Last modified: May 24, 2018
- Your use of software products operated by Isosec;
- Your use of Isosec’s website;
- Isosec’s Direct Marketing practices.
Who we are
Isosec provide revolutionary software and innovation for healthcare organisations. Our clients include over 50 NHS Trusts and 70,000 users who already benefit from improved workforce efficiency, significant time and cost savings, a significant contribution to the NHS paperless targets and most importantly more resources to spend on patient care. The registered address is Isosec Ltd, Blackfriars House, Parsonage, Manchester, Lancashire, M3 2JA.
What types of personal information are collected and how is such information used?
Isosec (“Processor”) is processing data on behalf of our customers (“Controller”) who use software products operated by Isosec. The types of personal information processed are:
- Identity data: your full name, role, email address, device user name, subject common name, certificate data, domain name of Active Directory account, and unique identifier as recorded in the NHS Spine Directory service;
- Location data: the GPS-coordinates of your location.
Isosec (“Controller”) may collect, store, and use the following categories of personal information about you:
- Contact details: your full name, email address and phone number;
- Usage data: your application use.
How is your personal information collected?
We use different methods to collect data from and about you including through:
- Audit: We collect Identity, location and usage data through audits sent to Isosec upon authentication to the NHS Spine. This includes authentications using either the NHS physical Smartcard or Isosec’s Virtual Smartcard;
- Direct interactions: You may give us your contact details by filling in forms or corresponding with us by post, phone, email, or otherwise. Isosec retain a database of information from parties interested in their products for marketing purposes, including emails and calls.
- Marketing lists: We may receive personal data of healthcare professionals from another organisation. In all cases we make rigorous checks to satisfy that the third party obtained the personal data fairly and lawfully.
Purposes for which we use your personal data
We collect information when users use our products for the purposes of usage tracking, and to provide analytics and technical support services to meet our contractual obligations.
We collect contact details for administrative and customer support purposes such as licensing, development, testing and technical support.
We also collect contact details for direct marketing purposes to pursue legitimate interests of our own, provided your interests and fundamental rights do not override those interests, or we may rely on your specific consent to process. You can stop us from using your personal information for marketing purposes by requesting this at any time.
If you are a customer who has purchased a product from us we will need to contact you from time to time with relevant information. In this circumstance consent to communications is included in your contract. You are still free to opt out of Isosec communications at any time.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you (or an entity of which you are an employee or officer);
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests;
- Where we have your consent.
How is personal information protected?
We have implemented reasonable and appropriate security measures to help protect personal information from accidental loss and from unauthorised access, use, or disclosure. Details of these measures are available upon request.
Despite these security measures, we cannot guarantee that unauthorised persons will never be able to defeat them. Therefore, we have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
International transfers of data
We only transfer personal data outside of the EU where such transfer is reasonably required for our legitimate business purposes and where the transmittee either resides in a territory with an EU adequacy declaration or has contractually agreed to comply with data protection provisions affording your personal data protections equivalent to the protections given under EU law.
How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for. We store the audit data and contact details that we process as necessary to fulfil our contractual obligations for 1 year only. We store marketing data we acquired through consent for 2 years only, after which we seek re-permissioning from you if your original opt-in method was consent. If you object to your data being processed for the purpose of direct marketing by us, we will delete your records immediately (except for the records necessary to maintain our do-not-contact list). We store specific contact details of customers who bought products from us during the course of providing our services.
Who can access your information?
We do not sell or rent your information to third parties. We do not share your information with third parties for marketing purposes. Our policies require our employees and vendors to protect the confidentiality of any personal information they may access.
However, we may make Isosec products usage information available to all Isosec entities and unaffiliated trusted third parties in certain situations, for example:
- to meet our obligations to content and technology providers;
- as needed in connection with the transfer of our business assets (for example, if we are acquired by another company or if we are liquidated during bankruptcy proceedings);
- although unlikely, a trusted third party may need to access personal information in connection with a digital forensic investigation of a potential security incident;
- as required by law in a matter of public safety or policy.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
- Object to processing of your personal information where we are relying on a legitimate interest (e.g. Direct Marketing purpose) and there is something about your particular situation which makes you want to object to processing.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
To exercise the rights above please contact firstname.lastname@example.org. We may need to request specific information from you to help us confirm your identity and ensure your right to exercise any of your rights above. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. Once we have received these from you, we will no longer process your information for the purpose or purposes you originally agreed to.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Isosec may change this statement from time to time. If we make any changes to this Statement, we will change the Last Updated date, and in some cases we may provide you with additional notice. If you have any questions about this statement, please contact Isosec at email@example.com.
If you have any additional questions or concerns related to this Privacy Statement and/or our practices, please send an email to firstname.lastname@example.org.