Last Modified: 20 December 2019
MedeAnalytics International Limited (“MedeAnalytics”, “Company”, “We”, “Us”, “Our”) is a UK-based health and social care analytics provider committed to properly addressing applicable data protection requirements in a way that is transparent, responsive, and reliable. These requirements relate to the controlling and processing of personal data under data protection, privacy and security laws and legislation, including, without limitation and to the extent applicable from time to time, (i) national laws implementing the EU Data Protection Directive (95/46/EC) and the EU Privacy and Electronic Communications Directive (2002/58/EC), (ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and (iii) all other applicable international, regional, and/or national data protection laws and regulations (“Data Protection Laws”).
As a leader in healthcare analytics, MedeAnalytics helps health and social care organizations make best-practice decisions, always keeping in mind the sensitivity of the data We process and control. This information is Hospital Episode Statistics (HES) data, provided under agreement with NHS Digital, in accordance with end-user contracts (UK “Customers”). We host the HES data in UK data centres alongside Our intelligent analytics platform. The HES data is run through the analytics platform in a manner designed to limit display of the data to only that which is necessary to deliver Our state-of-the-art analytics, in a meaningful business context, in the fulfillment of a positive outcome – advanced health and social care data orchestration. We provide what We feel are profoundly meaningful products and services for MedeAnalytics’ Customers, employees, owners, and investors.
MedeAnalytics is a statistical analysis entity, incorporated as a UK company in 2007, that works exclusively in the UK with health and social care providers; these Customers include NHS providers, commissioners, and national bodies. Where a MedeAnalytics client is an independent sector provider, data is only used in support of NHS-commissioned work. Our objective is to provide commissioning activities, operational and financial analytics, comparators and indicators, HES data quality verification, and other mission critical insights as requested and directed by Customers.
In this Policy We explain the purposes for which data is collected and the lawful bases for Our controlling and processing activities. This Policy provides information on rights with respect to personal data and, in the Contact section below, whom to contact at MedeAnalytics regarding data protection issues and/or concerns.
Personal data means any information that relates to an identified or identifiable individual – in the context of Our activities, all HES data provided to Us is pseudonymised first, and the identification of an individual patient is highly unlikely if not impossible in most cases. MedeAnalytics does not share any information whatsoever on individuals – all HES data is aggregated, and shared only for the planning, evaluation, commissioning, and/or provision of health and social care pursuant to Our contract with NHS Digital, end-user Customer contracts, and applicable Data Protection Laws. By accessing this MedeAnalytics website, You agree to this Policy.
DATA CONTROLLER DETAILS
MedeAnalytics is the data recipient and controller of HES data provided by NHS Digital; its details are:
MedeAnalytics International Limited
16 Upper Woburn Place
London, WC1H 0BS, United Kingdom
Data does not leave the UK, is limited to authorized UK users, and is not transferred to the EU or shared anywhere else in the world.
DATA PROCESSING DETAILS
MedeAnalytics conducts processing at the address above, and with respect to processing also maintains a primary data centre and a separate backup data centre, both in the UK. MedeAnalytics receives HES data directly from NHS Digital, which may relate to patients of a General Practice (GP) who may or may not be part of a Clinical Commissioning Group (CCG) with which MedeAnalytics has a contract as a Customer.
Anonymized, pseudonymised patient information that We process may include but is not necessarily limited to patient name, address, date of birth, email address, telephone number, gender, NHS number, health data, genetic data, and biometric data. Because identifying information is removed before the HES data is provided to Us, in the vast majority of cases only NHS Digital could know the identity of any given individual. MedeAnalytics generates no secondary data sets, makes no attempt to identify individuals, does not use HES data for automated decision-making processes (“profiling”), and in every instance of controlling and processing HES data endeavours to ensure that no risk of identification arises. MedeAnalytics’ processing of HES data for Customers is purely to inform and improve the NHS with respect to patient, health, and social care.
WHAT INFORMATION DO WE COLLECT?
MedeAnalytics collects HES data, under contract with NHS Digital, which is anonymized, pseudonymised patient, hospital, health and social care information. Personal identifiers are omitted, and the information is with respect to HES Admitted Patient Care, Outpatient, and Accident and Emergency, collected generally on a monthly basis.
BASES FOR PROCESSING PERSONAL DATA
In order to process HES data fairly and lawfully, MedeAnalytics must have a lawful basis for its processing activities. MedeAnalytics’ legal bases for processing HES data are covered under Article 6(1)(f) and Article 9(2)(j) of the GDPR. Our legitimate interests include assisting end-user Customers with the access and use of Our medical analytics products and services, and the development of the same – which MedeAnalytics considers to be in the public interest as well as of critical value to end-user Customers (please refer to the following section regarding Our Legitimate Interests Assessment (LIA)).
LEGITIMATE INTERESTS ASSESSMENT (LIA)
Our legitimate interests are a necessary and lawful basis for processing and controlling HES data, as they enable Us to assist Customers with the access and use of Our medical analytics products and services, and the development of the same. MedeAnalytics considers access to its analytics to be in the public interest as well as of critical value to end-user Customers, so they can better understand their patient pools and make better health and social care decisions. Our legitimate interests also include MedeAnalytics continuing as a leading provider of mission-critical medical analytics in the UK, and supporting compliance with the NHS’ clinical and non-clinical performance expectations by using Our solutions to identify clinical domains where there are significant outliers, enabling Customers to prioritise service redesign activities.
The purpose of MedeAnalytics solutions includes utilization by Customers to produce baselines for innumerable outcome metrics derived from key data combinations, to support better use of resources, staff, and services, ultimately resulting in better health and social care outcomes. It is important to note that access to HES data by MedeAnalytics’ Customers is only ever to aggregated data, with numbers suppressed in line with ICO standards, and pseudonymisation always occurring prior to transfer of HES data to MedeAnalytics.
We firmly believe that Our processing activities are a necessary, targeted, and proportionate means of achieving the purposes of the legitimate interests outlined above; these interests are not overridden by moral or ethical issues, and are balanced against any impact on individual rights. MedeAnalytics uses the least intrusive means possible to achieve the analytics it provides to Customers, strictly within the UK only. The risks of any data breach are clearly understood by MedeAnalytics, which is why We require HES data to be pseudonymised before it is provided to Us, and We do not require access to the encryption key in order to process HES information.
The solutions that MedeAnalytics delivers are limited to clinical commissioning groups, care quality commission registered providers, public health departments, and similar health care providers within the UK. Our objective for processing is to provide commissioning activities, operational and financial analytics, comparators and indicators, data quality validation, and other critical insights as requested and directed by Customers on the basis of the pseudonymised HES data.
We aspire always to bring fulfillment of a positive outcome for all involved with Our products and services, and ultimately the public, as outlined herein. MedeAnalytics regularly reviews its legitimate interests, this LIA, and the underlying operationalization of controlling and processing HES data, to bring Data Protection Laws compliance and best practice to the forefront of Our aim and offering. You may view MedeAnalytics’ most up-to-date LIA by clicking this link.
HES DATA TREATMENT
HES data is health data, and thus is to be treated with extra care; all personal information is retained, disposed of, and pseudonymised so as to ensure the greatest attention is given to MedeAnalytics’ responsible controlling and processing of the same. MedeAnalytics is ISO 27001 certified, and safeguards are in place at every level of HES data treatment in line with laws, rules, regulations, and legislation relevant to MedeAnalytics’ activities. Policies such as incident response, security escalation, breach notification, and the like are regularly reviewed and updated to conform with Data Protection Laws and MedeAnalytics’ own efforts to ensure the HES data it handles is protected with best-practice corporate governance.
HOW WE USE INFORMATION WE COLLECT
The HES data We collect and apply analytics to is accessed by Customers only through this website, and is only used for the purpose of providing those services for which the Customer has engaged Us. These services include presenting the website and its contents to You, maintaining and improving Our products and services, and assisting with statistical analysis to benefit health and social care decisions. We provide reports to Customers (“Client Reports”); these Client Reports are aggregate statistical reports provided to organisations that relate to overall service delivery information and to trends within and across organisations.
RETENTION OF HES DATA
MedeAnalytics maintains a rolling five (5) full years of data, and the oldest year is destroyed on receipt of the latest year. At the end of a retention period, MedeAnalytics removes expired data, and can provide appropriate destruction certificates. Data is retained only for so long as is necessary for the purposes set out herein and as agreed with Customers, and MedeAnalytics complies with data deletion requests.
SECURITY AND INTEGRITY
MedeAnalytics maintains a robust set of safeguards to protect HES data from loss, interference, misuse, unauthorized access, disclosure, alteration, or destruction. We also maintain regularly updated procedures to help ensure that the analytics of HES data are completely reliable for Our Customers’ intended use. MedeAnalytics conducts automated assessments to operationalize privacy by design, and regularly reviews its Data Privacy Impact Assessments to self-evaluate, always improving where possible the security and protection of the data We process, to reflect best practice – with respect to every aspect of HES data transfers, contracting, and risk control, and complying with Article 35 of the GDPR and Data Protection Laws generally.
You as the Customer are also responsible for the safety and security of data submitted to MedeAnalytics for processing. It is your responsibility to keep secret any username and password that You use for client login or to access other features of this website. Please do not share this information with any non-Customer and remember that You are responsible for any use of this website when it is accessed with your username, password, key code or the like. If You ever suspect or believe that your username or password have been compromised or used by an unauthorised party, please promptly inform Us – see Contact Us below.
REQUESTS WITH RESPECT TO HES DATA TREATMENT
Customers may contact Us by following the instructions below in the “Contact Information” section to request deletion of data, or to withdraw consent to Our processing, in accordance with applicable Data Protection Law. We might be unable to comply with such a request where doing so would place Us in breach of Our obligations under applicable rules, regulations, codes of practice, or Data Protection Law. In the event correction of HES data is requested, contact must be made with NHS Digital. As the HES data We hold is pseudonymised and not individually identifiable, We are not able to process requests to access individual data or to transfer it (data portability). A subject access request (SAR) and issues related to access, correction, erasure, and restriction can be raised directly with NHS Digital.
CHANGES TO THIS POLICY
MedeAnalytics keeps this Policy under regular review. We will update this Policy to reflect variations to Our information practices, and any relevant regulatory changes. We encourage You to periodically review this Policy to learn of any changes to how We treat the personal information of visitors to the website. If We decide to use personal data provided by Customers in a manner that is materially different from the uses described in this Policy or otherwise disclosed to You, You will have the choice to allow or disallow any additional uses or disclosures of data. We will not make retroactive changes that reduce privacy rights unless We are legally required to do so.
CONTACT INFORMATION
Please feel free to contact Us with any questions, comments, complaints, or suggestions regarding this Policy or Our information practices. You always have the right to contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk); however, MedeAnalytics will do all it can to address any concerns, so please do contact Us in the first instance. You may contact Our Data Protection Officer (DPO) via the webpage contact form, by email at firstname.lastname@example.org, or by postal mail at:
MedeAnalytics International Limited – Data Protection Officer UK
16 Upper Woburn Place
London, WC1H 0BS United Kingdom
Telephone: +44 (0) 203 741 8055
Facsimile: +44 (0) 203 040 2089
You may also contact MedeAnalytics for privacy-related matters via https://medeanalytics.com/contact/, at email@example.com, or by post or telephone at its parent company address:
501 W. President George Bush Highway, Suite 250
Richardson, Texas 75080 USA
Telephone: (469) 476-5423
Facsimile: (469) 490-1611