Who we are?
MyWay Digital Health Ltd (MWDH Ltd) is a medical software company, founded by NHS specialists in diabetes and healthcare management, responsible for the MyWay Diabetes (MWD) service. We process data on behalf of the Data Controller in your region to support enhanced diabetes management. MWDH Ltd shall be a Data Controller for data we collect directly into the platform from end users. (for more information on the difference between data processors and data controllers, click or tap on this link “ICO definition of data controller“)
What data do we collect?
We collect demographic and medical data relating to your diabetes condition from your healthcare providers, i.e.: name; address; contact details; IP address; date of birth; height; weight; GP practice; type of diabetes; blood pressure; laboratory test results; smoking status; eye and foot screening info; goals; appointment data; and medication. We store any data input by you (e.g.: blood glucose readings, goals, text added to the eLearning chat forum). In addition, general auditable information and bug reporting data are also collected to help improve the service we offer. We only collect the minimum amount of data required to support your diabetes self-management and for the service to operate effectively unless you have provided your consent for optional improved site functionality (see related Cookies Policy).
Any data you input directly into the website or app will contribute to the care record you can access on your device. Please note, this data is not currently shared with your healthcare team, and you should not assume your healthcare team will be aware of any manual data inputs or device uploads.
What happens if wrong data is manually entered by you?
When you input your own measurements, most of the time you will be happy that this is accurate. If you enter data on your own measurement into the system and later realise the data is incorrect, we can manually erase it. Please get in touch via our ‘Contact Us‘ form with details of what is wrong including the date entered and values that are wrong. Examples could be where a child has entered data on your smartphone or tablet without your knowledge or you may have mistyped a blood glucose level or entered a blood pressure reading in the wrong section, by mistake.
How do we collect your data?
We collect data and process data when you register online for any of our products or services and use or view our website via your browser’s cookies. We collect data from primary care systems, and other associated systems, relating to your diabetes. We track your progress through educational resources, available on our website. Data may also be collected via a customer survey or from feedback. And we may also monitor how you use the site.
There are three main routes to data collection:
MWDH Ltd may receive your data via a bulk data transfer, from your GP (Data Controller).
MWDH Ltd may receive data via the GP (Data Controller) Patient Facing Services (PFS) route.
And with your consent, at the registration sign-up step to use any of our products and services, for data you may input manually.
How will we use or share your data?
The MyWay Diabetes (MWD) service focuses on holistic diabetes management. It is available to all patients, in a region, where their GP has signed up to use this system for the relevant diabetes patients and to patients that have given their consent. We collect data in order to manage your account, giving you: secure access to your medical records; access to tailored education resources; and in some cases, the ability to upload results. Visitors to the public site (who have not logged in), have data stored on the system (basic functional cookies only, unless consent is granted for opt-in Cookies which cover tracking of site use and ability to market via Facebook), however, we do log the IP address of everyone who visits the site.
The website, and/or App, does not currently allow you to share data with other users, such as a carer or family member, as a feature. Any data you share is done so entirely at your own risk. The service does not currently permit data transfers.
We collect and process information about you only where we have a legal basis for doing so under applicable EU/UK laws. The legal basis depends on the services you use and how you use them.
When processing on instruction of the Data Controller, the GDPR lawful basis for ‘processing of personal data’ is met under Article 6(1)(e): processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GPDR lawful basis for ‘processing of special category data’ is met under Article 9(2)(h): Processing necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the individual, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care services, with appropriate safeguards.
For PFS consent, the GDPR lawful basis for ‘processing of personal data’ is met under Article 6(1)(e): processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GDPR lawful basis for ‘processing of special category data’ is met under Article 9(2)(h): Processing necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the individual, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care services, with appropriate safeguards.
For personal data you provide directly to MWDH for which MWDH is Controller, we rely on Article 6(1)(f) as it is in our legitimate interest to provide you a platform to enable you to support your care with diabetes, and Article 9(2)(h) as the processing is used to support your provision of health care.
As Controller, we collect and share information for the following purposes:
- to support the delivery of direct healthcare. For example, we share your data with healthcare professionals and feed back to your local healthcare teams (e.g.: to improve structured education). Anonymised data may be used for regional and national quality reporting.
- to promote the services and to protect the safety and security of the services. For example, we send some data you provide to NHS systems as part of your health record or verification step when first registering. Your data may also be used to help improve the products and services MWDH Ltd offer, for service evaluation and audit, and for more general feature improvements such as machine learning functionality. We may pass non-identifiable data to third parties.
- to protect our legal rights and interests. Note, we may need to process your data to comply with a legal obligation.
- for a specific purpose not listed within this policy, where you have given us consent to do so. For example, we may publish testimonials or featured customer stories to promote our services, with your permission.
The service does not involve any automated decision-making or profiling however it will provide basic lifestyle and education recommendations, based on your data record (e.g.: type of diabetes, medications).
We follow the principle of data minimization and only collect data and information which are important and relevant to diabetes care and self-management.
Do we carry out marketing activities to users?
This is an NHS service and is free at the point of care, so we will not try to ‘sell’ you anything. Here the term ‘Marketing’ is about activities we use to keep in touch with you and encourage you to make the most of the resources you sign up for. This can be broadly split into two, in terms of our service support:
- Direct contact
This includes contacting you (for a range of purposes) via emails or messaging. Consent is gathered for these activities during the registration process.
- Social media advertising
Only if you give us explicit consent for analytics cookies, we may use online platforms such as Facebook and Google to include you in adverts about the service. These are to help you (and others who may not yet have registered) to get the most out of using the platform or to come and register if not already users. You can withdraw your consent at any time through the cookie manager on your local MWDH registration page.
You can change how you hear from us at any time while you use the service.
How do we store data?
We take data security very seriously. Any data elements we store are held in NHS approved secure data centres, on encrypted servers. Our providers partner closely with MWDH in ensuring we comply with GDPR and the Data Protection Act 2018. MWDH also have supporting policies and procedures which cover physical and technical security measures which address our approach to information risk management.
Data storage is on your local device unless you manually export the data. Data is encrypted while being sent from the service to your device as per standard encryption for data transfers over the internet. All data is protected using HTTPS with TLS encryption between the device and the host.
We will retain data for as long as the service, in your area, is being funded. Upon termination of funding, all data will be securely and completely destroyed. Given current volumes, the process to delete any personal data is documented and manually erased or scrubbed in accordance with ISO27001 standards.
MWDH Ltd has implemented controls to ensure that regulatory obligations regarding data protection are followed, documented, and results logged. In the unlikely event of a data breach, we will assess the risk and where appropriate, notify the competent supervisory authority (in the UK, this is the ICO) within 72 hours. If the risk assessment indicates a high risk for you, we would also communicate any breach of personal data directly to you. Specific procedures for the management of security incidents and breach monitoring are in place.
Please note that if you access our service using your NHS login details the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity.
To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
What are your data protection rights?
We would like to make sure you are fully aware of all of your data protection rights. You are entitled, at any time, to:
- the right to access – you have the right to request copies of your personal data.
- the right to rectification – you have the right to request that we correct any information you believe is inaccurate, where MWDH Ltd is the data controller.
- the right to erasure – you have the right to request that we erase your personal data, under certain conditions.
- the right to restrict processing – you have the right to request that we restrict the processing of your personal data, under certain conditions.
- the right to object to processing – you have the right to object to our processing of your personal data, under certain conditions.
- the right to data portability – you have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
You have additional rights under the General Data Protection Regulation, the two main ones are:
- The right to withdraw consent.
- The right to request that you are not subject to a decision based solely on automated processing (note this is not relevant to this service)
Please note our Cookie pop up will appear every 30 days to enable you to review and change your choices if you wish.
If you make a request, we will aim to get back to you as soon as possible but will respond within one month, dependent on the complexity of the request.
If you would like to exercise any of these rights, including your withdrawal for your consent to your data to be processed, please contact us at our email: firstname.lastname@example.org or by using the ‘Contact Us‘ form. Note exercising these rights relates to the data retained or processed by MWDH Ltd only. For detailed data protection queries, you may be directed to your GP practice or another local Data Controller, with whom we will partner to support your request.
If you wish to opt-out of the MWD service or unsubscribe from our Newsletter, please notify us via the ‘Contact Us‘ form and your information will be promptly and securely removed from our system.
How to Contact us?
In the event of any personal data breach or security incident, we will inform you of any serious adverse consequences without undue delay. We will also inform the ICO, within 72 hours, where required and document all evidence.
MWDH control your self-input or other direct updates to your personal data. For more detailed queries you may be passed to the Data Protection Officer in your region.
Any clinical questions must be directed to your local healthcare team.
How to Contact the appropriate authorities?
Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.