Privacy Notice -- Five Areas & Greater Manchester Integrated Care

Introduction

This privacy notice is for people who use the Five Areas/Living Life to the Full platform and associated content through a healthcare provider or other organisation ("Service Provider"). The Service Provider is responsible for giving you access to the Site (the "Service"). This privacy notice lets you know how Five Areas processes your personal data as part of that Service. 

In most circumstances, the Service Provider is the data controller, which means they decide how and why your data is processed, and Five Areas is the data processor, which means we follow the instructions of the Service Provider. The Service Provider will also have a privacy notice that is relevant to their collection and use of your personal data.  

In some circumstances, we will also be a data controller, and we have listed this separately below. Where we are data controller, our own privacy policy will also apply to how we use and process your data. A copy of our own policy can be downloaded here: www.llttf.com/privacy.

There are seven key principles that underpin data protection legislation and are central to how we store, manage and process data:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

We do what we can to ensure that all personal data we get is treated appropriately, in line with the above principles and protected in line with all our legal responsibilities.

1. Important information and who we are.

Purpose of this privacy notice.

This privacy notice aims to give you information on how your personal data might be collected through your use of a "Living Life to the Full" internet-based system provided by us on behalf of the relevant Service Provider (the "Site"). We have provided this privacy notice to demonstrate our compliance with relevant data protection rules and help to show clearly how we use your personal data.

We have a separate privacy notice for our own collection of personal data and use of our websites: www.llttf.com/privacy.

We do not knowingly collect data relating to children under the age of 12. Where there is a young person between the ages of 12 and 16, we will always engage through an appropriate parent or guardian or other professional organisation with authority to deliver services to young people.

Contact Information

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights set out below, you can contact the data privacy manager by using the contact details set out below.

Contact details

Our full details are:

Five Areas Limited (Registered in England, with Company Number: 06420019)

Name or title of data privacy manager: C Williams

Email addresses: gdpr@llttf.com

Postal address: Five Areas Ltd, Titan Enterprise Business Centre, 1 Aurora Avenue, Clydebank, West Dunbartonshire, G81 1BF.

2. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Contact Data is the information provided about you, including information provided to create an account and log-in details for the Services or which the Service Provider may provide to us through the home page on the Site (as mentioned below in section 3). These usually only consist of the email address.

  • Disclosed Data is the information about yourself, including information about your health, physical and mental well-being or interests, which if you are an individual using the Services you may disclose and which is retained securely on the Site in relation to your use of such Services.

  • Technical Data includes your login data, and your declared time zone setting. We record session cookies but do not use persistent cookies.

  • Usage Data includes information about how you use the Site and Services, for example what online modules or worksheets have been started or completed and when, date and time logged in.

  • Profile Data includes your username, registered email and password, your mobile number if you register for SMS reminders to use the site, your course selection choices, and any feedback or survey responses you provide.

  • Additional Site Access Data: The Service Provider has requested we record additional analytic reporting of how you access the Site using Google Analytics. This includes your browser type and version, operating system and platform, approximate location, and behaviour in accessing the Service.

  • Data reports: We may collate data reports through the Site but this will only involve non-identifiable data.

Special Categories of Personal Data

Data Protection legislation imposes additional obligations in relation to "Special Categories" of personal data. This is data regarding a person's race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health and genetic and biometric data.

The only Special Category of personal data we obtain is the data regarding your health and wellbeing which is part of your Disclosed Data.  Prior to processing any special category data, we will obtain your express consent to the use of such data.

Information we do not routinely collect

We do not normally collect your name, address/postcode information, NHS number, or financial/tax information. This is because this information is more than we need to help provide the Services. If you are asked for this information, please do not provide it and let us know so we can investigate.

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

  • Direct interactions. This is personal data you give to us directly by using the Services or the Site or when you ask us a question or give us some feedback.

  • As you interact with our home page on our Site, we will collect limited Technical Data, including how you reached our Site. Once you have logged into your account on our Site, we will not collect data about your equipment, browsing actions and patterns. Where we collect Additional Site Access Data, this will be collected once you have logged into your account on our Site.  

  • Third parties. We will not receive personal data about you from a third party providing the Services. Additionally, where we collect Additional Site Access Data, this will be provided by analytics providers and search information providers (like Google, based outside of the UK).

4. How we use your personal data

We will only use your personal data for specific purposes and when the law allows us to. The main purpose we process your personal data for is under a contract with the Service Provider in order to provide you with secure access to the Site and associated programmes. 

We will also process your personal data where we need to comply with a legal or regulatory obligation.

Technical Support

We also use your personal data to provide technical support and to understand usage and improve our systems and services. This is mainly done for our legitimate interests in providing technical support but only where your interests and fundamental rights do not override those interests. By providing you with the technical support, it enables you to continue to use the Site and receive the Services. 

We also analyse aggregated data to understand usage and to help us improve the Site and our business. This is done for our legitimate interest to understand the effectiveness of our systems and services, and to identify opportunities to improve elements in future. We always anonymise the data so individuals are not identifiable.

Where we are processing for technical support or to understand usage, we will also be a controller of your personal data and our own privacy policy will apply in addition to this policy. 

National Data Opt-Out

We are aware of the National Data Opt-out Policy relating to use of patient information in England and Wales for improving health, care and services including:

  • Planning to improve health and care services; and

  • Research to find a cure for serious illnesses.

We do not undertake these activities as a Controller. In the event we are asked to undertake these activities as a Processor we comply with the National Data Opt-out. If you are a patient of the health care system in England or Wales and want to stop your confidential patient information being used for research and planning you can find more information and opt-out here: www.nhs.uk/your-nhs-data-matters.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We do not send you marketing messages from us unless you have elsewhere consented to receiving such information for example by separately signing up to our Newsletter or buying something in our Shop. You have the right to withdraw any such consent, which you can do by getting in touch with us using the contact details below. 

We never share your details with any third party for marketing purposes.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, the Site will not function properly. For more information about the cookies we use, please see our policy here: www.llttf.com/cookies.

5. Disclosures of your personal data

We may have to share your personal data with the parties set out below for the purposes set out in paragraph 4 above.

  • Service providers who provide IT and system administration services.

  • Professional advisers including lawyers, auditors and insurers based within the EU who provide consultancy, legal, insurance and accounting services.

  • HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances, especially in the prevention of money laundering and fraud.

  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We will also share Disclosed Data with the relevant Service Provider to provide the Services to you.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

We shall ensure that we host any personal data provided to us within the relevant home jurisdiction, usually within the UK and Europe.

Where we collect Additional Site Access Data, we will share your personal data with the third parties identified above in locations outside of the UK.  Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it. For further details please contact us.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We use an approach called security by design. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

How long will you use my personal data for?

We will only retain your personal data for as long as your account is open on the Site and for a period after. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements. If your account is deleted, all personal information will be removed from our systems except for any Transaction Data where it exists, and records required to comply with our legal obligations, resolve disputes and enforce our agreements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

The current retention period for registered users' personal data and response data is 18 months from last use.

Your data may be retained by the Service Provider for a different period, based on their own retention policy.

9. Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

  • Access to information: You have the right to request a copy of the information we hold about you (sometimes referred to as a subject access request) and to check that we are lawfully processing it.

  • Ensuring accuracy of information: We want to make sure that your personal information is accurate and up-to-date. You may ask us to correct or complete information that is inaccurate or incomplete (but we may need to verify the accuracy of any new data provided). 

  • Right to erasure: You may have a right to erasure, which is more commonly known as the 'right to be forgotten'. This means that in certain circumstances you can require us to delete personal information held about you. However, we may not always be able to comply with your request for specific legal reasons which we will notify you of at the time of your request.

  • Right to object to processing: You may object to our use of your information in certain circumstances. This may apply where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.

  • Ability to restrict processing: You may also have the right to require us to restrict our use of your personal information in certain circumstances. This may apply, for example, where you want to establish the accuracy of data or where you have objected to our use of your data but we need to assess whether we have an overriding legitimate ground to continue to use the data.

  • Review by an independent authority: You will always have the right to lodge a complaint with a supervisory body. The Information Commissioner's Office (ICO) is the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. Our ICO registration number is: Z3345595.

  • Withdraw consent: You have the right at any time to withdraw your consent to our use of your personal data where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide Products or Services to you going forward. We will advise you if this is the case at the time you withdraw your consent.

If you would like further information on how you can exercise these rights, please email us at gdpr@llttf.com.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests as quickly as possible and within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

How we protect personal data

We implement different measures to ensure that any personal data provided to us is kept secure, accurate and up to date, in line with the data protection principles. These measures include:

  • regularly reviewing our processes and procedures to ensure these properly reflect the services we provide;

  • updates to our privacy policy from time to time to ensure data subjects are aware of what data we collect and why, and how we manage that data once we have it;

  • limiting the amount and types of data we collect so we only hold what is required to provide the Services; and

  • only keeping personally identifiable data for as long as it is needed and only for the purposes for which we initially identified we required the data for.

Any personal data that we hold is stored securely in a protected data storage facility and is only accessible to staff who need to access such personal data. Data in transit between the Site and the data storage facility is fully encrypted to minimise the risk of interception.