Privacy Notice – Fora Health
Who we are
We are Fora Health Ltd. We provide software that helps patients make shared decisions about their healthcare with their clinicians. We are registered with the UK’s Data Protection Regulator (the Information Commissioner’s Office). You can see our registration details here.
Our registered office is at: Unit 2.09 Brickfields, 37 Cremer Street, London, E2 8HD, UK.
Introduction
We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights when it comes to your data.
As part of the services we offer, we process personal data. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.
If you are reading this, then you may fall into one or more of the following groups of people.
Groups of people whose information we process
Group | Description |
---|---|
Service users | A catch-all for Patients, Clinicians, Researchers and Research participants. |
Patients | Patients who have been invited to use our service by their clinicians. |
Clinicians | Doctors, nurses and other medical staff who use our service to share information with their patients and gather information from them to aid in decision-making. |
Researchers | Academic and commercial researchers who use our service to gather research data in a research project. |
Research participants | People taking part in a research project using our service. |
External Stakeholders | External collaborators we may be working with on projects. |
Job applicants | People applying to work at our company. |
Team Members | All members of our team, including employees, advisors, contractors and interns. |
Contact us
If you have any concerns or questions, please email us at support@fora.health.
For Patients
Via your healthcare organisation’s use of our software
Fora Health offers our software platform to healthcare organisations that are providing your care.
What data do we have?
So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:
- Your basic details and contact information. For example, your name, address, email address, phone number and date of birth.
- Data generated by you interacting with our software.
We also collect and process the following data which is classified as “special category”:
- Health data about you, which might include both your physical and mental health data.
Why do we have this data?
We process your information under the direction of your healthcare organisation. Legally speaking, we are classified as a “data processor” and your healthcare organisation is the “data controller”. You should refer to your healthcare organisation’s privacy notice to understand what information they process and for what reason. In most cases, the legal basis for processing your information will be to provide you with health or social care.
Via direct correspondence with us
If you contact us directly by emailing us for support or messaging us through social media then we will collect and process information about you.
What data do we have?
- Your basic details and contact information. For example, your name, email address, social media handles, phone number.
- Any information you decide to provide to us as part of the correspondence.
Why do we have this data?
- We collect and process this information about you on the basis of our legitimate interest in providing you support and answering any questions you have.
A note on the National Data Opt-Out Policy for NHS Patients
We review our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing activities are assessed to see if the National Data Opt-Out Policy applies.
If any data processing falls within the scope of the National Data Opt-Out, we use MESH to check if any of our service users have opted out of their data being used for this purpose.
At this time, we do not share any data for planning or research purposes for which the National Data Opt-Out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes.
If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.
For Clinicians
Fora Health provides our software to healthcare organisations such as your employer.
What data do we have?
- Your basic personal details, such as your name.
- Your professional information, such as your job title, which organisation you work for and which patients you provide health care for.
- Your work email address and phone number.
- Data generated by you interacting with our software.
Why do we have this data?
We process your information under the direction of your employer organisation. Legally speaking, we are classified as a “data processor” and your employer organisation is the “data controller”. All the information we process on behalf of your employer’s organisation is subject to a data processing contract that details what information we process, how we process it and how we keep it safe.
For Researchers
Fora Health provides our software to research organisations such as Universities and Commercial Research Organisations (CROs). If you use our software as part of your job at one of these organisations, then we process your personal information:
What data do we have?
- Your basic personal details, such as your name.
- Your professional information, such as your job title and which organisation you work for.
- Your work email address and phone number.
Why do we have this data?
We process your information under the direction of your employer organisation. Legally speaking, we are classified as a “data processor” and your employer organisation is the “data controller”. All the information we process on behalf of your employer’s organisation is subject to a data processing contract that details what information we process, how we process it and how we keep it safe.
For Research participants
Fora Health provides our software to research organisations such as universities and commercial research organisations (CROs). If you use our software as part of your enrolment in a research project conducted by one of these organisations then we will process your personal information:
Via the research organisation’s use of our software
What data do we have?
- Your basic details and contact information. For example, your name, address, email address, phone number and date of birth.
Why do we have this data?
We process this information on behalf of the research organisation that is sponsoring the research project. Legally speaking, we are classified as a “data processor” and the research organisation is classified as the “data controller”. All of the information we process on behalf of the research organisation is subject to a data processing contract that details what information we process, how we process it and how we keep it safe.
You should refer to the research organisation to understand what information they process and for what reason. In most cases, the legal basis for processing your information will be because you have given your explicit consent.
For Team Members
If you are an employee, contractor, advisor or intern of Fora Health then we will process your personal data:
What data do we have?
- Your basic details and contact information. Your name, personal email address, national insurance number, personal phone number, social media handles.
- Contact details for your next-of-kin.
- Copies of your official identification documents, such as your passport or driver’s licence.
- Your financial information such as your salary, bank account and pension.
- Details about your professional history, such as your previous work and education.
- Records of your employment with us, such as feedback from performance reviews, absences from work, holiday allowance taken.
- Behavioural details about your professional use of your company-issued computer, such as the applications you have installed and the device’s security settings.
Why do we have this data?
We collect and process this information about you on the basis of our legitimate interest in operating our company and our legal obligation when acting as an employer.
For External Stakeholders
We work with partners in different organisations to plan collaborative projects. If we work with you in this capacity, then we process your personal data:
What data do we have?
- Your basic professional details such as your name, professional contact information and the organisation that you work for.
Why do we have this data?
We collect and process this information on the basis of our legitimate interest in operating our company.
For Job applicants
We recruit and hire new Team Members. If you apply for a job with us then we will process your personal information as part of the recruiting and contracting process:
During the recruitment process
What data do we have?
- Your basic details and contact information. Your name, personal email address, personal phone number, social media handles.
- Information provided by your professional references.
- Any other information that you disclose to us during the application and interview process.
Why do we have this data?
We collect and process this information based on our legitimate interest in recruiting people to work for our company.
During the contracting process
What data do we have?
- Copies of your official identification documents, such as your passport or driver’s licence.
- Your financial information such as your salary, bank account and pension.
Why do we have this data?
We collect and process this information based on our legal obligation when acting as an employer.
Exercising your rights under data protection laws
The data that we control about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:
- You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service.
- You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request.
- You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Information Governance Alliance’s guidelines. If you do not follow these guidelines, you must provide people with your own retention schedule as you need to tell people how long you hold their data for.
- You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
- You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
- If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.
If you make a data request to us, you may need to provide adequate information for our team to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
How long we keep your data and which data controller to contact
In some cases, we process your data under the instruction of a data controller. In these cases, you should address any request you have to the data controller responsible. See the following table for details:
Group | Retention Period | Data Controller |
---|---|---|
Service users | As defined by the data processing agreement with the data controller. | The healthcare organisation or research organisation responsible for controlling the information we process about you. |
Patients | As defined by the data processing agreement we have with your healthcare organisation (the data controller). | The healthcare organisation providing your care. |
Clinicians | As defined by the data processing agreement we have with your healthcare organisation employer (the data controller). | The healthcare organisation employing you. |
Researchers | As defined by the data processing agreement we have with your research organisation employer (the data controller). | The research organisation employing you. |
Research participants | As defined by the data processing agreement we have with the research organisation sponsoring the study (the data controller). | The research organisation sponsoring the research project you are enrolled in. |
External Stakeholders | Up to 5 years following the last direct contact from your employer organisation. | Fora Health. Contact us by emailing support@fora.health. |
Job applicants | Up to 24 months following the date that the first application was made. | Fora Health. Contact us by emailing support@fora.health. |
Team Members | Up to 5 years after your last day working with us. | Fora Health. Contact us by emailing support@fora.health. |
Complaints
If you would like to complain about how we have dealt with your request, please contact the Information Commissioner’s Office.
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website contact form: https://ico.org.uk/global/contact-us/