Digostics GTT@home HCP Platform Privacy Notice

Digostics GTT@home Healthcare Professional Privacy Notice - 15/03/2024

1. Introduction

The GTT@home service (the “Service”) is provided by Digostics Limited, a private limited company incorporated in England and Wales with company number 11797881, whose registered office is at Harwell Innovation Centre, Curie Avenue, Harwell Oxford, Didcot, Oxfordshire, England, OX11 0QG, United Kingdom (referred to as “Digostics”, “we”, “us” and “our” in this notice).

The GTT@home service combines the following to enable a home-based alternative to clinic-based testing:

disposable electronic oral glucose tolerance tests (the “Tests”)
the GTT@home mobile app for patients to report their Test results (the “App”)
the GTT@home digital diagnostics platform for healthcare professionals (the “Platform”)

The Platform sends a Test to the patient on the request of the patient’s assigned healthcare professional (“HCP”). The patient performs the Test at home and uses the App to record the Test results and send them to the Platform. The Platform makes the Test results viewable confidentially for the patient’s assigned HCP to interpret.

We provide the Service to healthcare provider customers. The users of the Tests and App are patients under the care of our healthcare provider customers and the individual users of the Platform are HCPs and admin users who work for our healthcare provider customers (referred to as “Users”, “you” and “your” in this notice).

This privacy notice is addressed to Users of the Platform and explains our processing of personal data relating to patients and Users that is collected, stored and processed by the Platform or in connection with the use of the Platform.

For the purposes of data protection laws in the United Kingdom (“UK”) and European Union, some of the processing of this personal data is carried out by us as a controller for our own purposes and some is carried out by us as a processor on behalf of our healthcare provider customers, as detailed in Section 3.

2. Types of personal data we process

We process the following information relating to Users and patients in connection with the Service:

Login data		Your name, work email address and phone number, which will be used to create a user account for you to access and use the Platform. This information may be provided to us by you, a colleague, or the healthcare provider organisation you work for.
Platform technical data		Information about the device you use to access the Platform (e.g., a mobile phone, laptop, or desktop computer), including: the IP address used to connect your device to the internet the browser you use to access the internet on your device (e.g., Google Chrome or Apple Safari) the login and operating system used on your device the make and model of your device device identifiers time zone, language, and location settings your mobile network provider and your location (based on your IP address) Platform response times and updates your interactions with the Platform This information is collected automatically by the Platform using cookies, depending on the browser and privacy settings on your device. See Section 8 for more information about the cookies used on the Platform.
HCP data		Details about HCP Users of the Platform [HCPs], which may be inputted to the Platform by the HCPs themselves or by admin Users, including: name (first name, middle names, and surname) work email address phone number organisation the HCP works for hospital or healthcare site the HCP works at
Support contact data	If you contact us to request support in using the Platform, we will obtain information about you depending on what method you use to contact us: for live chat, we will obtain your name, email address, phone number, the facility that you work at and certain technical data about your phone; for email requests, we will obtain your email address, any name you provide, your phone number, the facility you work at, any personal data you include in your message and the time and date the email was sent; for phone requests, we will obtain your phone number, email address, the facility that you work at, any name you provide, any personal data you mention in your message and the time and date of the call.
Patient data		Details about patients under the care of the healthcare provider you work for, which may be inputted by you or a colleague or by us on request of the healthcare provider you work for, including: name patient ID number used by the healthcare provider you work for NHS number assigned HCP condition being tested for reason for the test being taken any notes added by an HCP in relation to the test date of birth phone number email address home address communication preference height weight sex ethnicity group Expected pregnancy delivery date test results date and time of tests taken any notes added by an HCP in relation to the test results
Test ID		The unique device IDs of the Tests issued to patients, which are linked to individual patient data records when an HCP requests a device to be issued to a patient. The Test ID is not personal data by itself as it cannot be used to identify individual patients: only when it is linked by the Platform with the patient’s details on the Platform can it be attributed to an individual patient and therefore becomes personal data.
Delivery data		If the Test is delivered to the patient’s home, this will include: the patient’s name, home address, email address and phone number any notes a User adds in relation to the delivery. If the Test is being delivered to a collection point, this will include: the patient’s name, email address and phone number the name, address, and organisation type of the collection point any notes a User adds in relation to the delivery.
Results data	The Test transmits the Test ID and the Test results to the App and the App transmits those details to the Platform. The Test ID and results are not personal data by themselves as they cannot be used to identify individual patients: only when they are linked by the Platform with the patient’s details on the Platform can they be attributed to an individual patient and therefore become personal data.

3. Our purposes for processing personal data

Below we describe the purposes for which we use personal data, whether we act as a controller or processor for each purpose, the types of personal data we use for each purpose and the legal bases for doing so.

Purpose	Controller or processor	Type of personal data used	Legal basis
Enabling Users to access and use the Platform.	Controller	Login data Platform technical data HCP data	Legitimate interests: enabling Users to access and use the Platform and providing the GTT@home Service to our customers.
Ensuring the security and integrity of the Platform.	Controller	Login data Platform technical data HCP data	Legitimate interests: ensuring that the Platform is secure and remains available for customers and Users to use, to protect our business, customers, Users, and patients.
Enabling HCPs to assign Tests to patients.	Processor	HCP data Patient data Test ID	Our customers are the controller for this processing and determine the legal basis for it. Please contact or refer to the privacy notice of the healthcare organisation you work for to confirm which legal basis it relies on for this processing.
Enabling Tests to be delivered to patients.	Processor	Patient data Test ID Delivery data
Enabling patients to report Test results.	Processor	Test ID Results data
Enabling HCPs to view patient results to aid diagnosis.	Processor	Test ID Results data Patient data
Providing support to HCPs in relation to using the Platform.	Controller	Support contact data	Legitimate interests: helping Users to use the Platform and identifying and resolving any technical problems with the Platform.
Processing platform data, and, analysing and understanding how the Platform is used so that we can improve its content and functionality.	Controller	Platform technical data (We will only use aggregated data which cannot be used to identify individuals.)	Consent Legitimate interests: improving the GTT@home Service and Platform for the benefit of customers, Users and patients.
Safety, training, regulatory, and compliance purposes, such as sharing data with regulatory bodies like the Medicines and Healthcare Products Regulatory Agency or Care Quality Commission if legally required and auditing the quality of the results provided by the GTT@home tests	Controller, Processor	HCP data Patient data	Legitimate interests. Compliance with a legal obligation.
Analysing and demonstrating trends relating to use of the GTT@home Service, for example, the number of Users of the Platform, Tests or App or trends in a particular location.	Controller	[HCP data] [Patient data] (We will only use aggregated data which cannot be used to identify individuals.)	Legitimate interests: understanding and reporting on usage and trends relating to the GTT@home Service.

In addition to the purposes set out above, we may also process personal data if and to the extent necessary for the following purposes:

Purpose	Legal basis
Establishing, exercising or defending legal claims.	Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others.
Obtaining or maintaining insurance cover, managing risks or obtaining professional advice.	Our legitimate interests in protecting our business against risks.
Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator.	Compliance with a legal obligation.

4. Who we share personal data with

Platform Users

Different categories of users have access to data stored on the Platform as set out below:

User type	Data accessed
HCP	Their own HCP identity data Patient data, Test ID and delivery data relating to their assigned patients
Admin	HCP identity data of all HCPs working for the relevant customer Patient data, Test ID, delivery data and results data relating to all patients of the relevant customer

Digostics support staff

Support staff, including outsourced support staff, will have access to Patient data, Test ID and deliver and HCP data in connection with providing support to Users.

Service providers

We use Microsoft Azure to host the Platform, which means that Microsoft Corporation receives all data collected, stored and processed by the Platform.

We use Complete Packaging Ltd to print address labels for the Test packages that are sent out to patients. The Platform automatically sends patients’ names, postal addresses, email address and phone number to Complete Packaging Ltd for this purpose.

Both Microsoft Corporation and Complete Packaging Ltd process personal data as processors in accordance with our instructions to the extent necessary to provide their services, and their processing is governed by contracts with us to ensure they act in accordance with UK data protection laws.

We use Royal Mail Group Limited (“Royal Mail”) to deliver the GTT@home test packages to patients. This means that Royal Mail receives patients’ names, addresses, phone numbers and email addresses to enable it to deliver the packages to patients. Royal Mail acts as a controller for this processing and is subject to UK data protection laws – see Data Protection at Royal Mail Group | Royal Mail Group Ltd for more information.

Customers

If requested by a customer, we may provide patient data, Test ID and/or delivery data to the customer, to the extent they are not able to obtain it via the Platform themselves.

Healthcare regulators

If we're legally required to, or asked by a regulator, we may need to share HCP data or patient data with regulatory bodies like the Medicines and Healthcare Products Regulatory Agency or Care Quality Commission.

Health bodies

In a public health emergency, we may share patient health data in a way that is appropriate and lawful with organisations such as:

NHS Digital
NHS England and Improvement
NHS Wales
NHS Scotland
Public Health England
Local authorities

Health organisations

GPs

We will limit the use or sharing of data to the period of the emergency and will only share data to the extent necessary, using anonymised or pseudonymised data where possible.

If we share statistics on certain types of illness, symptoms and conditions derived from patient data with health bodies, these will be in the form of aggregated data that cannot be used to identify individuals and will not therefore comprise personal data.

Third party EPR system users

If a customer asks us to integrate the Platform with an Electronic Patient Record system it uses other users of those systems may have access to the patient data stored in the Platform depending on the access permissions that apply to those systems. In cases where integration with an Electronic Patient Record occurs, there will be a signed data sharing agreement that governs the extent of the data sharing activity.

Other organisations

Additionally, we may disclose personal data to other organisations or individuals where disclosure is necessary for the purposes set out above, for example if we are under a duty to disclose or share personal data in order to comply with any legal obligation, in order to enforce or apply the terms of any agreement to which we are a party or to protect the rights, property, or safety of Digostics, our customers or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.

5. Transfers of personal data outside the UK

The Platform and the data processed by the Platform is stored and hosted in a Microsoft Azure datacentre in the United Kingdom. However, our use of Microsoft Azure involves transfers of all data collected, stored and processed by the Platform to Microsoft Corporation and its sub-processors in the United States of America and other countries. As some of these countries (including the USA) are not deemed to provide adequate protection for personal data by the UK government or European Commission, we use Standard Contractual Clauses as an appropriate safeguard to protect the data transferred in accordance with applicable data protection laws. The Standard Contractual Clauses that apply between us and Microsoft Corporation are included in the Microsoft Data Protection Addendum which can be viewed here: Licensing Documents (microsoft.com) .

6. Retention of personal data

We will retain personal data only for as long as is necessary for the purposes described in this notice. The applicable retention periods are set out in our Data Retention Policy.

7. Security of personal data

We use appropriate technical and organisational measures to safeguard and secure the information we obtain in connection with the provision of the Platform, as set out in detail in our Data Security Statement.

8. Cookies used on the Platform

[The Platform uses cookies to distinguish you from other Users, which helps us to provide you with a good experience when you use the Platform and also allows us to collect information which we can use to improve the Platform.

Users are told about these cookies when they first login to the Platform and are provided with an option to accept or refuse cookies that are not strictly necessary through a pop-up cookie banner. If Users do not actively accept these cookies then only essential (strictly necessary) cookies will be installed.

What are cookies?

A cookie is a small text file containing an identifier (a string of letters and numbers) that is sent by a website server to your browser when you visit a website and is stored in your browser. The identifier is then sent back to the website each time your browser requests a page from the website server. When you return to the website, the website can access its previously placed cookie to uniquely identify your browser.

Cookies do several different things. They recall your preferences on a website, help you view content more efficiently and improve the overall user experience on a website.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies can be set by the website operator (known as 1st party cookies) or third parties such as analytics service providers (known as 3rd party cookies).

Cookies may not contain any information that directly personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.

For further information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit https://www.allaboutcookies.org/.

How we use cookies on the Platform

We use cookies on the Platform for a number of different purposes:

to enable you to carry out basic functions on the Platform such as requesting Tests
to collect information about your computer, including your IP address, operating system and browser type, which we use to help us improve the Platform and deliver a better and more personalised experience to Users
to obtain statistical data about Users’ browsing actions and patterns, which does not identify any individual

Further detail about the cookies we use on the Platform and the purposes of those cookies is provided below:

Cookies we use on the Platform

Cookie name	Description	Expiry	1st/3rd party
Strictly necessary cookies: These cookies are necessary for the Platform to function and cannot be switched off. They are usually only set in response to actions made by you which amount to a request for services, such as setting your cookie preferences, logging in to your account, moving around the Platform or completing data fields. These cookies do not store any personally identifiable information. You can set your browser to block or alert you about this type of cookies, but some parts of the Platform will not then work.
Auth0 Token	User session token retrieved from auth0 authentication service once a user has logged in. The token is passed to all service calls in order to validate the user and the level of permissions they have. This cookie does not store any personal identifiable information	24 hours	3rd Party - Auth0
Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of the Platform. They help us to know which pages are the most and least popular and see how Users move around the Platform. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not be able to monitor the performance of the Platform.
None	N/A	N/A	N/A
Functional cookies: These cookies enable the Platform to provide enhanced functionality and personalisation and to recognise you when you return to the Platform. This enables us to personalise the Platform for you and remember your preferences (for example, your choice of language or region). They may be set by us or by third party providers whose services we have added to the Platform. If you do not allow these cookies, then some or all of these services may not function properly.
None	N/A	N/A	N/A

Cookies used by our service providers

We use service providers in connection with the Platform who use cookies to provide those services, including strictly necessary, performance and functional cookies as described above. Where these services involve the setting of third-party cookies, the providers are identified in the table in the ‘Cookies that we use on the Platform’ section above.

Deleting and managing cookies

We will tell you about the cookies used on the Platform when you first login to the Platform and provide you with the option to accept these cookies or not. You can also change your options at any time using the cookie preference tool available at the bottom of every page on the Platform.

You can also manage and delete cookies using your browser settings. The methods for doing so vary from browser to browser, and from version to version. You can however obtain information about blocking and deleting cookies via these links:

Blocking all cookies will have a negative impact on the usability of many websites. If you block cookies, you will not be able to use all the features on our website.]

9. Your rights in respect of personal data

You have various rights under data protection law in respect of our processing of your personal data when we process your personal data as a controller. These are:

the right to access – you can ask us for copies of any personal data we hold about you, along with information about our processing of that data
the right to rectification – you can ask us to correct any inaccurate personal data we hold about you and to complete any incomplete personal data
the right to erasure – you can ask us to delete your personal data
the right to restrict processing – you can ask us to restrict processing of (not actively use) the personal data we hold about you
the right to object to processing – you can object to our processing of your personal data
the right to data portability – you can ask that we transfer the personal data we hold about you to another organisation or to you in a structured, commonly-used and machine-readable form

the right to withdraw consent – if we process any of your personal data on the basis of your consent, you can withdraw that consent
the right to complain to a supervisory authority – you can complain about our processing of your personal data to a data protection authority. The UK supervisory authority is the Information Commissioner’s Office (“ICO”) – see Data protection complaints | ICO for details of how to complain to the ICO.

These rights are subject to certain limitations and exceptions. You can learn more about your rights as a data subject by visiting Individual rights | ICO.

Please contact quality@digostics.com if you wish to exercise any of your rights or if you have any requests, questions or concerns relating to our use of your personal data.

Changes to this privacy notice

Any changes we make to this privacy notice in the future will be posted on the Platform and, where appropriate, notified to you or patients by e-mail or other suitable method. This policy was last reviewed on 14th March 2024.

Contact

Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to quality@digostics.com.