Privacy Policy

Terminology

  • “You” means the user and the person giving their consent to share their healthcare information.

  • “We” refers to Ultramed Ltd

  • “Questionnaire” is the set of questions you have been asked to answer requested by your healthcare organisation.

  • “Service” is the digital platform allowing patients to communicate with their healthcare organisation.

  • “Professionals” are employees of organisations using Ultramed whose identity and qualifications have been legally verified, for example, doctors and nurses.

  • “Healthcare organisations” are customers of Ultramed and are organisations that are involved in your care, for example hospitals.

Purpose of Ultramed

Ultramed provides an online platform allowing your healthcare organisation to perform their pre-procedures digitally from anywhere with internet access. We provide our service to you on behalf of your healthcare organisation. The healthcare organisation uses our service to send you a questionnaire for you to complete to help get you ready for a procedure or operation. Once your questionnaire has been sent to your healthcare organisation, healthcare professionals can view your record to help make decisions about your care.

The type of personal information we collect

We currently collect and process the following information: 

  • Personal identifiers, contacts, and characteristics (for example, name, date of birth, email address, telephone numbers, postal address, and postal code, NHS, CHI, or hospital number) provided by your healthcare organisation.

  • Healthcare information (related to your health and medical history) inputted by you, someone you trust or a healthcare professional into the questionnaire.

How we get the personal information and why we have it

Personal information shared with Ultramed by your healthcare organisation is your name, date of birth, email address, telephone numbers, postal address, and postal code, NHS, CHI, or hospital number. This personal information is shared when your healthcare organisation asks Ultramed to send you a health care questionnaire to assist your preparation for a procedure.

Your healthcare information is then provided by yourself, entered into the questionnaire. By starting the questionnaire, you give consent for your healthcare information to be shared with the relevant healthcare organisation.

We use the information you provide to us to deliver our service and facilitate information sharing between you and your healthcare organisation. We may also use your information to send you reminders to complete the health questionnaire or to verify your identity when contacting our support team. With your explicit consent, we may use your information anonymously for research purposes.

To improve our service, we collect anonymous information about the usage patterns, such as the number of patients who started or completed a questionnaire and how users interact with our platform.

We are committed to maintaining your privacy and will not use your information for any purpose other than described in this Privacy Policy. We do not sell your information or use it for marketing purposes.

How we store your personal information

We take the security of your information seriously. Your personal information is encrypted during transmission and storage. We store your information on secure servers located in the United Kingdom and the European Union. Access to your healthcare information is limited to healthcare professionals within the relevant healthcare organisation or individuals with a lawful basis for access.

We follow the NHS England, Record Management Code of Practice updated 7.8.2023 https://transform.england.nhs.uk/information-governance/guidance/records-management-code/ We retain your healthcare information for a minimum of 8 years (or longer as required by legal obligations) after the last usage or data addition to provide a medico-legal audit trail.  Backup copies may retain deleted data for up to 60 days.

Lawful bases for processing personal information

Under the Data Protection Act 2018 (the UK’s implementation of the General Data Protection Regulation, or GDPR), organisations can only process personal data if there is a lawful basis for doing so. Whether there is a legal basis for processing personal data is determined by the data controller, and a data processor may act on behalf of the data controller with regard to that data processing. Where data processing involves health data, the completion of a DPIA (Data Protection Impact Assessment) should be considered by the data controller prior to clinical use, assessing and either approving or blocking the proposed data processing.

For all healthcare organisations, we have a Data Processing Contract (DPC) that sets out the responsibilities for each party. We are a Processor for all data that forms your pre-procedure record. 

Our responsibilities in the DPC as a Processor are: 

  • Providing the Service

  • Providing the security of the Service

  • Processing on the written instruction of the Controller

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing your personal information are: 

Public sector healthcare organisations:

  • Art.6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

  • Art.9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

 Private sector healthcare organisations:

  • Art.6(1)(b) – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

  • Art.9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Sharing of personal information

As the Data Processor, we will share your personal information with your healthcare organisation and healthcare professionals involved in your care. This enables them to make informed decisions about your treatment and ensure the continuity of your healthcare.

Tracking, Cookies and Analytics

We use privacy-friendly analytics that do not use cookies and we have no way of identifying you through analytics. We use essential cookies for the functioning of our service, including allowing you to login and start a questionnaire.

Your rights

Under the Data Protection Act 2018, individuals have data subject rights, which are met as follows:

Right to be informed: This privacy notice states what data is collected, how it is used, whether it is shared, and how long it is kept.

Right of access: To access all the information that Ultramed Limited has which relates to you, a request should be made to your healthcare organisation as the data controller.

Right to rectification: If you note any information that is inaccurate or incomplete you can make a request to your healthcare organisation that this is changed.

Right to erasure: This does not apply as data is for the provision of healthcare.

Right to restrict processing: If you wish to make a request to restrict the processing of your data, you can make a request to your healthcare organisation that this is actioned.

Right to data portability: If you wish your personal data to be transmitted, you can make a request to your healthcare organisation that this is actioned.

Automated decision making and profiling: No automated decision making or profiling is done based on your data.

This Privacy Notice

This privacy policy applies to the Ultramed Service (referred to in this privacy policy as the “Service”). The privacy policy is written generally as if you are the patient.

Agreement and Further Information

By continuing to use our service, you agree to the terms of this Privacy Policy.

We may update this Privacy Policy from time to time. The “last updated” date will indicate the most recent changes. If there are significant changes that affect your rights or the way we process your personal information, we will notify you.

Ultramed’s Data Protection Officer (DPO)

Ultramed’s Data Protection Officer is Dr Paul Upton

ICO Registration and Complaints

Ultramed is registered with the Information Commissioner’s Office (ICO), which regulates data protection in the UK, and our registration number is ZA092775.

You can raise a complaint with the Regulator here: https://ico.org.uk/make-a-complaint/

Last updated: 16/08/2023