Who are we?
MyWay Digital Health Ltd (MWDH Ltd) is a medical software company, founded by NHS specialists in diabetes and healthcare management, responsible for the MyWay Diabetes (MWD) service outside Scotland. We process data on behalf of the Data Controller in your region to support enhanced diabetes management. MWDH Ltd shall be a Data Controller where it is processing personal data in relation to our own service delivery purposes. (For more information on the difference between data processors and data controllers, click or tap on this link: “ICO definition of data controller”.)
What data do we collect?
We collect demographic and medical data relating to your diabetes condition, i.e.: name; address; contact details; IP address; date of birth; height; weight; GP practice; type of diabetes; blood pressure; laboratory test results; smoking status; eye and foot screening info; goals; appointment data; and medication. We store any data input by you (e.g.: blood glucose readings, goals, text added to the eLearning chat forum). In addition, general auditable information and bug reporting data are also collected to help improve the service we offer. We only collect the minimum amount of data required to support your diabetes self-management and for the service to operate effectively unless you have provided your consent for optional improved site functionality (see related Cookies Policy).
What happens if wrong data are entered?
When you input your own measurements, these will usually be accurate. If you enter your own measurement data into the system and later realise it is incorrect, we can manually erase it. Please get in touch via our ‘Contact Us’ form with details of what is wrong, including the date entered and the values that are wrong. Examples could be where a child has entered data on your smartphone or tablet without your knowledge, or where you have mistyped a blood glucose level or entered a blood pressure reading in the wrong section by mistake.
How do we collect your data?
We collect and process data when you register online for any of our products or services and when you use or view our website via your browser’s cookies. We collect data from primary care systems, and other associated systems, relating to your diabetes. We track your progress through the educational resources available on our website. Data may also be collected via a customer survey or from feedback. We may also monitor how you use the site.
At the registration sign-up step for any of our products and services, you give your explicit consent: by opting in, you agree to automated data collection from healthcare systems and other third parties.
MWDH Ltd may also receive your data indirectly from NHS systems and from third-party systems (e.g. blood glucose data from your monitor or tracker).
Any data you input directly into the website or app will contribute to the care record you can access on your device. Please note, this data is not currently shared with your healthcare team and you should not assume your healthcare team will be aware of any manual data inputs.
How will we use or share your data?
The MyWay Diabetes (MWD) service focuses on holistic diabetes management. It is only available to patients who have given their consent, and only where MWDH Ltd is satisfying a legitimate interest in your region. We collect data in order to manage your account, giving you: secure access to your medical records; access to tailored education resources; and in some cases, the ability to upload results. For visitors to the public site (who have not logged in), only basic functional cookies are stored on the system, unless consent is granted for opt-in cookies, which cover tracking of site use and the ability to market via Facebook. However, we do log the IP address of everyone who visits the site.
The website, and/or App, does not currently allow you to share data with other users, such as a carer or family member, as a feature. Any data you share is done so entirely at your own risk. The service does not currently permit data transfers.
We collect and process information about you only where we have a legal basis for doing so under applicable EU/UK laws. The legal basis depends on the services you use and how you use them. The GDPR lawful basis for ‘processing of personal data’ is met under Article 6(1)(f): Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject). The GDPR lawful basis for ‘processing of special category data’ is met under Article 9(2)(h): Processing necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the individual, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care services, with appropriate safeguards.
This means we collect and share information for the following purposes:
- to provide the services and to protect the safety & security of the services. For example, we send some data you provide to NHS systems as part of your health record or as a verification step when first registering. Your data may also be used to help improve the products and services MWDH Ltd offers, for service evaluation and audit, and for more general feature improvements such as machine learning functionality. We may pass non-identifiable data to third parties.
- if it satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the services, and to protect our legal rights and interests. Note, we may need to process your data to comply with a legal obligation.
- for a specific purpose not listed within this policy, where you have given us consent to do so. For example, we may publish testimonials or featured customer stories to promote our services, with your permission.
- to protect your vital interests or to protect the public interest. For example, we share your data with healthcare professionals and feedback into local healthcare teams (e.g.: to improve structured education) and anonymised data may be used for regional and national quality reporting.
The service does not involve any automated decision making or profiling; however, it will provide basic lifestyle and education recommendations based on your data record (e.g.: type of diabetes, medications). We intend to expand on clinical decision support functionality in the near future and will update this policy accordingly.
We follow the principle of data minimisation and only collect data and information which are important and relevant to diabetes care and self-management.
Do we carry out marketing activities to users?
This is an NHS service and is free at the point of care, so we will not try to ‘sell’ you anything.
Here the term ‘Marketing’ is about activities we use to keep in touch with you and encourage you to make the most of the resources you sign up for. This can be broadly split into two:
- Direct contact
This includes contacting you (for a range of purposes) via emails or messaging. Consent is gathered for these activities during the registration process.
- Social media advertising
If you give us consent for analytics cookies, we may use online platforms such as Facebook and Google to include you in adverts about the service. These are to help you (and others who may not yet have registered) to get the most out of using the platform, or to register if they have not already done so.
You can change your consent at any time while you use the service.
How do we store data?
We take data security very seriously. Any data elements we store are held in a secure data centre, on encrypted drives, managed by a reliable Tier III hosting provider. Our current provider is ISO 27001 accredited and CyberEssentials Plus certified, partnering closely with MWDH in ensuring we comply with GDPR and the Data Protection Act 2018. MWDH also have supporting policies and procedures which cover physical and technical security measures which address our approach to information risk management.
Data storage is on your local device unless you manually export the data. Data is encrypted while being sent from the service to your device as per standard encryption for data transfers over the internet. All data is protected using HTTPS with TLS encryption between the device and the host.
We will retain data for as long as the service in your area is being funded. Upon termination of funding, all data will be securely and completely destroyed. Given current volumes, the process for deleting personal data is documented and carried out manually, with data erased or scrubbed in accordance with ISO 27001 standards.
MWDH Ltd has implemented controls to ensure that regulatory obligations regarding data protection are followed, documented, and results logged. In the unlikely event of a data breach, we will assess the risk and where appropriate, notify the competent supervisory authority (in the UK, this is the ICO) within 72 hours. If the risk assessment indicates a high risk for you, we would also communicate any breach of personal data directly to you. Specific procedures for the management of security incidents and breach monitoring are in place.
Please note that if you access our service using your NHS login details the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity.
To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
What are your data protection rights?
We would like to make sure you are fully aware of all of your data protection rights. You are entitled, at any time, to:
- the right to access – you have the right to request copies of your personal data. We may charge you a small fee for this service.
- the right to rectification – you have the right to request that we correct any information you believe is inaccurate. You also have the right to request we complete the information you believe is incomplete.
- the right to erasure – you have the right to request that we erase your personal data, under certain conditions.
- the right to restrict processing – you have the right to request that we restrict the processing of your personal data, under certain conditions.
- the right to object to processing – you have the right to object to our processing of your personal data, under certain conditions.
- the right to data portability – you have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
You have additional rights under the General Data Protection Regulation; the two main ones are:
- The right to withdraw consent
- The right to request that you are not subject to a decision based solely on automated processing (note this is not relevant to this service)
Please note that our cookie pop-up will appear every 30 days to enable you to review and change your choices if you wish.
If you make a request, we will aim to get back to you as soon as possible but will respond within one month, dependent on the complexity of the request.
If you would like to exercise any of these rights, including withdrawing your consent to the processing of your data, please contact us at our email: firstname.lastname@example.org or by using the ‘Contact Us’ form. Note that exercising these rights relates only to the data retained or processed by MWDH Ltd. For detailed data protection queries, you may be directed to your GP practice or your local Data Controller, with whom we will partner to support your request.
If you wish to opt out of the MWD service or unsubscribe from our Newsletter, please notify us via the ‘Contact Us’ form and your information will be promptly and securely removed from our system.
How to contact us?
In the event of any personal data breach or security incident, we will inform you of any serious adverse consequences without undue delay. We will also inform the ICO, within 72 hours, where required and document all evidence.
MWDH is the controller for data you input yourself and for other direct updates you make to your personal data. For more detailed queries you may be passed to the Data Protection Officer in your region.
Any clinical questions must be directed to your local healthcare team.
How to contact the appropriate authorities?
Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.