
Induction Healthcare (UK) Limited Privacy Notice for Induction Switch

Induction Healthcare (UK) Limited (“Induction”, “us”, “our” and “we”) respects and values your privacy and is committed to protecting your personal data. This privacy policy tells you how we look after your personal data when you use the Induction Switch (Application) platform.

About us

Induction Healthcare (UK) Limited is registered with Companies House with company number 11237890.

Our registered business address is: 20 St. Dunstan’s Hill, London EC3R 8HL

With respect to your personal data, as a user or non-user contact, we can act as both data controller and processor depending on the situation. We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the Data Protection Act 2018, the General Data Protection Regulation and the need to uphold the common law duty of confidentiality when we process personal information related to patients.

Contact details

We have appointed a Head of Information Governance who is the Data Protection Officer responsible for overseeing questions in relation to this privacy notice.

Name or title of data privacy manager: Data Protection Officer

Email address: dpo@inductionhealthcare.com

Postal address: 20 St. Dunstan’s Hill, London EC3R 8HL

ICO Registration: ZA792302

The purposes of processing

The Induction Switch product has three main purposes:

1. To provide real time savings to healthcare professionals

2. To improve multidisciplinary team communication and with this have a positive impact on patient care

3. To provide healthcare professionals with as much information as possible to treat their patients

To enable the delivery of these main purposes Induction Switch has a number of different modules. A module is a set of software processes which when taken together have a common function. Currently there are 11 modules within the product, with constant activity to improve it still further. The full description of those modules is shown in the appendix to this Privacy Notice.

In addition, there are 3 activities needed to ensure the main purposes are performed optimally and the product constantly improved. These are:

  • Clinical Advisory Board
    • A sub-group of users acting as a virtual group (a User forum) to help Induction improve the product and establish how well it is meeting its aims
  • Support Service
  • Analytics

At a more detailed level we may use this information to provide the Application to you, including to:

  • Maintain and improve the Application
  • Contact individuals for the purposes of preventing or addressing service, security or technical issues
  • Answer queries from users directly
  • Maintain the security of the platform. This may involve contact with our users via email or through the Application.
  • We may also use this information to enforce these Terms and Conditions; to comply with our legal obligations (e.g. where we are required to do something by law); or in our pursuit or defence of legal claims
  • We also use aggregated anonymised data to help us understand, improve and promote the Application. For example, the average number of times the directory for a given hospital is viewed per week

The lawful basis of processing

Induction has arranged its product in three levels to support both individuals and organisations. The types of data it is possible to process are different in each of the 3 levels and therefore the legal basis for the processing will also differ. The three levels and the associated legal bases are described below:

Level 0

This level of implementation is created by the Induction Switch Support Service for a location (like a hospital) or a team, for example a specific team based in a community site. It is called an “open” group and the shared data should contain no personal data and no patient data. The specific profile of the processing included in each module for the level 0 implementation is shown in Table A.

The Application is a free service which requires account registration prior to use. The account information that is required is the user’s first name, last name, email address, password and professional role. A verification process is used to check the validity of the email address provided and once this is complete, the user has access to the Application. Their login details may also be used to gain access to a web based version of the Induction app (via www.app.induction-app.com).

This data is obtained by Induction directly from you when you create your account in the Application.

Whilst using the Application, personally identifiable information is collected relating to your use of the Application. This includes user ID/time/date stamps relating to your activity in the Application, numbers that you create/edit, codes that you create/edit, FAQs that you create/edit, documents that you access. These are generated when you use the Application and they form part of the audit trail generated by the Application. You can stop all collection of information by the Application easily by uninstalling the Application and then requesting account removal by emailing us at support@induction-app.com. You can also request removal of your account and all associated data at any time by logging into your account on our website and navigating to the profile section. Here you will see a number of options available to you for account removal.

The legal basis for the use of this service is explicit consent as detailed under General Data Protection Regulation Article 6(1)(a) and the end user is responsible and accountable for all data they enter both from a data protection and professional accountability perspective so they must be the data controller for the data or have explicit consent for the use of the personal data. The end user can revoke their consent and delete their data at any point by a variety of means. In addition, if the information the end user, administrator or collaborator shares is bound by intellectual property legal constraints (e.g. copyright) they must meet and be responsible and accountable for any terms of use of that information.

When Induction process personal data for which they have not specifically received consent they will do so under the following legal bases:

  • occasionally to protect your vital interests, or those of others: [Article 6(1)(d)];
  • as necessary in the public interest: [Article 6(1)(e)]; or
  • as necessary for our (or others') legitimate interests [Article 6(1)(f)], including our interests in providing an innovative, relevant, safe, and clinical service to our users aligned to our Terms and Conditions, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data. Legitimate interests are the legal basis for giving end users information including education and analysis functions as set out in the purposes section and Appendix 1.

You can stop all collection of information by the Application easily by uninstalling the Application and then requesting account removal by emailing us at support@induction-app.com. You can also request removal of your account and all associated data at any time by logging into your account on our website and navigating to the profile section. Here you will see a number of options available to you for account removal.

Level 1

In the level 1 implementation, a closed or private Team Space from a group of end users can be created for a subpopulation in the open (level 0) end user community, and messaging for personal use, which is NOT for patient specific clinical messaging, is turned on. The specific profile of the processing included in each module for the level 1 implementation is shown in Table A.

The legal basis for the use of this service is explicit consent as detailed under General Data Protection Regulation Article 6(1)(a) and the end user is responsible and accountable for all data they enter both from a data protection and professional accountability perspective so they must be the data controller for the data or have explicit consent for the use of the personal data. The end user can revoke their consent and delete their data at any point by a variety of means. In addition, if the information the end user, administrator or collaborator shares is bound by intellectual property legal constraints (e.g. copyright) they must meet and be responsible and accountable for any terms of use of that information.

When Induction process personal data for which they have not specifically received consent, they will do so under the following legal bases:

  • occasionally to protect your vital interests, or those of others: [Article 6(1)(d)];
  • as necessary in the public interest: [Article 6(1)(e)]; or
  • as necessary for our (or others') legitimate interests [Article 6(1)(f)], including our interests in providing an innovative, relevant, safe, and clinical service to our users aligned to our Terms and Conditions, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data. Legitimate interests are the legal basis for giving end users information including education and analysis functions as set out in the purposes section and Appendix 1.

You can stop all collection of information by the Application easily by uninstalling the Application and then requesting account removal by emailing us at support@induction-app.com. You can also request removal of your account and all associated data at any time by logging into your account on our website and navigating to the profile section. Here you will see a number of options available to you for account removal.

Level 2

Within a Level 2 implementation Induction is a Data Processor and contracts with a CQC registered provider (usually an acute hospital Trust) and as such supports the direct care of patients by the Provider (clinical activity) through messaging. Furthermore, the Application uses zero-knowledge-based end-to-end encryption meaning that the encryption keys to decrypt the messages are only stored on the users’ device, meaning the company cannot decrypt or read any of the message content. The messaging interchange between the clinicians about a patient is the equivalent of a telephone conversation and will be transcribed into the patient record as advised by the General Medical Council and NHS England [1]. The CQC registered provider (for example an NHS Trust) is responsible for ensuring the privacy notice for patients is updated to reflect this as appropriate.

The personal data content of Induction Switch is processed through instruction of the Trust as a Data Controller, so the legal basis for Induction is GDPR Article 6(1)(b) in that the Trust and Induction have entered into a contract for the provision of this product.

The data protection lawful basis for the processing of the special category personal data of patients by the Trust is:

  • Common Law Duty of Confidentiality; implicit consent and opt out of specific services
  • Public Task under the General Data Protection Regulation (GDPR) Article 6(1)(e) for personal data and
  • For special category data it is Article 9(2)(h), which is health or social care with a basis in law and
  • The basis in law is set out in the Data Protection Act 2018 where there is a requirement for official authority. Section 8 of the Data Protection Act 2018 states that when an organisation is processing personal data for the performance of a public interest task, they must identify that task. The Trust’s public task falls under section 8(c) of the Data Protection Act in that they are exercising a function conferred on them by an enactment or rule of law. That enactment will be one of the legal gateways set out in the table of sources of “official authority” set out below.

In addition to patient special category data, Induction collects personal data about end users (Clinicians and administrators & collaborators) from the Trust appointed administrators (Provider Trust staff) who verify the personal data content of their staff namely: name, email address, and occasionally phone number. There is no special category data collected on staff. The data protection lawful basis for the Trust to process their staff data in this way is GDPR Article 6(1)(e) in that the Trust is performing a task carried out in the public interest. Section 8 of the Data Protection Act 2018 states that when an organisation is processing personal data for the performance of a public interest task, they must identify that task. The Trust’s public task falls under section 8(c) of the Data Protection Act in that they are exercising a function conferred on them by an enactment or rule of law. That enactment will be one of the legal gateways set out in the table of sources of “official authority” set out below, most likely the National Health Service and Community Care Act 1990.

Some examples are given below

| ORGANISATION (TYPE) | SOURCE OF 'OFFICIAL AUTHORITY' |
| --- | --- |
| NHS England | |
| Clinical Commissioning Groups | NHS Act 2006 |
| NHS Digital | Health and Social Care Act 2012 |
| GP Practices | NHS England's powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs. |
| NHS Trusts | National Health Service and Community Care Act 1990 |
| NHS Foundation Trusts | Health and Social Care (Community Health and Standards) Act 2003 |
| Local authorities | Local Government Act 1974; Children Act 1989; Children Act 2004; Care Act 2014 |

Table A: Showing the Modules available in each of the three implementation levels

| Processing | Level 0 | Level 1 | Level 2 [2] |
| --- | --- | --- | --- |
| Directory | | Module present: More detailed location and bleep numbers than Level 0 | Module present: Personal work extensions & numbers in addition to non-personal numbers |
| Messaging | | Module present: Personal use only. No patient specific clinical messaging | Module present: Personal use and for patient specific clinical messaging |
| Team Space | | Module present: Closed/private subpopulations | Module present: Closed/Private subpopulations as specified by Trust |
| Chatbot | | Module present: Only if end user has on-boarded messaging | Module present |
| Favourites | | Module present | Module present |
| Guidelines | | Module present: Any via Team Space Administrator agreed by (SS) | Module present: Any via Team Space Administrator agreed by (SS) & Trust |
| Links | | Module present: Any End User can add | Module present: Any End User can add; constrained by Trust policy |
| Quick dial | | Module present | Module present |
| News feed | | Module present: only from (SS) or collaborator agreed by (SS) | Module present: only from (SS) or collaborator agreed by (SS) and agreed by Trust |
| Surveys | | Module present: National level only for all Users only via (SS) | Module present: Surveys can be enabled or disabled at the Trust level |
| Private Numbers and codes | | Module present: End User must be Data Controller for this data &/or have explicit consent to use it | Module present: End User must be Data Controller for this data &/or have explicit consent to use it |
| Remote wipe | | Module present: For End User only | Module present: For End User and Trust SIRO [A] |
| Support Service (SS) | | Module present | Module present |
| Clinical Advisory Board | | Module present | Module present: subject to Trust Policy |
| Analytics | | Module present | Module present: Made available upon Trust instruction to do so |

1 Information governance considerations for staff on the use of instant messaging software in acute clinical settings Version number: 1.0 Published: 9 November 2018 NHS England Publications Gateway Reference: 08496 Prepared by: Kiran Mistry, Data Sharing and Privacy Unit, NHS England

2 May include patient data subject to specific Trust instruction

A = Senior Information Risk Owner of Trust

The recipients or categories of recipients of the personal data from Induction Switch

The primary recipients of the data for each class of product are described in the table below:

  • Non-personal data:
    • Any end user who chooses the particular open location or clinical team as their favourite
  • End user registration data
    • Induction via support service or system administrators
    • CQC registered Trust administrator in the level 2 implementation
  • Personal data which is not patient data and for which there is no explicit consent to share or which is a location associated code:
    • This is available only to the person who entered the data into the personal numbers and code module of Induction Switch and no other end user
    • Induction system administrators
  • Personal data which is not patient data and for which there is explicit consent to share:
    • clinicians and possibly their teams and (Trust) administrators within the closed/private Team Space and
    • Induction via support service or system administrators
  • Personal data which is clinical data (i.e. special category data):
    • Only the communicating clinicians (or rarely their teams) involved in the specific message and;
    • Who are verified employees of a Trust and;
    • Acting within a Trust contract with Induction Healthcare (UK) Ltd

Finally, there are the Induction subcontractors who, in the level 2 situation, are part of the Provider Trust (DC-DP) contract with Induction. They must conform to the same information governance rules as Induction Healthcare (UK) Limited does through separate specific contracts (DP-DP) with Induction. Induction have used or are using the following sub-contractors who access personal data under contract to Induction:

  • Email service
  • Support function service
  • Data hosting services
  • Analytics software tools

Some of the analytics personal data is collected by Cookies and this is explained in more detail within the Cookie Policy found at https://inductionhealthcare.com/cookies

The details of transfers of the personal data to any third countries or international organisations

The details of data we hold that may be transferred to any third countries are set out in the table below. It should be noted that no clinical data (i.e. patient data or special category patient data) from Induction Switch is transferred to any third country from the body of an instant message.

| Recipient Name | Purpose of processing | Location of data and/or location of Data | Appropriate Privacy Safeguards in place |
| --- | --- | --- | --- |
| Mixpanel | | USA company | |
| Freshdesk | | USA company & EU (Frankfurt) data centre | |
| Firebase (owned by Google) | | USA company | |
| Sentry | | USA (Stores in Google cloud platform in encrypted form) | |

The retention periods for the personal data

We store personal information in the form of user accounts which our users sign up for. We also store numbers, FAQs, guidelines and personal codes provided by our users. We store all information entered into the app on our secure cloud-based servers. All data is encrypted while in motion.

  • End user registration data:

    We will retain your personal information for as long as you have a user account with Induction. If you ask for your user account to be removed, we will action this request and delete your data within 30 days.

  • Personal data which is not patient data and for which there is no explicit consent to share:

    We will retain this personal information for as long as you have a user account with Induction. If you ask for your user account to be removed, we will action this request and delete your data within 30 days.

  • Personal data which is not patient data and for which there is explicit consent to share:

    When this data is not about a person with an Induction account, this data can be deleted by an administrator with or without discussion with the Induction Switch support service, or similarly at the instruction of a CQC registered Trust in a level 2 implementation

  • Personal data which is clinical data (i.e. special category data):

    Messages are encrypted with end to end encryption in both transit and at rest (AES 256). We operate a “zero visibility” system which means no one except the user sending and the user receiving the message can see the message. The metadata of who messaged whom and at what time and date exists on the Induction Switch server for exactly 30 days from when the message was sent. After the 30 days, the log of the message and all metadata surrounding it are deleted permanently. All of our data is backed up automatically for 14 days on NHS approved hosted services.

Security

We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect any information (e.g. aggregated, anonymised installation and usage data) we process and maintain. For example, we limit access to this information to authorised employees and contractors who need to know that information in order to operate, develop or improve our Application. We are certified in Cyber Essentials, ISO 27001 and meet the National Data Guardian’s 10 Security Standards as part of our Data Security and Protection Toolkit submission. Please be aware that, although we endeavour to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches. As such we make no warranties as to the level of security afforded to your data, except that we will always act in accordance with the relevant UK and EU legislation.

The rights available to individuals in respect of the processing

In the Level 2 implementation through a contract with an NHS Trust, your rights to access, rectification, erasure, restriction, objection and data portability are determined by your health or social care Provider and should be described within their privacy policy. Induction is able to support them meeting their legal duties to you.

With regard to Induction Switch we are able to meet your rights as follows:

- Access to your personal information (this means that you are entitled to request a copy of your personal information and we will grant you access or provide you with all personal information that we hold about you). Please note that for a specific patient who is the subject of a message between clinicians, Induction have no access to this data to even search for it. It can only be achieved in level 2 by a Trust asking its clinicians if anyone has made a message about you in the last 30 days and it is up to them to disclose it.

- Data portability (this means that you are entitled to request that the information you have provided to us is then provided to you or to another organisation in a portable, machine readable, electronic format).

- Rectification (this means you have the right to require us to rectify any inaccurate data held by us about you).

- Erasure (this means you have a right to require us to erase personal information held by us about you, for example when we no longer need to use your personal information for the purpose we collected it for).

- Restriction (this means you have a right to object to our processing of personal information held by us about you in certain circumstances for example, if you would not like to be subject to any profiling or direct marketing). Currently Induction does not undertake automated individual decision making and profiling.

The right to withdraw consent

We will retain your personal information for as long as you have a user account with Induction. If you ask for your user account to be removed, we will action this request and delete your data within 30 days and within 14 days within back up services.

The right to lodge a complaint with a supervisory authority

You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us, or the relevant data controller where we are acting as a data processor, in the first instance.