Digital Health Privacy Notice

 

1. About Us

QUANTA Dialysis Technologies Limited (QUANTA) is a medical device company that provides haemodialysis products and services to healthcare providers so that patients can carry out haemodialysis using our products (including QUANTA’s digital health platform (the Portal)) in their home or in the clinic.

This Privacy Notice sets out important details about information that QUANTA may collect and hold about you, how that information may be used and your legal rights. Please take time to read this Privacy Notice carefully and contact us if you have any questions about its content.

 

2. How we collect personal information

We collect personal information from you and from others involved in your care and treatment whilst providing our haemodialysis products and services to healthcare providers and to you.

We collect personal information from you through your contact with us, including face-to-face, by phone, by email, by post, by filling in forms and inputting information online or through the use of third party applications or smart devices (Devices). For further information on how we use data from Devices please see section 4. Connected Devices.

We also collect information from other people and organisations.
We may collect information from:

• doctors, other clinicians and healthcare professionals, hospitals, clinics and other healthcare providers;
• a family member, or someone else acting on your behalf;
• your parent or guardian, if you are under 18 years old;
• any service providers who work with us in relation to the provision of our products.


3. Categories of personal information we process

We process two categories of personal information about you:

1. standard personal information (for example, information we use to contact you or identify you); and
2. special categories of information (for example, health information).

Standard personal information includes:

• contact information, such as your name, address, email address and phone numbers;
• emergency contact details, including next of kin;
• your age and your date of birth; and
• details of any contact we have had with you, such as any complaints or incidents.

Special category information includes:

• information about your current or previous physical health or mental health, your sex life and/or sexual orientation, your religion, nationality, race and/or ethnicity and genetic or biometric data relating to you. We may get this information from:

    • forms (whether paper based or in electronic form) you have filled in;
    • the inputting of information by you either online or through the use of Devices;
    • notes, reports and records about your health and any treatment and care you have received or need, including prescriptions, provided to us by your healthcare provider or obtained by us as part of the treatment you receive from our products and services; or
    • details of contact we have with you, such as telephone calls, emails and information about complaints or incidents.

 

4. Connected Devices

Personal information collected by Devices can be uploaded automatically and shared via the Portal to allow your clinician to have access to this personal information for your care and treatment. To enable the Portal to access this personal information QUANTA uses a third party aggregator to collate the personal information recorded by your Device and convert it into a readable format. For further information on who we share your personal information with please see section 9. With whom do we share your personal information?



If you want to connect your Device to the Portal you will need to consent to share your personal information. This consent will be detailed at the point at which you choose to connect your Device to the Portal. The personal information that the Device collects is governed by the privacy policy of the respective Device company. You should consult the privacy policy of the relevant Device company for further details about how they collect your personal information.



It is important to note that only you and your healthcare provider will have access to the personal information recorded by your Device; QUANTA will not be able to view this personal information. However, as this personal information is processed by the third party aggregator on our instructions, so that it can be shared with your clinician via the Portal, this personal information is processed in accordance with this Privacy Notice.



If you want to withdraw your consent at any stage and disconnect the Device from the Portal, you will be able to do this using the Device’s settings. You may also disconnect by informing us and we will process the request for you.



5. What we use your personal information for

We process your personal information in order to provide our services and products to healthcare providers so that you can use our haemodialysis products and services in your home or in the clinic.


We may use your phone number or email address to contact you in advance of your treatment to install our haemodialysis machine in your home. We will use your address to install our haemodialysis machine and to supply you with the products you need for your haemodialysis treatments. We may send you confirmations/reminders of products you need for your haemodialysis treatment via text message or email and we may respond to your email enquiries via email. We may use your phone number or email address to contact you to assist you or to monitor your use of our products.


We may also use information about you for quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you. This may include our workforce planning and management systems to help support our staff to develop and plan your use of our products and to ensure we have got the right levels of productivity and efficiency and good outcomes for patients and their healthcare provider.


We may also use information about you where there is a legal or regulatory obligation on us to do so or in connection with legal proceedings.


We may also use information about you where you have provided your consent to us doing so.


We do not carry out automated decision making or profiling.


We also process your personal information in order to record, evaluate and improve the provision of our services and products, and to check that the products are working correctly.


We may monitor, record, store and use any telephone, email or other communication with you in order to check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service.


We have set out below some legal reasons why we may process your personal information (these depend on what category of personal information we are processing).


By law, we must have a lawful reason for processing your personal information.


In the event that we use your personal information for other purposes, not specified above, we will inform you about the specific purposes for processing your personal information and, when required, our basis for doing so at the time we collect the personal information from you to the extent required by law.

 

6. What legal basis do we have for using personal information about you


Data protection law requires that we set out the legal basis for holding and using information about you. We have set out the various reasons we use information about you and alongside each, the legal basis for doing so. Given that some information we hold about you is particularly sensitive as it is special category information (as explained above), we need an additional legal basis which we have set out in the third column (entitled ‘Legal Basis for Special Category Information’) explaining our reason for this.

Reason

Legal Basis

Legal Basis for Special Category Information

Providing your healthcare provider and you with our products

Providing you with healthcare and/or treatment

We have a legitimate interest in fulfilling our contract with the healthcare provider for the provision of our products and services to you

The use is necessary for the provision of healthcare and treatment

Liaising with healthcare professionals about the products and services we are providing

We have a legitimate interest in ensuring that healthcare professionals who are involved in your care have full details of the products and services we are providing to you

The use is necessary for the provision of healthcare and treatment


The use is necessary for ensuring high standards of quality and safety of healthcare and of medical devices


The use is necessary in order for us to establish, exercise or defend our legal rights

Ensuring our products perform correctly

The use is necessary in order for us to comply with our legal obligations

The use is necessary for ensuring high standards of quality and safety of healthcare and of medical devices

Providing improved quality, training and security and conducting service and product surveys, research and planning activities

We have an appropriate business need to use your information which does not overly prejudice you

We need to use the information in order to manage the services we deliver including carrying out surveys (which are not a form of marketing), research and planning activities in order to identify and carry out any necessary product and service improvements

Participation in audit and research programmes or the passing of information to research and planning organisations to carry out research and planning on our products and services

Contacting you and resolving queries

(Some audit and research registries/organisations have statutory approvals or the information collected does not identify you as an individual. If that is not the case, then consent will be required and this is usually obtained directly by the relevant organisation or by us on their behalf)

Where consent is not required:

We have a legitimate interest in helping with medical research and have put appropriate safeguards in place to protect your privacy

Providing you with healthcare and/or treatments

We have an appropriate business need to use your information which does not overly prejudice you

(Some audit and research registries/organisations have statutory approvals or the information collected does not identify you as an individual. If that is not the case, then consent will be required and this is usually obtained directly by the relevant organisation or by us on their behalf)

Where consent is not required:

The use is necessary in the public interest for statistical and scientific

The use is necessary for the provision of healthcare or treatment

The use is necessary for ensuring high standards of quality and safety of healthcare and of medical devices

The use is necessary for establishing, exercising or defending legal claims

Investigating and responding to complaints or claims, complying with our legal or regulatory obligations and defending or exercising our legal rights

The use is necessary in order for us to comply with our legal obligations

The use is necessary for the reasons of the provision of healthcare or treatment

The use is necessary for ensuring high standards of quality and safety of healthcare and of medical devices

The use is necessary for establishing, exercising or defending legal claims

Managing our business: retaining patient records, maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (such as tax, financial, legal or public relations advice)

Our having an appropriate business need to use your information which does not overly prejudice you

The use is necessary in order for us to comply with our legal obligations

More sensitive information about you would not be used in all these circumstances, but where it is, the basis on which we would be doing so would be:

The use is necessary for reasons of the provision of healthcare or treatment or the management of healthcare systems

Passing your information to a third party whom we use in the provision of our products to you and your healthcare provider

Providing you with health services, care and/or treatment

We have a legitimate interest in fulfilling our contract with the healthcare provider for the provision of our products and services to you

We need to supply the information in order for healthcare or treatment to be provided to you

Using your personal information for marketing purposes

You have provided your consent

You have provided your consent



We can also process Special Category Information if we have your permission. As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask you for your permission, we will make it clear that this is what we are asking for and ask you to confirm your choice to give us that permission. If we cannot provide our products or a service without your permission, we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you or your healthcare provider with the products and services that rely on having your permission.



7. Security

We have put in place appropriate security measures to hold information securely in electronic or physical format and to prevent unauthorised access, modification or disclosure. Our information security policies are supported by a number of security standards, processes and procedures and we store information in access controlled premises or in electronic databases requiring logins and passwords.


In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. We require our third party data aggregators and storage providers to comply with appropriate information security industry standards. All employees and third party providers with access to confidential information are subject to confidentiality obligations.



8. Where and for how long do we store your personal information


The information about you that we hold and use is held securely in the UK and stored on our secure servers.


The information that we collect from you will not be transferred to, processed and stored outside the European Economic Area.


We retain your information for certain periods (depending on the particular type of information) under our retention policy. This is to ensure that information is properly managed and is available whenever or wherever there is a justified need for that information, including to support our legitimate interests and to meet legal requirements.


If you would like more detailed information on this, please contact our Data Protection Officer (contact details below).



9. With whom do we share your personal information?


We share your personal information internally strictly on a need to know basis and share the minimum required for the purpose.


We will also share your personal information with those involved at your healthcare provider in your care and treatment.


We will also share your personal information with third party suppliers, such as home installers, medical products suppliers and logistics suppliers, who will be dispensing and/or supplying to you on our behalf the products you need to use our haemodialysis equipment in your home. We may also share information about you with those providing us with information technology systems, including an incident management and recording system. In each case, we would share only such information as was relevant.


We may also share your personal information with a third party aggregator for the provision of Portal and Device compatibility should you so consent to connect your Device to the Portal.


We may share information about you with our regulators, including the Medicines and Healthcare products Regulatory Agency (which ensures medicines and medical devices used in the UK work and are acceptably safe).


We also look at the quality of treatment we provide to patients and participate in audit and research initiatives to ensure that patients are getting the best possible outcomes from the products and services we provide. We can assure you that your personal information remains under our control at all times and we ensure any information we provide for audits and research initiatives outside of QUANTA will not contain any information in which any patient can be identified, unless required by law. Any publishing of this data will be in anonymised statistical form.


Sometimes, we are required to disclose information about you because we are legally required to do so. This may be because of a court order or because a regulatory body has statutory powers to access patients’ health records as part of their duties to investigate complaints or accidents. Before any disclosure will be made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest.


Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.



10. Your rights


The law provides you with certain rights in relation to the information about you that we hold. You may exercise these at any time by contacting our Data Protection Officer (contact details below).


There will not usually be a charge for handling a request to exercise your rights and if we cannot comply with your request, we will usually tell you why. If you make a large number of requests or it is clear it is not reasonable for us to comply with a request, then we do not need to respond or we can charge for doing so.


You have the following rights:

• Right of access
You have the right to access information held about you. This includes details of what information we hold about you and a copy of that information. The information will be provided free of charge and, unless there are grounds for extending the statutory deadline, the information will be provided to you within one month of receipt of your request. Please note we will generally also ask for confirmation of your identity and may need further information from you in order to locate the information, in which case the time period starts from the date we have that detail. Please note that in some cases we may not be able to comply fully with your request, such as where your request also involves information about someone else and it would not be fair to that other person to provide the information to you.

• Right to rectification
We take reasonable steps to ensure the information we hold about you is accurate and complete. However, you are entitled to have the information rectified if that is not the case. Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a rectification request.

• Right to erasure (right to be ‘forgotten’)
In some circumstances, you have the right to have information about you ‘erased’ and to prevent us using or holding information about you. Please note that we do not have to comply with such a request where it is necessary to keep your information in order for us to perform tasks which are in the public interest (including public health) or for the purposes of establishing, making or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.

• Right to restrict processing
In some situations, you have the right to ‘block’ or suppress our holding or using information about you. As with the right to erasure, please note that we do not have to comply with such a request where it is necessary to keep your information in order for us to perform tasks which are in the public interest (including public health) or for the purposes of establishing, making or defending legal claims.

• Right to data portability
You have the right to obtain and re-use your personal information for your own purposes across different services, allowing you to move, copy or transfer personal data from one IT environment to another. This right, however, only applies to personal data you have provided to us, where the processing is based on your consent or for the performance of a contract; and when the processing is carried out by automated means.

• Right in relation to automated decision making
You have the right not to be subject to a decision when it is based on automated processing (i.e. by a computer alone); and it produces a legal effect or a similarly significant effect on you. We do not carry out automated decision making.

• Right to withdraw consent
You have the right to withdraw consent to us holding or using information about you, but only if the consent is the basis for us holding or using your information.

• Right to object
You have the right to object to us holding or using information about you in certain situations, where this is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.

Right to complain to the Information Commissioner’s Office
You can complain to the Information Commissioner’s Office (ICO) if you are unhappy with the way we have dealt with a request from you to exercise any of your rights or if you think we have not complied with our legal obligations. Whilst you do not have to do so, we would appreciate you making our Data Protection Officer aware of the issue and giving us an opportunity to respond and to address it before contacting the ICO.

Making a complaint will not affect any other legal right or remedies that you have. More information can be found on the ICO website: https://ico.org.uk/ and the ICO can be contacted by post, phone or email as follows:


Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF


Tel: 0303 123 1113 (local rate) or 01625 545 7459 (if you prefer to use a national rate number)


Email: casework@ico.org.uk



11. How to contact us


For further questions or to exercise any rights set out in this Privacy Notice, please contact Quanta’s Data Protection Office:


Data Protection Officer
Quanta Dialysis Technologies Limited
Tything Road
Alcester
Warwickshire
B49 6EU


Email: privacy@quantadt.com



12. National Data Opt-out



When you use our products and services we will ask you to provide us with important information about the treatments you have received. Collecting this information helps to ensure you get the best possible care and treatment.


The information collected about you when you use our products and services can also be used by us and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments, products and services
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.


Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.


You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything; though for clarity we will ask you for your consent to use it for research and planning purposes. If you do choose to opt out, your confidential patient information will still be used to support your individual care.


To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply


You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).


You can change your mind about your choice at any time.


Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


Our organisation is compliant with the national data opt-out policy.
