Self-Assessment Service Privacy Policy

At C the Signs (C the Signs Limited, company number 10683539 and registered office is at Gridiron Building, 1 Pancras Square, London N1C 4AG) ("We", "Us" and "Our)), We are committed to protecting and respecting your privacy, and the personal data that We hold and process about you. This privacy policy explains what data We collect, how We use it and your rights to ensure that data is managed appropriately.

The data protection laws require controllers to be open and transparent about data use. We are the controller of your personal data used for the purposes set out in this privacy policy.

Your privacy is important tous, so if there is anything in our privacy policy that is unclear or you do notunderstand, please contact us at support@cthesigns.co.uk.

1.      How we use your personal data

2.     Where C the Signs acts as a processor

3.     How long we keep your personal data

4.    Privacy guidance about using the C the Signs Self-Assessment Service

5.     User research and giving feedback

6.     Where We store your personal data

7.     Automated decision making

8.     Sharing your personal data with third parties

9.     How We protect your personal data

10.   Your rights

11.    Updating your information

12.   Changes to this policy

About this privacy policy

This privacy policy explains how C the Signs and other organisations may use your data when you use the C the Signs Self-Assessment Service (also known as "C my Signs" and also referred to in this privacy policy asour "Services").

You can access the C theSigns Self-Assessment Service via our website or mobile device. This policy applies to using either of those channels.

As well as this policy, youshould also read the NHS App terms of use and cookies policy.

Terms we use in this policy

You may find it helps to understand these terms when reading this policy.

  • Data is “processed” when any action is taken with it. For example, when it is collected, reviewed, or transferred.
  • A “controller” is an organisation or person that decides what data is processed. They also decide how and why this needs to be done. They are legally responsible for that data.
  • A controller may appoint a “processor”. This is another organisation or person that processes data under the instruction of the controller.
  • “Special category data” is personal data that has more legal protection, including data about your health.

You can find out more about these terms on the InformationCommissioner’s Office website.

How we use your personal data

We use your data to provide the C the Signs Self-Assessment Services. It means we can give you access to specific cancer pathways commissioned within the NHS in your area.

We may also use your personal data to:

  • Improve the C the Signs Self-Assessment Service;
  • Resolve technical faults;
  • Maintain and improve security;
  • Comply with the law;
  • Protect users against potential fraud
  • Act if you provide information suggesting you or others may be at risk of harm.

The points above are a shortsummary of our reasons for capturing and using personal data. You can find moredetails in the sections below.

What data do we use about you?

In the tables below, you can find out more about data we may collect about you when you use the C theSigns Self-Assessment Service.

We obtain your personal data from you directly when you use the C the Signs Self-Assessment Service.

Data Category

This is part of your contact information and part of your identity for your health record. It is used to:

  • Provide contact information on your self-assessment referral
  • Provide identification within the receiving NHS Organisation’s dashboard or tracking system
  • Help our service desk resolve any user issues
  • Identify your primary care (GP) record
  • Inclusion within our email list for future notifications

Why do we need it?

Email Address

Name

This is part of your contact information. It is used to:

  • Provide contact information on your self-assessment referral
  • Provide contact details within the receiving NHS Organisation’s dashboard or tracking system
  • Help the service desk resolve any user issues
  • Enable our Messaging Service
  • Being part of our email list for notifications of our service

Personal Data We Collect About You

Registered GP Organisation Data Service (ODS) code

ODS codes are unique identifiers used by the NHS to assign to all parts of its organisation. This is used:

  • To validate your GP practice is within the commissioned area for the pathways
  • To retrieve your GP practice electronic healthcare record for utilisation within the referral form generated
  • To report on anonymised data arising from the GP practice (e.g. how many patients are completing self-assessments from your GP practice)

Organisation Data Service (ODS) codes of receiving NHS organisations

The ODS code of the NHS organisation receiving the self-assessment referral generated at the end of the self-assessment pathway is used for:

  • Tracking the referral to the correct organisation
  • Facilitating the dashboard or email receipt of each patient’s referral into the receiving organisation
  • Reporting on aggregated anonymous metrics to report on the service level usage (e.g. the number of patients undergoing self-assessment to the organisation receiving the referrals).

Date of birth

This is a part of your demographic information that forms part of your health record. It enables us to:

  • Provide identification information on your self-assessment referral
  • Provide identification within the receiving NHS Organisation’s dashboard or tracking system
  • Identify your primary care (GP) record

Age

This is calculated from your date of birth. It is used to:

  • Determine your eligibility for certain self-assessment pathways
  • Provide identification within the receiving NHS Organisation’s dashboard or tracking system
  • Report on anonymous demographic information of patients utilising the self-assessment service (e.g. 25% of users of the service are between X and Y age).

Sex

This is part of your demographic information that part of your health record. It is used for:

  • Provide identification information on your self-assessment referral
  • Provide identification within the receiving NHS Organisation’s dashboard or tracking system
  • Identify your primary care (GP) record

Gender

This is part of your demographic information that part of your health record. It is used for:

  • Provide identification information on your self-assessment referral
  • Provide identification within the receiving NHS Organisation’s dashboard or tracking system
  • Identify your primary care (GP) record
  • To correctly address you in communications (e.g. via the Messaging Service or help desk)

NHS Number

Your NHS number is unique identification number for you and your health record. It is used for:

  • Provide identification information on your self-assessment referral
  • Provide identification within the receiving NHS Organisation’s dashboard or tracking system
  • Identify your primary care (GP) record

CTS Number

Your CTS number is a unique identity number assigned by C the Signs to you. It is used:

  • to maintain encryption and protection of your data stored within C the Signs (including of your NHS number)
  • to facilitate audit and log tracing of your actions through the Self-Assessment Service to assist with help-desk queries and resolve user issues.

Contact telephone number (home, work and/or mobile phone numbers)

This is part of your contact. It is used to:

  • Provide contact information on your self-assessment referral
  • Provide contact details within the receiving NHS Organisation’s dashboard or tracking system
  • Help the service desk resolve any user issues
  • Enable our Messaging Service

Online identifier (for example your IP address, event logs)

This is used to log events, trace faults and provide security protective monitoring log data.

Website cookies

This is used for session and performance management.

Special Category Data We Collect About You

Medical Record Information

Online identifier (for example your IP address, event logs)

Facilitating the Self-Assessment Service

The C the Signs Self-Assessment Service requires you to insert your medical information in order to determine your eligibility for the referral pathway. If you are eligible this data is then transferred into a referral form (or letter) and sent to the receiving NHS Organisation (either via secure NHSmail or via a secure C the Signs dashboard). This includes any additional information uploaded by you in the process of completing your self-assessment (e.g. photos).

Enhancing the quality of the referral

In addition, where commissioned and with the consent of your GP practice, C the Signs is able to process your GP practice electronic healthcare record to attach critical information relating to your health into the referral form before transmission to the NHS Organisation receiving the referral. This includes but is not limited to: any active medical conditions you are currently being treated for, serious medical events in the past, medications and allergies. Please also note that this may include information related to race/ethnicity, HIV status, sexual orientation, safeguarding issues, genetic information, and/or test results (e.g. blood tests, urine analysis, stool tests, scans etc). 

C the Signs acts as a Data Processor for this information and is unable to show you the contents of this information prior to the referral being sent. This information is transferred onto the referral form automatically without any individual from C the Signs seeing or accessing the data. The receiving NHS Organisation will receive this information (as they would routinely with other referrals sent by your GP).

The provision of this data within the referral increases the quality of the referral and helps the receiving NHS Organisation to be able to triage you to the most appropriate next step, speeding up the diagnostic process and reducing waste (e.g. where a test may be inappropriate).

Messages from health care providers

Messages processed as part of Messaging Service will be stored within your record for the duration of your account (and any additional time required by law or NHS data requirements).

How C the Signs may process the data above for analysis

C the Signs will process identifiable data from Self-Assessment Service:

  • to ensure the Self-Assessment Service works correctly;
  • to resolve technical faults;
  • so that the service can be improved;
  • for user research where you have agreed to;
  • to maintain and improve security;
  • processing data for the purpose of linkage and dissemination to produce anonymised data.

C the Signs will also process anonymised data from the Self-Assessment Service:

  • to provide high level statistical information;
  • to assess service usage and equality impact.

Privacy guidance about using the C the Signs Self-Assessment Service

Logging in

You gain access to the C the Signs Self-Assessment Service using the personal login you generate through the service or by using Your NHS App login (where available). 

Camera and location information

The Self-Assessment Service may ask for access to the camera on your device for specific pathways available in your area (e.g. to photograph skin lesions). 

Where available and necessary, the C the Signs Self-Assessment Service may also ask for access to your device location. If you allow access to your device’s location, then location data may be used to help you find services in your area.

Accessing services for someone else

This service is intended to be used by yourself, and not on behalf of anyone else. If you are completing this risk assessment on behalf of someone else you must keep this data safe and secure. To the extent possible bearing in mind their age, condition and capacity, you must:

  • make the person aware of your access and any steps you take on their behalf;
  • seek their consent;
  • make the person aware of this privacy policy and other applicable terms and conditions.

User research and giving feedback

When you register to use the C the Signs Self-Assessment Service, we may ask if you would like to join our user research community. User research helps us to make sure that the C the Signs Self-Assessment Service are meeting people’s needs.

If you choose to take part, we will email you a short survey to fill in about yourself. Your answers will help make sure we invite you to user research that is relevant to you. 

When you have signed up, we may ask you to:

  • try new features
  • answer more questions by email
  • talk to our researchers about your experience of using the C the Signs Self-Assessment Service

You can always say no to an invite, and you can leave the user research panel at any time.

User research panel activities

Your personal data will only be captured if you choose to provide it as part of participating in user research relating to the C the Signs Self-Assessment Service. C the Signs is the controller for this data. This may be shared with third parties (e.g. commissioners of the service in the NHS or researchers).

We’ll collect your name and email address to maintain a mailing list for the user research, where you have consented to receive it. We will ask general questions about your health and background to ensure we are inclusive in our research, which counts as special category data. The amount of time we keep this data varies depending on the research you are taking part in. We will tell you before asking your consent.a

Your rights

You have a right to:

  • know how and why your data will be collected, processed and stored
  • request a copy of your personal data
  • correct errors or omissions in your personal data
  • to ask us to restrict our use of your personal data (for example, if you think it's inaccurate and needs to be corrected)

Please note, that for data we add to your self-assessment referral from your GP electronic healthcare record, C the Signs is the Data Processor and therefore does not have the permission or ability to share this with you directly. This must be requested through your GP practice. C the Signs can assist you with this.

For user research activities and your membership of voluntary mailing lists, you also have the right to:

  • withdraw your consent;
  • ask us to delete your personal data;
  • get a copy of your data in a structured, commonly used and machine-readable format.

You can exercise your rights by contacting the relevant controller. For contact details, see the next section of this policy below.

Asking a question or finding out more

If you have a general question about using the C the Signs Self-Assessment Service, please contact support@cthesigns.co.uk.

Making a complaint

If you have any objections or complaints relating to your data, we will investigate and attempt to resolve them. We will make every reasonable effort to allow you to exercise your rights as quickly as possible and within the timescales set out in data protection laws.

You can contact our Data Protection Officer at C the Signs to make a complaint. You can do this by emailing support@cthesigns.co.uk or by sending a letter to:

Gridiron Building

1 Pancras Square

Kings Cross

London

N1C 4AG 

We ask that you try to resolve any issues with us first. However, you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information. The ICO is the UK regulator for data protection and upholds information rights.

Our legal basis

Your health data has extra legal protection and C the Signs must also comply with UK GDPR Article 6 and 9. To process your health data, we rely on:

  • 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • 9(2)(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  • 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • 9(2)(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  • 9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • 9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Changes to this policy

The terms of our privacy policy may change from time to time. We will inform you via email or via the C the Signs Self-Assessment Service if we make any significant changes to our Privacy Policy, Cookies Policy or Terms of Use.