Introduction
We, Everyone Health Ltd, are a company incorporated in England and Wales. Our company number is 4215584 and our registered address is 2 Watling Drive, Sketchley Meadows Industrial Estate, Hinckley, Leicestershire, LE10 3EY. Under Data Protection legislation we have a legal duty to protect any information that we use or collect from you. We take measures to safeguard your data and apply security standards and controls to prevent any unauthorised access to it. We are committed to ensuring that your privacy is protected. Here, at Everyone Health Ltd, we will act as ‘controllers’ of the information we collect about you (‘personal data’), unless we are contracted to act as data processors. Where we are data processors, it will be clearly communicated to you who the data controller is.
Our contact details are set out in section 15 of this policy.
As controllers of your personal data, we are responsible for how your data is processed. The word ‘process’ covers most things that can be done with personal data such as the collection, use, storage, sharing and erasure of that data. We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) in our handling of your personal data, unless and until the GDPR is no longer directly applicable in the UK, together with any national implementing laws, regulations and secondary legislation as amended or updated from time to time in the UK, and any successor legislation to the GDPR and Data Protection Act (DPA) 2018. This Privacy Policy informs our customers and users about why and how we process your personal data including how we look after it and with whom we may share it. It covers data we collect from or about you via our websites (see links below), our App, venues and through the various health services we offer.
The quick link above has been provided to navigate you to the main website and help you to find the section or area you wish to read.
You have certain rights in relation to your personal data including the right to object to the processing of your information in certain circumstances. Further information about your rights is included in section 13 of this policy.
Personal Data
‘Personal data’ is any information that relates to a living, identifiable person. This data can include your name, contact details, and other information we gather as part of our relationship with you.
It can also include ‘special categories’ of data, which has an equivalent meaning to ‘Sensitive Personal Data’ under the Data Protection Act 2018. Special categories of data include, but are not limited to, medical and health records, including information collected as a result of providing health care services, and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views. The collection and use of this type of data is subject to strict controls. Similarly, information about criminal convictions and offences is also limited in the way it can be processed.
We will collect your personal data mostly through our contact with you and the data is usually provided by you but in some instances, we may receive data about you from other people, health services or organisations. We will explain when this might happen in this policy.
What Information Do We Collect & Why?
We are committed to protecting your personal data and will only process the data if we need to for a specific purpose and providing we have a legal basis, as explained below.
There are various legal bases on which we may collect and process your data. We may have your consent; for example, you have informed us that you are happy for us to process your information for a specific purpose such as providing a service to you or receiving further information about what we do. Please note we may not be able to enter into a contract with you in the absence of data.
Sometimes there is a contractual reason, such as when we are commissioned to do the National Child Measurement Programme (NCMP). Here the data results are closely protected, with no information about individual children’s weights or heights disclosed to school staff or other pupils. Everyone Health store this data securely. Parents will be informed of their child’s results and aggregate data will be shared with the Department of Health. We recognise we are the processor of NCMP data and that the controller is NHS Digital.
The quick link above is to enable you to access the NHS Digital GDPR information link for your reference.
Hearing and Vision screening results will also be shared with Wirral Community NHS Foundation Trust so they can have access to the children’s results on their software (system one). They will obtain this information via password CSV file and this will be sent via nhs.net email. They can then upload this onto their system.
Also, Public Health England (PHE) is responsible for monitoring access to and the effectiveness of behavioural weight management services across England.
To support this, we share information about you and the weight management treatment you receive with PHE. To protect your confidentiality, the information we share is de-personalised only, which means it cannot be used by PHE to identify you.
You can find out more about Public Health England and how it is monitoring adult weight management services at: https://www.gov.uk/government/collections/weight-management-guidance-for-commissioners-and-providers#adult-weight-management.
There are legal reasons for sharing and processing data, which are covered by the GDPR. The most appropriate articles that Everyone Health Ltd uses are listed below:
- ARTICLE 6.1 (a) – Everyone Health will be seeking and recording informed consent to the processing of the data.
- ARTICLE 6.1 (b) – The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- ARTICLE 6.1 (c) – Everyone Health is under a legal obligation to carry out the processing.
- ARTICLE 6.1 (d) – The processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. protect life and/or safety).
- ARTICLE 6.1 (e) – The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Everyone Health.
- ARTICLE 9.2 (a) – The data subject(s) have given explicit consent to the processing.
- ARTICLE 9.2 (b) – The processing is necessary for the purposes of carrying out obligations in the field of employment, social security or social protection law.
- ARTICLE 9.2 (c) – The processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent.
- ARTICLE 9.2 (e) – The data subject(s) has deliberately put the data within the public domain.
- ARTICLE 9.2 (f) – The processing is necessary for the establishment, exercise or defence of legal claims.
- ARTICLE 9.2 (g) – The processing is necessary for reasons of substantial public interest.
There are other legal reasons for collecting or sharing data, such as for employees when we have to collect the information for the HMRC, or, should you have an accident, when we may need to provide details of this to the relevant health and safety authorities. We may also process your data based on legitimate interests, for example, in order to operate and improve our health services.
| Personal Data Description | Purpose(s) for Processing |
| --- | --- |
| Any personal details you give us or we obtain from third parties. Information you type into our websites or provide to one of our colleagues such as when you make a booking, sign up as a volunteer, visit any of our health services or when providing activity data from devices. This information may include your personal contact data and/or health related data. | We use this data to provide you with the services you request or have been referred by a health professional such as your GP. We tell you about services you are eligible for, to keep in contact with you, manage any follow up requirements and manage the services we provide. If you contact us by email, via the website, in person or by telephone we may keep a record of your contact information and enquiry and may subsequently use your contact details to respond to your enquiry. |
| Details of your transactions | We collect data for any transactions you carry out through our websites and services, so that we can administer the services you have with us. |
| Sensitive health data. We collect any personal health data you provide to us when registering and signing up for our health services. | We collect this information to ensure we are offering you the right services and so your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer our other services. |
| Pseudonymised data* | This contains information about individuals but with the identifiable details (e.g. NHS number) replaced with an alternative code or number. |
| Anonymised data* | This is information about individuals that has had identifying details removed. |
| Aggregated data* | This is data which has been grouped together so it is not at individual level but groups of people. |
| Customer feedback | We will record customer comments and surveys about how we are performing. |
| Other Sensitive data | We are sometimes required to collect information about your ethnicity and other sensitive data in order to provide aggregated reports to your local authority or commissioning group. This information is used only for statistical purposes and is always kept secure. If you prefer not to provide us with this data we will not hold this data. |
| Information about website visits including IP address | We use your IP address to capture information about website visits; so we can learn more about the use of the website, in order to find ways to improve the website and our services for your benefit. |
| Your communication preferences | We keep a record of any permissions and preferences you give us about what types of communication you are happy to receive from us. |

*Wherever possible we always look to use anonymised, pseudonymised or aggregated data rather than using identifiable personal data.
Specifically for some of our contracted services we are contracted to share specific information with the commissioners. The following contracts have the below variance:
Under our Staffordshire over 50’s contract, personal data will be shared with the Council, Midlands and Lancashire Commissioning Support Unit (MLCSU) and Centre for Health and Development (CHAD) for evaluation and longer term follow up purposes. Personal data will be in an electronic format and shared securely as and when required by the Council and upon Termination of this Agreement/Contract; data may also be shared with your NHS GP.
Cookies
When you visit one of our websites, we collect standard internet log information for statistical purposes.
- We use cookies to collect information in an anonymous way, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
- We do not make any attempt to identify visitors to our websites. We do not associate information gathered from our sites with personally identifying information from any source.
- When we collect personal information, for example via an online form, we will explain what we intend to do with it.
Using cookies helps us to improve our site and to deliver a better and more personalised service.
Our websites contain links to various third party websites. We are not responsible for the content or privacy practices of any external websites that are linked from our sites.
Data Relating To Children
Our services are used by people of all ages. Everyone Health may accept website registrations and collect personal information from individuals under the age of 16. If you are under 16 we do not allow you to post information about yourself in any Everyone Health forums or community areas. Everyone Health accepts no liability if this instruction is ignored.
Children under the age of 16 can consent to their own treatment if they’re believed to have enough intelligence, competence and understanding to fully appreciate what’s involved in their treatment. This is known as being Gillick competent.
Otherwise, someone with parental responsibility can consent for them.
This could be:
- the child’s mother or father
- the child’s legally appointed guardian
- a person with a residence order concerning the child
- a local authority designated to care for the child
- a local authority or person with an emergency protection order for the child
Proof of age may be required and retained for access to some of our health services.
How Do We Store And Protect Your Personal Information?
These are the basic guidelines we use to look after your personal data.
- We maintain secure systems to protect your personal information
- We respect your wishes about how we contact you, whether by post, telephone, email or text message
- We will update your information or preferences promptly when you ask us to
- We will respond fully to requests from you to see the information that we hold on you.
- We will not hold your personal information for longer than is necessary. The amount of time data is kept before being disposed of will vary depending on why it was collected, how it is used, and in line with any applicable UK laws. We follow strict procedures when storing or handling information that you have given us.
- All staff who are using information also undertake regular training to comply with policies and procedures around data protection, information security, confidentiality and the safe handling of information.
- We will never sell your personal information to a third party.
Retention Policy
The retention of information, for legal or statutory purposes, is in line with The Records Management Code of Practice for Health and Social Care 2016; namely, this is 8 years for adults and 25 to 26 years for maternity, midwifery and children services. However, in the event of any incident the retention period may be extended for legal purposes.
Services Provided By Contracted Third Parties
Everyone Health may share information with third party organisations that provide specific services on our behalf. These organisations act as a Data Processor under our instructions. They may process data securely outside of the EU. There is a data sharing agreement (DSA) contract in place with each third party which includes strict terms and conditions to protect your privacy.
Our current processing partners include Systm One, Bionicle, Gladstone, Refer-all, Oviva, Health Diagnostics and Everyone Active all of whom have their own privacy policy.
Health Partners
Everyone Health runs services on behalf of Local Authorities, NHS, Clinical Commissioning Groups and Trusts. These services are often run under a contract agreement. Data may be shared with these organisations at a summary level but not at a personally identifiable level unless we are not the Data Controller or we are commissioned otherwise. With some of our health and well being services, with your consent, we may share identifiable information with your GP, NHS services and Commissioners of the service.
At the end of the management contract, if the service is to be run by another provider, Everyone Health will forward on your details to the new provider so they can continue to provide the service to you without interruption. If you do not wish us to do this please send a request to Everyone Health Head Office. These organisations will be a Data Controller in their own right, and where they are processors of your data they will inform you directly or through their services such as a website about the data they hold and what processing they undertake.
Marketing
Everyone Health will never sell your personal information to any third party for marketing or other purposes.
In some cases, such as our Exercise and Referral service, Everyone Health works in partnership with other organisations, such as Everyone Active, to provide services to you. In these cases, the partner may contact you for legitimate purposes of providing health and well being services. These services will have their own privacy policy.
How Do We Use Your Information?
We use your information to help us provide and improve our services for you. We may use your information in the following ways.
- to provide you with any services that you have with us as part of your health or well being
- to report to our commissioners on how the services are performing – note: this will be using anonymised, pseudonymised or aggregated data, never using identifiable personal data unless we are contracted to do so, which will be made clear to you at the point of initial assessment.
- to check your identity
- to check your eligibility where appropriate
- to update our records with any new information you give us
- to notify you if we will be unable to provide a service you have booked before
- to provide marketing communications (if you have given us your permission)
- for research and analysis so we can develop and improve our services for your benefit
- to tailor our communications to you to ensure relevance (if you do not want us to do this please contact us using the details below)
- to comply with legal requirements
- to safeguard users of our services
Keeping You Updated
There are certain communications we need to send to you so we can provide our services. We call these service communications, and they include, for example, notices about your registration, confirmations, appointment reminders, motivation announcements and waiting list announcements.
We may from time to time contact you about our services or products we think you might find interesting by email, by post, telephone or SMS, but only if you have given us your permission to do so.
If you do not want us to contact you other than for service emails let us know when you next visit us or contact us using the details below. You may also opt-out of email or any other communications by contacting the support team at: [email protected] or [email protected], or by letting us know at one of our health service groups.
Your Rights To Manage Your Personal Data
Accuracy of data
We will always try to ensure the data we hold about you is accurate and relevant. If you believe the information we hold about you is out of date or incorrect, please tell a member of staff or see the contacting us section below. You will need a form of identification to request any changes.
Seeing your data – subject access request
You have the right to know what personal information we hold about you. This is called a Subject Access Request.
Removing your data
If you no longer use our services and products and wish us to delete your personal data we will do this if there are no legal or statutory regulations requiring us to keep this information.
Restricting Processing
You can restrict the processing of your data including some processing we do under legitimate business interests.
Transferring Your Data
In some circumstances you can ask us to transfer your information to another organisation.
Objection To Processing
You can object to the processing of your data in certain circumstances such as marketing.
Withdrawing Consent
If we are relying on consent to process your data, you may withdraw your consent at any time by contacting us.
There are also some services, such as the National child measurement programme or children’s audiology services, that require an opt out. The information on how to do this directly to the service will be on the letter that you will have received.
Alternatively, to exercise any of the above rights please write to us using the details set out in section 15 or using the contact details already received.
Complaints About How We Manage Your Data
If you are not happy about the way we manage your data please contact us as quickly as possible by contacting your usual contacts for providing our service. You may also write to the Data Controller – who will investigate your complaint and get back to you as soon as possible.
Information Commissioner’s Office (ICO)
The ICO is the UK’s independent authority set up to uphold information rights. You have the right to contact them should you wish. Details can be found on their website: https://ico.org.uk/
Links To Other Websites
Our websites may contain links to and from external websites, advertisers and affiliates. If you follow a link to other sites please note that these will be governed by their own privacy policies. We cannot accept liability for data use on those websites.
Changes To This Privacy Policy
This policy may be updated from time to time on this page. If you have any questions or comments about our Privacy Policy or how we use your personal information please contact us at: [email protected]
In most instances it is best to contact us locally where you take part in our services such as at the Health Service you normally attend. We can usually deal with most of your queries here.
You can also contact us through our contacts pages on our website such as: www.everyonehealth.com or through the localised email address which can be accessed through the main website page, given above.
There are specific privacy policies in place for some of our services. Please follow the contract link to access any localised privacy policies.
Alternatively, you can write or email our Data Controller: datacontroller@everyonehealth.co.uk
Data Controller
Everyone Health Ltd
3 Watling Drive
Sketchley Meadows
Hinckley
LE10 3EY
Document last updated: 2nd October 2023