Induction Zesty Privacy Notice
Zesty Limited respects and values your privacy and is committed to protecting your personal data. This privacy notice tells you how we use and look after your personal data when you use Induction Zesty (previously known as Zesty Enterprise).
About us
Induction Zesty is operated by Zesty Limited.
We are a limited company registered in England and Wales, that is part of the Induction Healthcare group. Our company number is 08294659 and our registered office is at c/o Pinsent Masons, 30 Crown Place, Earl Street, London, EC2A 4ES.
In this document, “we”, “us” or “our” always means Zesty Limited.
If you use the Induction Zesty platform we collect, use and are responsible for certain personal information about you. Our use of your information is regulated under the Data Protection Act 2018, the UK General Data Protection Regulation and the need to uphold the common law duty of confidentiality.
We have appointed a Head of Information Governance who is the Data Protection Officer responsible for overseeing questions in relation to this privacy notice.
Contact details
Contact our Data Protection Officer
Email Address: dpo@inductionhealthcare.com
Postal address: c/o Pinsent Masons, 30 Crown Place, Earl Street, London, EC2A 4ES
ICO Registration: ZA045251
Purposes of our processing
The purpose of Induction Zesty is to provide a patient portal to help make it easier for patients to view and manage their outpatient appointments and correspondence online. If you have been invited by your NHS Trust or other Provider organisation to use the Induction Zesty platform, we need to process your personal data in order to provide this service to you. We also process your personal data if you make contact with us directly, for example to report a technical problem.
We, or our hosting services, might collect information about how you use Induction Zesty. Any information collected in this way will only be used for the purposes of further developing and improving the Induction Zesty service. The information that we collect will not include any of your personal data but it will include items such as your Provider or hospital name and which pages or links you click on when using the platform.
What we collect
When you use the Induction Zesty platform we collect and process your:
- Name
- Address
- Date of Birth
- Email address
- Mobile phone number
- Unique patient identifiers (NHS number and/or hospital MRN number)
- Appointment type / clinic name
- Data entered via online questionnaires on behalf of your Trust where requested
If you report a technical problem, we will ask you to provide your:
· Name, and
· Email address
so that we can get in touch to help sort the issues you are having. The system that we use to record technical problems will also collect some information that we need to help identify the problem. We may also contact you about your use of the platform.
Where Trust nominated staff use the platform, personal data is also processed to create a staff log-in account. The minimum would include:
- Name
- E-mail address
- Mobile phone number (work number or personal number if work phone not provided)
The lawful basis of processing
Zesty Limited is a processor of your personal data that is processed on the Induction Zesty platform. We are processing on behalf of, and under contract to, your NHS Trust or other Provider organisation (the controller).
The controller’s data protection lawful basis for processing your personal data is likely to be:
· UK GDPR Article 6(1)(e) in that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and
· UK GDPR Article 9(2)(h) in that the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law and pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
When relying on UK GDPR Article 9(2)(h) to process data concerning health, the controller is also required to meet the associated condition in UK law. It is likely that the controller is relying on paragraph 2 of Schedule 1 of the Data Protection Act 2018 in that the processing is necessary for health or social care purposes.
Zesty Limited is able to process your personal data on behalf of the controller by virtue of a legally binding contract.
When you register to use the Induction Zesty platform, this is both an authentication process and a consent process to meet the requirements of the common law duty of confidentiality.
The recipients or categories of recipients of the personal data
The primary recipient of the personal data is you as the patient.
The secondary recipients are the controllers (i.e. the NHS Trusts who are Providers or other care organisations) when patients use Induction Zesty to manage an appointment with their NHS Trust or other Provider organisation, or complete an online questionnaire where applicable.
Finally there are the Induction Zesty subcontractors who are part of the contract we have with the controller and must conform to the same information governance rules as we do through separate specific data processing contracts with us. Induction Zesty is using the following sub-contractors who access some personal data under contract to us:
· Amazon Web Services (AWS) for hosting data.
· AWS Simple Email Service is used to provide email services in the event you forget your password and require an email to re-set it.
· AWS CloudWatch service used by the Induction Zesty team to answer any support queries resulting from the Simple Email Service when you may require assistance to re-set your password.
· TextLocal (part of Webex by Cisco) and 8x8 UK Limited are both used to provide SMS services.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
The details of transfers of the personal data to any third countries or international organisations
Your data is processed within the UK and is not shared to any third countries or international organisations.
The retention periods for the personal data
Zesty Limited is a processor for controllers such as NHS Trusts who are Providers or other organisations who are usually part of the NHS or adult social care system. We therefore set our retention and deletion standards based on the NHS records management standard unless otherwise instructed by the controller.
We adhere to the Records Management Code of Practice for Health and Social Care 2021 and as such have adopted Appendix II of the Code which contains the detailed retention schedules. The Code sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement.
The rights available to individuals in respect of the processing
Under certain circumstances you have the following rights under data protection legislation in relation to your personal data.
You have the right to:
· Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
· Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
· Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
· Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
· Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
o if you want us to establish the data's accuracy;
o where our use of the data is unlawful but you do not want us to erase it;
o where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
o you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
· Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
· Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
To exercise any of your rights, we would advise that you contact the controller organisation in the first instance and they will provide an instruction to Zesty Limited so that we can fulfil your request.
Alternatively you can contact us directly at dpo@inductionhealthcare.com. Please note that if you come to us first, we will most likely need to contact the controller in order to seek their instruction to fulfil your request.
For any other queries or concerns about Induction Healthcare’s processing of your personal data please contact our Data Protection Officer at dpo@inductionhealthcare.com.
The right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us, or the relevant controller where we are a processor, in the first instance.
Changes to this privacy notice
We may amend this privacy notice from time to time, but if we do so we will notify you by providing the updated privacy notice when you next use the platform. Every time you wish to use the platform, please check this privacy notice to ensure you understand how we will use your data at that time.