative for relevant EEA processing. Guy Solan is based in Sweden and can be contacted at info@patient-watch.com or by post at 18a Tjalmargatan, Östersund, Sweden.
SCOPE OF THIS PRIVACY NOTICE
This notice (together with our end-user licence agreement as set out at Terms of Use (“TOU”) and any additional terms of use incorporated by reference into the TOU) applies to your use of:
- the PATIENT WATCH Service (the “Service”) accessible through our website at https://www.patient-watch.com/ (the “Site”);
This notice sets out the basis on which we will process any personal data we collect from you, or that you provide to us. ‘Processing’ for the purposes of this notice covers a very broad range of activities, including using, transferring, storing and even deleting data.
Please read the following terms carefully to understand our views and practices regarding your personal data and how we will treat it.
For the avoidance of doubt:
- By registering with, or using, the Site, or supplying data or information on the Site, you acknowledge that you are aware of the collection, use and transfer of the relevant data and your personal data under the terms of this privacy notice (and the Terms of Use).
PERSONAL DATA WE MAY COLLECT IN RELATION TO YOU
We may collect, and process, the following types of personal data about you:
- You may give us information about yourself (“Submitted Information”) by a number of different routes, including:
- information you provide to us or that we may collect, including but not limited to when you:
- Register
- Edit your profile
- Change your password
- Verify a phone number or email address
- Create a diary
- Log a pain score
- Send an email or SMS to or from the Site, including all email addresses ending @patient-watch.com.
- The information that you give us or that we collect may include your name, email address, phone number, hospital number, GMC and password.
- if you contact us, we may keep a record of that correspondence;
- information provided when submitting or updating a request for support or contacting our support teams;
- information provided in response to any surveys or requests for information which we may send to you from time to time or which you complete on our website (in line with your marketing and communications preferences as referred to above);
- information collected as a result of any monitoring which may take place. We may monitor (which may include recording) certain interactions between us in order to comply with any legal obligations, to detect fraud or criminal activity as well as for training purposes; and/or
- Information we collect about you and your Device. Each time you visit the Site we may automatically collect the following information:
- technical information, including the type of mobile device you use, a unique device identifier, mobile network information, your mobile operating system, and time zone setting (“Device Information”);
- health information stored on your Device which you have explicitly consented to sharing, and the provenance of that data including the device used to collect that data, time, date (“Content Information”); and
- details of your visits to the Site, and the resources that you access (“Log Information”).
We do not use non-essential analytics or advertising cookies in the Service. We may use essential technologies that are necessary to provide secure login, session management, fraud prevention, security, service delivery, and user-requested functionality. If we introduce non-essential analytics, advertising, or similar tracking technologies, we will update this notice and obtain consent where required by applicable cookie and electronic communications laws.
Age Limits
You may only access the Service if you are at least 18 years old.
USES MADE OF THE INFORMATION
We may use personal data we collect about you in the following ways:
- Submitted Information: We will use information which you submit as part of registering to use, or where you are using, the Service in order to manage your account, to deliver the Service, to provide technical support, to contact you (including, without limitation, via SMS) so as to notify you regarding any important updates relating to the Site, to answer queries you might raise regarding the Site and for our own internal administrative purposes.
- For marketing purposes: We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising, including the following personal data control mechanisms:
- We may use your identity, contact details and Device Information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (i.e. ‘marketing’).
- You will receive marketing communications from us if you have requested information from us or receive services from us and you have not opted out of receiving that marketing.
- We may ask you to identify areas of particular interest (which may be related to certain conditions) and if you choose to provide those details then we may send you information which we feel may be relevant to those areas of interest or which might otherwise be of interest to you based on the preferences identified.
- We will get your express opt-in consent before we share your personal data with any third party for their marketing purposes.
- You can ask us (or any third parties) to stop sending you marketing messages at any time (see below for further details).
- Survey responses: We will use this information for the purposes outlined in the relevant survey or request for information (referred to generally as ‘surveys’). If a survey involves the provision of information relating to your physical or mental health then this data will be held securely and used only in line with the purposes explained to you, the applicable lawful basis, and any permissions, notices or consents relevant to that survey. Depending on those arrangements, we may also use anonymised, aggregated or appropriately pseudonymised survey data for trend analysis, service evaluation, audit, medical research, registry activity, post-market surveillance and related reporting, and may share those outputs or datasets with healthcare organisations, academic institutions, contract research organisations, pharmaceutical companies, medical device companies and other life sciences partners. If you agree as part of the survey to our contacting you further, then we may do so to supply you with information that may be of interest to you; or in order to determine whether you would want to be further involved in any follow-on surveys or medical research opportunities.
- Device Information: We will use this information to help ensure that Patient Watch presents the correct version and data for your Device.
- Content Information: We will use health information submitted through the Site for the purposes of storing that information and making it available to you or (with your consent) your nominated health practitioner as you may request from time to time.
- Log Information: this is stored for security and audit purposes and to ensure that we are able to support your use of Patient Watch.
- For security and safety purposes: we monitor activity in order to help protect our users from security threats and to detect if users are trying to misuse any element of the Site or to use them in an unauthorised manner. We may also use your contact information in order to alert you to any relevant security issues or safety concerns of which we are aware.
- To statistically analyse user behaviour and activity: We will monitor user interest and behaviour to help us to understand general usage of the Site to help us improve the services we provide. We may also use this information to tailor the view of the Site or any communications you receive from us so as to provide you with what we believe to be more relevant information. We may conduct statistical analysis in respect of the Service, either ourselves or through an agency acting on our behalf and may share statistical data (that will not identify you) with relevant third parties.
- For audit, research, trials and evidence generation: subject to applicable law, ethics requirements, contractual restrictions and the role of the relevant data controller, we may use personal data, pseudonymised data and aggregated results for clinical audit, service evaluation, registries, post-market surveillance, medical research, and clinical trial delivery or analysis, including work undertaken with healthcare organisations, academic institutions, contract research organisations, pharmaceutical companies, biotechnology companies, medical device companies and other life sciences partners.
- Programme enrolment and care-pathway sharing: where you are enrolled on the Service by or through a care provider, clinic, study sponsor, registry, manufacturer-backed programme, or other organisation, Patient Watch, your enrolling organisation, the study sponsor, or another controller may provide programme-specific notices and may ask you to give separate consent where consent is the relevant lawful basis. Depending on the controller role and programme materials, we and/or the relevant controller may use your data as follows:
- to share information with your responsible clinician or other healthcare professionals involved in your care, as configured for your programme;
- to allow your enrolling organisation to use information you provide, on your behalf and in connection with your care, to prepare and submit information to insurers, commissioners, public bodies, or other payers where necessary for funding, reimbursement, treatment authorisation, audit, or other reporting required for your care pathway;
- to share anonymised or aggregated data that does not identify you with the study sponsor of your programme and, where relevant, the manufacturer or supplier of the medical device, medicine, or care product concerned (in many programmes, the study sponsor is also the manufacturer or supplier), for post-market surveillance, regulatory compliance, service evaluation, medical research, and publication in scientific or clinical literature. Before sharing anonymised or aggregated outputs, the responsible controller or processor applies safeguards such as removing direct identifiers, aggregation, small-number suppression where appropriate, access controls, contractual restrictions, and commitments not to re-identify individuals. If any output remains identifiable or pseudonymised personal data, it is treated as personal data and shared only where a lawful basis, controller instructions, contract, ethics approval, or other applicable governance requirement permits it.
We may associate any category of information with any other category of information and will treat the combined information as personal data in accordance with this privacy notice for as long as it is combined.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
BASIS ON WHICH WE PROCESS YOUR PERSONAL DATA
We may rely on a range of legal grounds in accordance with the applicable privacy laws in order to ensure that our use of your personal data is lawful, including:
- where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
- performing and/or testing the performance of, our products, services and internal processes;
- following guidance and recommended best practice of government and regulatory bodies;
- managing and auditing our business operations;
- monitoring and keeping records of our communications with you;
- undertaking market research and analysis and developing statistics; and/or
- for direct marketing communication purposes and to help us to offer relevant products and services;
- to comply with our legal obligations; and/or
- with your (explicit) consent.
DISCLOSURE OF YOUR INFORMATION
Disclosure of your personal data to third parties may arise in a number of scenarios, for example:
- If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
- In order to:
- enforce or apply the Terms of Use and other agreements or to investigate potential breaches of the same; and/or
- protect the rights, property or safety of PW, our customers, or others (acting at all times in accordance with our obligations under the relevant data protection legislation).
- In connection with a potential sale or transfer of part or all of our business. In such circumstances we may share information with prospective purchasers (for example as part of a controlled due diligence exercise).
- If we reorganise our business, as we may need to transfer information about you to another member of our group of companies so that we can continue to provide the Service to you.
- Where permitted by law, contract, ethics approval and applicable data governance requirements, we may disclose personal data, pseudonymised data, anonymised data, and aggregated outputs to healthcare organisations, academic institutions, regulators, contract research organisations, pharmaceutical companies, biotechnology companies, medical device companies and other research or commercial partners for clinical audit, service evaluation, registry activity, post-market surveillance, research, or clinical trial purposes.
- Where another organisation, such as an NHS trust, private provider, insurer, sponsor, registry, manufacturer, supplier, or research institution, is the data controller or joint controller for a dataset or project, that organisation will determine the lawful basis, notices, permissions, instructions and sharing arrangements that apply to the relevant processing.
- Where you consent as part of a care pathway, study, registry, or device programme, personal data may be disclosed to your responsible clinician, to insurers, commissioners, public bodies, or other payers (via your enrolling care provider where applicable), and anonymised or aggregated data may be disclosed to the study sponsor of your programme and, where relevant, the manufacturer or supplier of a relevant medical device, medicine, or care product (in many programmes, the study sponsor is also the manufacturer or supplier), for post-market surveillance, regulatory compliance, service evaluation, medical research, and publication in scientific or clinical literature, as explained in our Terms of Use.
We maintain a register of material suppliers and subprocessors that support the Service. This includes the nature of the service provided, whether the supplier handles personal data, the contract basis, and assurance information reviewed.
We publish a Subprocessors summary and make relevant subprocessor information available to organisational customers through contracts, due diligence materials, or on request.
We do not sell directly identifiable personal data. Where we disclose or license pseudonymised datasets, anonymised datasets or aggregated outputs for research or commercial purposes, we use legal, contractual, organisational and technical controls designed to protect data and restrict re-identification and onward use. These controls may include data minimisation, removal of direct identifiers, aggregation, small-number suppression where appropriate, access controls, audit or review of outputs, contractual restrictions on onward use, and commitments not to attempt re-identification. If data remains identifiable or pseudonymised, we continue to treat it as personal data and disclose it only where the relevant controller role, lawful basis, contract, ethics approval, or other governance requirement permits it.
We will ensure that we comply with our responsibilities whenever sharing data with a third party.
HOW AND WHERE WE STORE YOUR PERSONAL DATA
We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control.
Personal data which we hold in relation to you will be stored securely on AWS servers in the UK.
Our standard deployment is hosted in the United Kingdom. The European Commission has adopted an adequacy decision for the United Kingdom, which currently permits personal data to be transferred from the EEA to the UK without additional transfer safeguards, subject to the scope and continued validity of that decision.
Where EU GDPR applies and personal data is processed in or accessed from the UK, we and the relevant controller will document the transfer basis, including UK adequacy or another lawful transfer mechanism where needed.
Where data is transferred or remotely accessed outside the UK or EEA, we will use an appropriate transfer mechanism and supplementary measures where required.
Where we have given you (or where you have chosen) a password that enables you to access certain parts of the Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone and that you use a unique password in respect of your Patient Watch account. We will hash and salt this password, and the unhashed password value will not be stored or transferred.
We will retain a record of your personal data in accordance with relevant law and the following criteria:
- where we have a reasonable business need to do so, for example, in order to manage our relationship with you;
- where we are providing products and/or services to you and then for as long as someone could bring a claim against us in respect of those products or services; and/or
- in line with any legal and regulatory requirements or guidance in respect of retention periods.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted to the Site; any transmission that you make is therefore made at your own risk. However, once we have received your data, we will use strict procedures and security features designed to prevent any unauthorised or unlawful access to the same and all information you provide to us will be stored securely.
The Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites (and any services that may be accessible through them) will have their own privacy notices, policies and terms of use and we do not accept any responsibility or liability for the same (and how they may be applied) or for any personal data that may be collected through those third party websites or services, such as contact and location data. Please check the relevant third party terms, notices and policies before you provide any personal data to those websites or use their services.
NATIONAL DATA OPT-OUT (NHS ENGLAND)
The NHS National Data Opt-out programme in England gives people a choice about whether certain confidential patient information may be used for purposes beyond their individual care (for example some research and service planning), where that processing falls within the scope of the policy. It does not apply to every type of processing and does not replace other lawful requirements or care delivery. You can read more and set or change your choice at www.nhs.uk/your-nhs-data-matters. Programme information from NHS England is available at National data opt-out programme.
Patient Watch Ltd complies with the National Data Opt-out policy for any use or disclosure of confidential patient information that we undertake as controller and that falls within the scope of that policy. We maintain and review operational processes so that national opt-out preferences are applied where the policy requires. Where another organisation (such as an NHS trust, sponsor, or research institution) is the controller for a given dataset or project, that organisation is responsible for applying the policy in its own context, including any checks and approvals that apply to data we process on their instructions.
For questions about how this applies to your use of Patient Watch, contact info@patient-watch.com.
This section is our published compliance statement for the National Data Opt-out. NHS England’s overview of compliance is at Compliance with the National Data Opt-out.
YOUR RIGHTS
You have a number of important legal rights regarding the manner in which personal data relating to you is used. You can find more information about your rights on the Information Commissioner’s Office website – please see https://ico.org.uk/for-the-public/.
We have outlined below the key rights which we believe may be relevant to your use of the Site.
If you would like to exercise any of these rights then please contact us using the contact information provided below. Please note that you may be asked to provide us with reasonable proof of your identity so that we can be sure that we are discussing or providing your personal data with, or to, you (or if someone is making a request on your behalf, we need to check that they have the authority to do so).
When you contact us to exercise these rights, we will handle your request in line with the UK GDPR and, where we consider it relevant, the ICO’s guidance on individual rights (see https://ico.org.uk/for-the-public/). Unless a different period applies under law, or we are allowed to extend a deadline because a request is complex or numerous, we aim to respond within one calendar month of receiving your request, or within one month of receiving any further information we reasonably need to verify your identity, whichever is later. If we extend a deadline where the law permits, we will tell you why and when you can expect our full response.
Access to information
You have the right to access certain information we hold about you so that you can be aware of, and verify the lawfulness of, the processing we undertake.
You can exercise your right of access by making what is generally referred to as a ‘subject access request’.
We will review each request which we receive and if we agree that we are obliged to provide personal data to you then we will (subject to certain limited exceptions provided under the relevant law) amongst other things: (i) describe it to you; (ii) tell you why we are holding it; (iii) tell you who it could be disclosed to; and (iv) let you have a copy of it (this may include providing an electronic copy). The time limits described in the previous paragraph apply to subject access requests in the same way.
Right to have information corrected
If you identify that any personal data that we hold about you is wrong, inaccurate or out of date then you may ask us to correct or update it. Please contact us via the details provided below and we will review each request and respond accordingly.
Right of erasure and the right to stop or limit our processing of your personal data
The right of erasure is also known as the ‘right to be forgotten’. You have the right to ask us to erase data we hold about you. Alternatively, you can ask us to stop or to limit any processing we are undertaking in respect of your personal data. These rights arise if we no longer have a valid reason to do so or if we have held it for too long.
These are not absolute rights but every request we receive will be considered carefully and we will respond accordingly (providing grounds for any decision we make).
Right to withdraw consent
You are free to withdraw any consent which you have given to us in relation to our use of your personal data at any time. This includes any programme-specific consent where Patient Watch is the controller or is responsible for collecting consent on behalf of the relevant controller.
Please note that not all uses which we make of your personal data require your consent. For example, we may need to use information to provide a service you have requested, comply with legal obligations, maintain security, or process data on another controller’s documented instructions.
If you withdraw consent for a care pathway, study, registry, device programme, or other programme feature, you may no longer be able to continue using that programme or feature where the processing is necessary for participation. Withdrawal does not affect processing that took place before withdrawal.
It may also not be possible to remove information that has already been irreversibly anonymised, because it no longer identifies you. Where another organisation is the controller, we may direct your withdrawal request to that organisation or handle it on that organisation’s documented instructions.
Right to object
You have the right to object to the processing of your personal data at any time. This effectively allows you to stop or prevent the processing of your personal data.
An objection may be in relation to all of the personal data we hold (as a controller) about you or only to certain information. It may also only relate to a particular purpose we are processing the data for.
You have the right to object where we are processing your personal data for direct marketing purposes by following the opt-out links on any marketing message sent to you or by contacting us at any time. Save in relation to direct marketing communications this is not an absolute right but every request we receive will be considered carefully and we will respond accordingly (providing grounds for any decision we make).
Right to complain
If you are unhappy about the way in which we have processed your personal data then you have a right to raise the issue or to lodge a complaint with the Information Commissioner’s Office – as noted above please see https://ico.org.uk/for-the-public/ for further details.
If the EU GDPR applies to the processing of your personal data, you may also have the right to lodge a complaint with a supervisory authority in the EU Member State where you live, where you work, or where you believe an infringement has taken place.
Changes to our privacy notice
We will keep this privacy notice and we may update it from time to time (for example, to reflect changes we might make to our services or to reflect changes in the law or best practice). Any changes we may make to our privacy notice in the future will be posted on this page.
We encourage you to visit this page periodically so that you are aware of any changes which have been made. In addition, changes may be notified to you by e-mail or when you log onto the Site. The new terms may be displayed on-screen and you may be required to read and accept them to continue your use of the Service.
Contact Details
If you have any comments or concerns regarding our privacy notice, or the manner in which we handle your personal data, or if you would like to exercise any of the rights outlined above, then please do feel free to contact us by one of the following means: by email at info@patient-watch.com
We will consider your comments and respond accordingly. Please note that if you have a ‘support’ query (for example you are having issues in accessing the service) then please refer to our support site - https://patient-watch.com/info.