Privacy Policy
Last updated February 2024
Ardia Ltd. - owner and operator of MyRenalCare - is committed to protecting and respecting your privacy.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
Our services are available to individuals who are 16+ years old and are not intended for children. We do not knowingly collect data relating to children. You can report any knowledge of a child accessing MyRenalCare and providing personal data by emailing privacy@myrenalcare.com.
If MyRenalCare becomes aware of a minor/child providing personal data without parental consent, we will delete this data within 7 days of being made aware.
For the purpose of the Data Protection Act 1998 (the Act), the data controller is Ardia Ltd., a company registered in England with registration number: 07881370 and having its registered address at 46 Belmont Road, Poole, BH14 0DB.
INFORMATION WE MAY COLLECT FROM YOU
Only minimum data items necessary to provide our services are collected.
We may collect and process the following data about you:
Information that you provide by filling in forms on our system, including but not limited to clinical history.
Details of your activity using our system including, but not limited to, traffic data, time spent in each resource and the resources that you access.
Specifically MyRenalCare may collect the following data: Name (Full Name, Nickname or First Name Only), Username, Email, Age / DOB, Location Data, IP Address, General Wellness Data, General Identifier eg. NHS No, Cookies / Web Beacons etc. (used for tracking an individuals online browsing behaviours/movements), Usage Data, Physical and/or Mental Health Data.
If you contact us, we may keep a record of that correspondence.
When you use our system, we may record your device's IP address (the unique numerical address given to every device connected to the internet) and the time and duration of your activity, your location and other statistical details.
This cookie and your IP address will be used to record the pages you visit on our system. We will use this information to analyse the way our system is used, and to administer and improve the accessibility of our system and for user login authentication.
WHERE WE STORE YOUR DATA
We use Amazon Web Services to power the MyRenalCare web app. All data is held in the UK using Amazon Web Services Europe (London) eu-west-2 datacentre region across 3 availability zones.
Amazon Web Services is considered the industry leader in cloud services and is trusted by organisations like DOW Jones, Pfizer, and the CDC.
Data is encrypted using SHA-256 and AES-265, both 'at rest' on the servers and when in transit. All data displayed and updated back to the database is encrypted and secured with SSL.
This encryption applies to all data - the database records, search indexes as well as uploaded files and images. Backups are encrypted using the same.
All user passwords are double encrypted and hashed with a salt (intended to prevent dictionary attacks).
Data is not accessible to anyone unless we make it accessible.
Every change to every record is recorded along with timestamps and IP addresses.
CONTROL OF YOUR DATA
Any data that you enter into the MyRenalCare app, is controlled by you and - ultimately - owned by your hospital trust. Ardia Ltd. makes no claim to the ownership or control of any patient data.
When signing up for MyRenalCare, you will be asked whether you give consent to two things:
For your clinical data to be stored in the MyRenalCare app, and viewed by your MDT clinicians. Without this consent, the app cannot be used.
For your anonymised data to be used for research purposes.
Our records retention, disposal and destruction policy is compliant with NHS Records Management policy for health and social care (2016) and GDPR.
Data in active accounts will be retained in perpetuity
Data in inactive accounts for 12 months or more will be offered to your NHS Trust according to the Trust’s data transfer policy and then deleted from Ardia Digital Health Ltd records
Should you wish to have your account deactivated or records deleted please contact your NHS Trust who will, as the data controller, handle that request for you.
For physical storage media, DoD 5220.22-M 'National Industrial Security Program Operating Manual' or NIST 800-88 'Guidelines for Media Sanitization' are followed to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices. https://aws.amazon.com/compliance/data-center/data-layer/
USE OF
YOUR DATA
We use information held about you in the following ways:
Our system is designed to facilitate the delivery of individualised care and educate patients on their long term condition. It is also designed to facilitate clinicians to manage patient populations and operate on data that you provide.
Our system is intended to be a platform that patients can use independently, or with their clinician. Your health details collected through the system may be available to the relevant health professional and used when discussing your treatment preferences with them.
In particular, where you indicate through our system that your symptoms have worsened we may send alerts to your health professionals whose contact details you have provided to us.
Should you consent to us using your data collected by the system, we may use this information to contact you and invite you to participate in relevant studies.
To carry out our obligations arising from any contracts entered into between you and us.
To notify you about changes to our service.
If the purpose for processing data changes then consent will be re-obtained before continued use of the service.
Where you consent to us using your data for clinical research we will use information held about you in the following ways:
To assess your suitability for inclusion in clinical trials and studies.
To provide you with information about clinical trials and studies that you request from us which we feel may interest you or which you have expressed an interest in.
To respond to requests from pharmaceutical companies and research organisations about potential candidates for clinical trials that they may wish to conduct.
To share your information with pharmaceutical companies and research organisations to enable them to assess your suitability for inclusion in clinical trials and studies and/or to enable them to invite you to enrol as a participant in such clinical trials or studies.
To help inform research organisations (these may include pharmaceutical companies, universities and other academic institutions, health care organisations) on the validity of their research protocol.
DISCLOSURE OF YOUR DATA
We may disclose your personal information to:
Hospitals or academic institutions for occasional use in relevant studies, if you have opted to consent to this. The information that is used will be made anonymous and will be confidential. In these instances, we shall inform you in advance and you will have the choice to opt out of the use of your information in connection with such study.
Third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation.
Third parties in order to enforce or apply the terms of use applicable to the system or our terms of business or any other agreements with you; or to protect the rights, property, or safety of Ardia Ltd., our customers, or others.
We may collect anonymous statistical data on the use of medications which may be shared with the NHS and other third parties to optimise spending.
YOUR RIGHTS
The UK GDPR provides the following rights for individuals:
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
The right to be informed
The right of access
The right to rectification
The right to erasure
If you believe your data privacy rights have been breached please inform us by contacting us at privacy@myrenalcare.com. In addition you have the right to complain to the UK's Local Supervisory Authority - the Information Commissioner's Office (ICO) and/or lodge a complaint with their local data protection authority.
If we believe your privacy rights have been breached, we will:
report a data breach to the Information Commissioner's Office (ICO) using either the Data Security and Protection Reporting Tool in England, or the ICO breach reporting tool in Scotland, Wales and Northern Ireland, without undue delay, and no later than 72 hours after we become aware of the breach.
Breach notification must include:
the nature of personal data breach including:
the categories and approximate number of individuals concerned
categories and approximate number of personal data records concerned
name and contact details of DPO or other contact point
description of likely consequences of personal data breach
description of measures taken or proposed to deal with personal data breach, including measures to mitigate possible adverse effects.
You have the right to remove your explicit consent to the processing of your data. The MyRenalCare platform depends on the personal, general wellbeing, physical and mental health data that you to provide our services, therefore opting out will disable your account until you opt back in again.
You are unable to opt out of processing activities related to Usage Data. We use this data to improve the services that we provide.
If you have given your consent to anything we do with your information (i.e. we rely on consent as a legal basis for processing your information), you have the right to withdraw that consent at any time.
Withdrawing your consent does not make unlawful what we have done with your personal data up to that point, when your consent was active.
If you request for us to erase all your personal data (also known as the “right to be forgotten”) in the following circumstances:
It is no longer necessary for us to hold that personal data with respect to the purpose for which it was originally collected or processed;
Consent is the lawful basis for MyRenalCare holding your data and you withdraw your consent;
You object to us holding and processing your personal data and there is no overriding legitimate interest to allow us to continue doing so;
The personal data has been processed unlawfully; or
the personal data needs to be erased in order for us to comply with a particular legal obligation.
The erasure of your personal data may result in automatic closure of your user account and access to the log-in areas of our application.
Time Limit to Respond
We aim to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
THIRD PARTIES
MyRenalCare's privacy policy does not extend to third parties and users should make themselves aware of the privacy policies of any third-party site/platform that they visit through the app. These include but are not limited to, YouTube and Kidney Care UK.
MyRenalCare provides opt-in integration with Patients Know Best. If you would like to give or remove consent for your data to be shared between your MyRenalCare and Patients Know Best user accounts, you can do this within your MyRenalCare user account.
MyRenalCare uses OAuth 2.0 to integrate with Patients Know Best and does not share your email address in order to make this integration.
You can read about Patients Know Best's privacy policy here: https://patientsknowbest.com/privacy-policy/
CONTACT
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to privacy@myrenalcare.com.
Data Protection Officer (DPO): Ian Harrison CEng FBCS MBA CITP dpo@myrenalcare.com