Scope of policy
For the purpose of this document, the Data Protection Legislation shall mean any data protection legislation from time to time in force in the UK including the Data Protection Act 1998 or 2018 or any successor legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to privacy.
Who we are
MindLife’s purpose is to enhance lives and empower people to improve wellbeing. We integrate science, advanced psychology and healthcare with innovative digital technology and AI to create appealing, effective self-help and blended applications and services.
Our solutions include digital assessments, interventions and an e-triage and social prescribing platform to find and facilitate recommendations for the best solutions for each user’s specific needs and preferences. MindLife may collect, process and hold data for our clients, therapists, community providers and service users.
We are a “data controller” for the purposes of the Data Protection Act 1998 and (from 25 May 2018) the EU General Data Protection Regulation 2016/679 (“Data Protection Law”). This means that we are responsible for, and control the processing of, your personal information.
The data we collect
MindLife is committed to safeguarding the privacy and security of all our users.
The following details the type of information we may collect about our users. MindLife only collect information necessary to provide the type of service or application required by the user.
Standard Personal Information
- Contact information such as name, address, date of birth, email address, your NHS number and your current GP.
- Information from you about how you use our services such as our websites, apps, software or portal.
- Information you may provide from time to time about the types of services, solutions and products you require, the importance you apply to your preferences and your feedback ratings – this will continually inform our systems and enable recommendations of the best personalised solutions tailored to your needs and requirements.
- Any contacts we have had with you such as meetings, appointments, telephone calls, written correspondence, complaints or incidents.
- Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device’s IMEI number or PC IP address), mobile network information, your operating system, the type of browser you use, your login information, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, including the full Uniform Resource Locators (URL) clicks through to and from our websites (including date and time); pages you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page.
Special Category Information
- Data from questionnaires, screenings, assessments and surveys you provide
- Data from research trials you have consented to participate in with us or our collaborators
- Notes and reports about your physical and mental health and wellbeing
- Details about your follow up and subsequent care.
- Information about your ethnic origin so that we can provide accurate tests and calculations that may require this information.
- Relevant information from other health professionals, lifestyle services and therapists
How we collect and store your information
Records may be stored electronically, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. All MindLife staff and their contractors have a legal and contractual responsibility to respect the confidentiality of information and access to that confidential information is restricted to only those who have a reasonable need to access it. MindLife staff and their contractors all undergo regular training in how to manage and keep data safe and secure.
We collect personal information from you through your contact with us including through our websites, through our assessments, social prescribing and triaging software, by phone, by email, through our portals and apps, by post, by you filling in applications either online or on paper and through social media. We also might collect information from other people and organisations about you such as onward referrals to MindLife from other healthcare professionals.
We also work closely with third parties (including, for example, experts in all areas of health, researchers, partners, sub-contractors, delivery services, analytics providers, search information providers) and may receive information about you from them.
Purpose of processing your information and the legal basis for the processing
We process your personal information for a number of legitimate interests (such as providing wellbeing and mental health assessment outcomes, interventions, triage, onward referral sign-posting to local services and managing our relationship with you), to help us improve our products, services and solutions, and when relevant to help us provide recommendations for the best personalised products, services and solutions tailored to your needs.
Legitimate interest is one of the legal reasons why we process your personal information. Taking into account your interests, rights and freedoms, we use legitimate interests to allow us to process your personal information. These interests include:
- Providing services for you directly or on behalf of a third party (for example your GP, therapist or another healthcare professional or service)
- Referring you on to other appropriate and approved healthcare, lifestyle and community services.
- Managing our relationship with you, our business and third parties who provide products or services for us.
- Keeping our records up to date for your benefit, and for improving NHS and therapeutic outcomes.
- Research and analysis so that we can monitor and improve our products, services, websites and software or develop new ones.
- Contacting you for market research purposes about the quality of our service that we have provided to you
- Monitoring how well we are meeting our clinical and general performance expectations
- Developing and carrying out marketing activities and to show you information that is of interest to you and which may benefit you (and enabling you to opt-out of this at any point).
Additionally, we process special category personal data under the provision 9(2H) of the GDPR, namely:
- 9(2H): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 Article 9 of the GDPR
Disclosing your personal data
We only disclose personal and special category information about you for the following reasons:
- It is required by law
- You consent – either implicitly for the sake of your own care or explicitly for other purposes
- If you indicate you are at risk of serious self-harm that could present a threat to your life and disclosing that information could help prevent loss of life.
Recipients of your personal data
Your relevant data may be shared with third-party providers that have contracts with MindLife to provide relevant health and/or lifestyle and/or community services. These may include (with consent from you):
- Your healthcare provider (such as therapist, link worker, GP, doctor): We may disclose your clinical results so that they can act on any findings that our services obtain from screening.
- Approved third party healthcare and lifestyle providers
Details of transfers and safeguards
Your data will remain within the European Economic Area or countries that are accepted by the European Commission as having adequate arrangements in place and will be held in secure data centres. In the event of the UK leaving the EU, MindLife shall follow any requirements outlined by the UK Information Commissioner’s Office (ICO) at that time. MindLife undertake an annual information governance and security assessment with NHS Digital using the Data Security and Protection Toolkit to ensure we are following best practice guidelines for the management and security of your data. MindLife are registered with the ICO under the Data Protection Act and our registration number is ZA527795.
Automated Decision Making
MindLife use risk stratification data tools to help determine a person’s risk of suffering a particular condition, providing appropriate advice based on that risk calculation and to make decisions on showing you the best options and onward referrals for further intervention. You have a right to object to the use of these tools if you feel the advice you have been given from one of these tools is incorrect.
We retain your data for periods that are determined by a number of factors including:
- Any periods for keeping information which are set by law or recommended by regulators, professional health bodies or health associations
- How long it is reasonable to keep records to show we have met the obligations we have to you
- Your use of the MindLife website, services and apps and the period that it has been since you last used any account that you might have created.
- In the absence of any of the above factors determining the retention period then our general retention period for data is 7 years.
Data that is anonymised (any data that has had all personal references to you removed and cannot be used to identify you in any way) will be retained for an indefinite period to provide ways for MindLife and partners to improve and refine their services and effectiveness.
Your rights under GDPR are as follows
- a right of access to a copy of the information comprised in your personal data
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
- a right to claim compensation for damages caused by a breach of the Act
You have a right to apply for access to the personal data of which you are the subject, a right to a description of the data, the purpose of the processing and, if the information is to be shared, who it will be shared with. This will be supplied in permanent intelligible form (medical abbreviations etc. explained). This information or any actions arising from the request will be carried out within one month of the request being made.
The data protection officer is responsible for dealing with individual rights requests and can be contacted using the email address: email@example.com
Links to other websites and services
Our websites, services, products and solutions may contain links to other websites, products or services. Once you have used these links to navigate away from our site, you should note that we do not have any control over that other site. We cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the sites in question before entering any personal information on those sites.
‘Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile phone or tablet when you visit a website. They let websites recognise your device, so that the sites can work more effectively, and also gather information about how you use the site. A cookie, by itself, can’t be used to identify you. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie does not give us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
We use all four categories of cookies defined by the International Chamber of Commerce:
- Strictly necessary cookies are essential for you to move around our website and to use its features, like our shopping basket and your account.
- Performance cookies collect anonymous information about how you use our site, like which pages are visited most.
- Functionality cookies collect anonymous information that remembers choices you make to improve your experience, like your text size or location. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
- Targeting or advertising cookies collect information about your browsing habits in order to make any advertising we do relevant to you and your interests.
Should you have any concerns about how your information is managed by MindLife, please contact the MindLife Data Protection Officer by email: (firstname.lastname@example.org). If you are still unhappy following our review, you can then complain to the Information Commissioner’s Office (ICO) via their website (https://ico.org.uk/).