Privacy Notice – Fora Health

Who we are

We are Fora Health Ltd. We provide software that helps patients make shared decisions about their healthcare with their clinicians. We are registered with the UK’s Data Protection Regulator (the Information Commissioner’s Office). You can see our registration details here.

Our registered office is at: Unit 2.09 Brickfields, 37 Cremer Street, London, E2 8HD, UK.

Introduction

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights when it comes to your data.

As part of the services we offer, we process personal data. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

If you are reading this, then you may fall into one or more of the following groups of people.

Groups of people whose information we process

GroupDescription
Service usersA catch-all for Patients, Clinicians, Researchers and Research participants.
PatientsPatients who have been invited to use our service by their clinicians.
CliniciansDoctors, nurses and other medical staff who use our service to share information with their patients and gather information from them to aid in decision-making.
ResearchersAcademic and commercial researchers who use of our service to gather research data in a research project.
Research participantsPeople taking part in a research project using our service.
External StakeholdersExternal collaborators we may be working with on projects.
Job applicantsPeople applying to work at our company.
Team MembersAll members of our team, including employees, advisors, contractors and interns.

Contact us

If you have any concerns or questions please email us at support@fora.health.

For Patients

Via your healthcare organisation’s use of our software

Fora Health offers our software platform to healthcare organisations that are providing your care.

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:

We also collect and process the following data which is classified as “special category”:

Why do we have this data?

We process your information under the direction of your healthcare organisation. Legally speaking, we are classified as a “data processor” and your healthcare organisation is the “data controller”. You should refer to your healthcare organisation’s privacy notice to understand what information they process and for what reason. In most cases, the legal basis for processing your information will be to provide you with health or social care.

Via direct correspondence with us

If you contact us directly by emailing us for support or messaging us through social media then we will collect and process information about you.

What data do we have?

Why do we have this data?

A note on the National Data Opt-Out Policy for NHS Patients

We review our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing activities are assessed to see if the National Data Opt-Out Policy applies.

If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our service users have opted out of their data being used for this purpose.

At this time, we do not share any data for planning or research purposes for which the National Data Opt-Out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes.

If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

For Clinicians

Fora Health provides our software to healthcare organisations such as your employer.

What data do we have?

Why do we have this data?

We process your information under the direction of your employer organisation. Legally speaking, we are classified as a “data processor” and your employer organisation is the “data controller”. All the information we process on behalf of your employer’s organisation is subject to a data processing contract that details what information we process, how we process it and how we keep it safe.

For Researchers

Fora Health provides our software to research organisations such as Universities and Commercial Research Organisations (CROs). If you use our software as part of your job as one of these organisations then we process your personal information:

What data do we have?

Why do we have this data?

We process your information under the direction of your employer organisation. Legally speaking, we are classified as a “data processor” and your employer organisation is the “data controller”. All the information we process on behalf of your employer’s organisation is subject to a data processing contract that details what information we process, how we process it and how we keep it safe.

For Research participants

Fora Health provides our software to research organisations such as universities and commercial research organisations (CROs). If you use our software as part of your enrolment in a research project conducted by one of these organisations then we will process your personal information:

Via the research organisation’s use of our software

What data do we have?

Why do we have this data?

We process this information on behalf of the research organisation that is sponsoring the research project. Legally speaking, we are classified as a “data processor” and the research organisation is classified as the “data controller”. All of the information we process on behalf of the research organisation is subject to a data processing contract that details what information we process, how we process it and how we keep it safe.

You should refer to the research organisation to understand what information they process and for what reason. In most cases, the legal basis for processing your information will be because you have given your explicit consent.

For Team Members

If you are an employee, contractor, advisor or intern of Fora Health then we will process your personal data:

What data do we have?

Why do we have this data?

We collect and process this information about you on the basis of our legitimate interest in operating our company and our legal obligation when acting as an employer.

For External Stakeholders

We work with partners in different organisations to plan collaborative projects. If we work with you in this capacity, then we process your personal data:

What data do we have?

Why do we have this data?

We collect and process this information on the basis of our legitimate interest in operating our company.

For Job applicants

We recruit and hire new Team Members. If you apply for a job with us then we will process your personal information as part of the recruiting and contracting process:

During the recruitment process

What data do we have?

Why do we have this data

We collect and process this information based on our legitimate interest in recruiting people to work for our company.

During the contracting process

What data do we have?

Why do we have this data?

We collect and process this information based on our legal obligation when acting as an employer.

Exercising your rights under data protection laws

The data that we control about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:

  1. You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service;
  2. You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request;
  3. You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Information Governance Alliance’s guidelines. If you do not follow these guidelines, you must provide people with your own retention schedule as you need to tell people how long you hold their data for.
  4. You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
  5. You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
  6. If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.

If you make a data request to us, you may need to provide adequate information for our team to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.

How long we keep your data and which data controller to contact

In some cases, we process your data under the instruction of a data controller. In these cases, you should address any request you have to the data controller responsible. See the following table for details:

GroupRetention PeriodData Controller
Service usersAs defined by the data processing agreement with the data controller.The healthcare organisation or research organisation responsible for controlling the information we process about you.
PatientsAs defined by the data processing agreement we have with your health care organisation (the data controller).The healthcare organisation providing your care.
CliniciansAs defined by the data processing agreement we have with your healthcare organisation employer (the data controller).The healthcare organisation employing you.
ResearchersAs defined by the data processing agreement we have with your research organisation employer (the data controller).The research organisation employing you.
Research participantsAs defined by the data processing agreement we have with the research organisation sponsoring the study (the data controller).The research organisation sponsoring the research project you are enrolled in.
External StakeholdersUp to 5 years following the last direct contact from your employer organisation.Fora Health. Contact us by emailing support@fora.health.
Job applicantsUp to 24 months following the date that the first application was made.Fora Health. Contact us by emailing support@fora.health.
Team MembersUp to 5 years after your last day working with us.Fora Health. Contact us by emailing support@fora.health.

Complaints

If you would like to complain about how we have dealt with your request, please contact the Information Commissioner’s Office.