Privacy Statement
This policy was last reviewed and updated in September 2023.
Introduction
We are committed to protecting and respecting your privacy. The following Privacy Policy applies to Beth, which is owned by South London and Maudsley NHS Foundation Trust “SLaM” and sets out how your personal data is handled by us. We strongly recommend that you take some time to read this policy carefully to understand how we treat your personal data.
SLaM is committed to ensuring that the data you provide is stored and protected at all times. We take the privacy of our Beth users very seriously and all personal data is treated as confidential.
SLaM is registered with the Information Commissioner’s Office (ICO) who are the regulatory body set up to uphold information rights – Ref: Z6032780
What personal information do we collect?
Information that Beth collects - and why we hold this information:
Name - To address you properly and to identify your account. Your name will also be used to verify your account if you want to connect to your care team
Email Address - To identify you and contact you in relation to Beth
Date of Birth - This allow us to verify your account so that you can connect to your care team
NHS Number - This allows us to verify your account so that you can connect to your care team
Beth may use this information for:
Administration of the Service
To provide you with a Beth account and to connect this to your care team we need to use your information to verify who you are.
Communication with you
We use your information to send you communications about our service or to let you know about any changes to our terms of service or privacy policy. We also use your information to respond to you if you contact us.
Improvement and development
From time to time, we may conduct surveys to better understand how to improve features.
What else do we collect?
Beth will securely store anything you choose to include and your communication with the care team section. Anything you enter in Beth will be held in confidence but can be viewed by you and your care team.
Beth also collects analytical data for the purposes of service and quality improvement.
NHS login data sharing
When connecting you to third parties, the following information is shared to securely verify who you are: NHS number, date of birth, first name, last name, email address. We do not receive any additional information when you sign up with NHS login, and we only use the bare minimum of data we need to verify your identity.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
How is your information shared?
South London and Maudsley NHS Foundation Trust, as Data Controller, will not share your data with anyone without your explicit consent, unless the law permits us to do so.
We share data only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the Data Protection Act 2018. Our data processors are outlined below:
Data Processor - Mixpanel
What data they process and why:
Mixpanel is a business analytics tool which collects analytical data from Beth. This data is used for service improvement.
To view their privacy policy please click here
Data Processor - Microsoft Azure
What data they process and why:
Microsoft Azure is a cloud computing service created by Microsoft for managing applications and services. SLaM uses azure to manage Beth and store its contents. Microsoft only stored data within the UK
To view their privacy policy please click here
Data Processor - SmartSurvey
What data they process and why:
SmartSurvey is used to collect information from you, which you would like to share with your care team and will be used by your Care Team as part of your ongoing care. The data is not personal identifiable data but may be sensitive
To view their privacy policy please click here
Before you submit any information, it will be made clear to you why we are asking for specific information, and it is up to you whether you provide it.
The trust does not and will never sell any data.
Cookies
Beth uses cookies. Cookies are small text files that save and retrieve information about your visit, such as how you entered and navigated the website and what information was of interest to you. In addition to this, if you personalise any part of Beth, the information is stored in a cookie and is remembered for your next visit. Cookies provide an anonymised label for each user. A cookie does not allow access to your personal information, we use cookies to tailor the website to customer preference.
If you are uncomfortable with the use of cookies, you can disable this on your electronic device by changing the settings in the 'Preferences' or 'Options' menu on your internet browser.
How long do we retain your personal data for?
Your personal data will be held and processed for as long as you have a Beth account. Once you close your account, we will securely hold the data in line with the NHS retention schedule to ensure we can respond to any future queries or complaints and to comply with legal and regulatory requirements.
Security
Is your information safe?
The files transmitted between Beth and the Electronic Patient Journey System (ePJS, the trust’s electronic record system) is a secure data flow which sits within the Azure data centre. Any data transferred is treated with due care in accordance with Confidentiality: NHS Code of Practice by the Department of Health.
The files transmitted between SmartSurvey and ePJS is a secure flow which sits within a secure UK data centre.
Promote security
We use the information you have provided to verify your account and to promote safety and security by investigating suspicious activity or violations to our terms of service.
Your rights
Right to Access
You have the right to request access to your personal data which we hold. You can do this by submitting an information request, free of charge, to the data protection office: dataprotectionoffice@slam.nhs.uk
Right to Rectification
If you believe that any of your personal data is inaccurate or incomplete you have the right to ask for this to be corrected. To do so please put your request in writing to Beth@slam.nhs.uk
Right to Erasure (Right to be forgotten)
In some circumstances you may ask us to erase your Beth account and data which the account contains. However, there are some situations whereby we would be unable to erase your data, such as when we need to comply with regulatory requirements.
For more information please contact informationgovernance@slam.nhs.uk
Right to Restriction of Processing
If certain conditions apply, you have the right to restrict the processing of your information. Which includes:
- When you contest it as being inaccurate
- If you object to data being processed but we need to decide if it was necessary for a legitimate interest
- When processing your data has been unlawful but you decide against erasing your data
- If we no longer need your data for the original purpose it was obtained, but you require us to hold it to establish, exercise or defend a legal claim.
For more information please contact informationgovernance@slam.nhs.uk
Right of Portability
In certain circumstance you have the right to move, copy or transfer your personal data to another organisation. This works slightly differently to your rights of access as you may be entitled to the same amount of information under the right of portability as you would be entitled to under the right of access.
For more information please contact informationgovernance@slam.nhs.uk
Right to Object
You have the right to object to us processing your data unless we can demonstrate legitimate grounds for processing your data or for if the processing of your data is for the establishment or defense of a legal claim
For more information please contact informationgovernance@slam.nhs.uk
How do we respond to legal requests?
We may be required under law to share your information if there is a legal request which we must comply with such as a search warrant or court order.
How will we notify you of changes to this policy?
We may amend this policy in the future to ensure it is kept up to date with legal requirements. We will notify you when we make any changes to this policy and invite you to review before continuing to use Beth.
How to contact us with questions or concerns
If you have any additional questions regarding this policy, please feel free to contact us at:
Beth
South London and Maudsley NHS Foundation Trust
Maudsley Hospital
London
SE5 8AZ