Privacy Policy

 


Introduction
 
This Privacy Policy (together with our terms of use and any other documents referred to therein) sets out the privacy policy of Imperial College of Science, Technology and Medicine, a charity and UK institution of Higher Education constituted by Royal Charter (with registered number RC000231) of Exhibition Road, London, SW7 2AZ (Imperial College) in relation to our operation of the website at www.jointpro.co.uk (the Website). 
 
This Privacy Policy explains how we collect, use and share patients’ (“you”, “your”) personal data, and your rights in relation to the personal data we hold. References to "we", "us" and "our" in this Privacy Policy refer to Imperial College. Terms defined in the Website terms of use shall bear the same meaning when used in this Privacy Policy.
 
Our pledge
 
We are committed to protecting and respecting your personal data. Personal data that we collect from you is maintained in accordance with this Privacy Policy.
 
1. About Us
 
The primary purpose of the Website is to provide a resource to:
 
  • provide patients with a tool for managing their condition.  The Website enables you to track your progress over time, whilst viewing your scores in the context of your own individual aspirations. In providing you with a platform to co-own your clinical episode, you may feel empowered to set personal aspirations, and are better informed to make treatment decisions with your clinician and direct your functional rehabilitation;
  • improve the clinical care of patients;
  • (with your approval) enable your healthcare professionals to use your data to inform clinical decision-making, and direct functional rehabilitation. Healthcare professionals with accounts on the Website are under no obligation to actively monitor their patients via this means and therefore it is at the healthcare professional’s discretion to contact the patient if they deem the data to be of clinical significance; and
  • assess patient perspectives of care outcomes and treatment effectiveness in patients with long-standing hip, knee or shoulder conditions such that we (and other specific groups of individuals, who could include academic researchers or healthcare analysts) are able to determine which interventions achieve the most value for individual patients in the long term
 
2. Data controller and contact details
 
Imperial College is the data controller of personal data you upload on the Website and is subject to the General Data Protection Regulation and the UK Data Protection Act 2018 (Data Protection Legislation). Our nominated representative for the purposes of Data Protection Legislation is Mr Robert Scott.
 
If you have any questions about this Privacy Policy, or if you would like to exercise any of your legal rights in respect of your personal data, please contact our Data Protection Officer by using the following details:
 
  • Email: dpo@imperial.ac.uk
  • Telephone: 02075943502
  • Post: Robert Scott, Data Protection Officer, Imperial College.
 
3. How we collect your information
 
We collect your personal information:
 
  • when you complete and submit an application to register for the Website or on completing any form or questionnaire on the Website.  In the case of Patients, this may include certain kinds of medical information (see section  below ‘Types of information we collect’);
  • from the information you provide via postings to forums and blogs and any other posting that you make to the public areas of the Website;
  • from when you correspond with us by phone, email or by other means;
  • from when you visit and use the Website including, but not limited to, traffic data, location data, weblogs and other communication data; and
  • from information about you received from third parties, for example a friend, Doctor or other person who wants to tell you about the Website.
 
4. The types of information we collect
 
All users
 
We may collect and process the following personal information about you:
  • your name, title, and date of birth;
  • contact details including your email address, telephone number, postal address;
  • technical information gained from your use of our Website, including your internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • information about your visit to the Website (such as which pages you visited, items you browsed, how you navigated the Website, and how long you spent browsing the Website); and
  • if you are a health care professional acting in the course of your profession, your occupation, place of work or other professional information.
 
Patients
 
For users of the Website who are Patients registering for a JointPRO account we might also collect and store the following additional information, based on your submissions to the Website (for the purposes of this Privacy Policy "Patient Information"):
 
  • your gender, weight and height;
  • your living arrangements;
  • your NHS Number;
  • the names of your "Responsible Care Providers" and their place of work (as defined under Terms & Conditions);
  • information relating to your medical condition, as may be updated by you from time to time, including as to:
    • your medical condition, including affected joint and type of condition, 
    • procedure details;
    • other medical disorders (including potentially your history in relation to disorders such as Arthritis, Diabetes, High blood pressure, Liver disease, Cancer, Disease of the nervous system, Kidney disease, Lung disease, Depression, Heart disease, Leg pain when walking due to poor circulation, Problems caused by stroke);
    • your disability status;
    • your mobility;
    • your level of self-care;
    • levels of pain relating to the condition;
    • levels of anxiety arising from the condition;
    • personal aspiration relating to the condition and progress as against those aspirations; and
    • other relevant information relating to the condition, including your usual lifestyle activities, e.g. work, study, housework, family or leisure activities.
 
 
5. How we use your information and who we share your information with
 
Use by Imperial College
 
If you are a Patient with a registered JointPRO account by registering for a JointPRO account, certain selected Imperial College Researchers will be able to view your clinical profile and to export the information contained on such profile (which will include the information referred to in section 3 above (Patient Information) in pseudonymised form).
 
Sharing with others:
 
We may allow some or all of the following categories of persons to view your clinical profile and the information contained on such profile (which will include the information referred to above (Patient Information)):
 
  • your Responsible Care Providers (namely GPs, Consultants and Physiotherapists); 
  • (where you have approved such access) other Clinical Team Members who are assisting your Doctor or Physiotherapist with your clinical care (as verified by your Doctor or Physiotherapist); 
  • (where you have approved such access and have inputted a a site-specific code – see below) the managers and senior administrative staff (Healthcare Analysts) at the hospital or other clinical unit providing you with care, whether that institution is a private healthcare provider or an NHS organisation;
  • (if you are signed up to a specific academic/clinical study), to the Academic Researchers who are involved on such study; and
  • the relevant national records system that monitors all admissions, appointments and attendances at NHS hospitals and/or private hospitals, as applicable (such as the Hospital Episode Statistics (HES) database administered by the Health & Social Care Information Centre (HSCIC, also known as NHS Digital), the National Joint Registry (NJR) or such other replacement national records system, and/or the database administered by the Private Healthcare Information Network (PHIN) concerning private healthcare, as applicable).
 
In some cases you may access the website using a code which indicates that you are being cared for by a particular institution and/or you are participating in an academic/clinical study ("site-specific code").  In such cases, the site-specific code will allow for your information to be shared (in pseudonymised form) with the institution which is providing your care and/or conducting the academic/clinical study in question.
 
For the avoidance of doubt, where a Patient is involved in a specific academic/clinical study or you have accessed the website using a site-specific code, the Patient Information can only be exported for the purpose of the relevant study or analysis in pseudonymised form. 
 
Where information is made available in pseudonymised form, his means that each Patient's data will be categorised by way of a specific numeric/code-based Patient ID rather than the Patient's name.  For academic/clinical studies, only the Lead Investigator for the relevant study (and the super-administrator responsible for the administration of the website) will hold the key enabling this Patient ID to be linked to the Patient's name. Where you have accessed the website using a site-specific code, only (i) a single lead administrator at the institution providing you with care – the Facility Coordinator - and (ii) the super-administrator responsible for the administration of the website, will hold the key enabling this Patient ID to be linked to the Patient's name.
 
All users with access to patient data (to include Responsible Care Providers, Other Clinical Team Members, Healthcare Analysts, Academic Researchers, third party contractors (see below), and the Website’s super-administator) regularly receive information on how to use JointPRO appropriately and are regularly reminded to exercise the utmost professional and personal integrity when using the website.
 
Other uses
 
We may use Patient Information in anonymised or aggregated form for any purpose provided that such use does not enable the Patient Information to be linked to a named individual (and therefore no longer comprises personal data for the purpose of relevant Data Protection legislation, or confidential information).  Such use might include:
 
  • use in aggregated form (ie collected together with similar data from other Patients) to provide information to other users of the website regarding certain metrics relating to specific medical conditions (such as average time for recovery, for example);
  • sale or licensing of part or all of the aggregated data-set created from Patient's contributions to the website for commercial purposes (for example to manufacturers of implants or prosthetics) although we would normally only do so where such use or exploitation had the potential for improving the health and wellbeing of patients.
 
In the event that Imperial College is acquired by or merges with another legal entity, or transfers its operations to a new legal entity, your personal information may be passed to the purchasing/merging/new legal entity amongst the transferred assets and activities.  This will enable your use of the website to continue despite the change of ownership.  
 
Our third party contractors (for example, web developers) who assist us with the operation of the website may also have access to your JointPRO account although only for the purpose of operation and maintenance of the website.  Such third party contractors are bound by strict obligations of confidentiality in relation to such access.
 
We may also disclose your personal information to third parties if and to the extent that we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use; or to protect the rights, property, or safety of Imperial College, our staff, users of the website or others.
 
6. Our legal basis for processing your information
 
General
 
Principally, we will process your personal information on the basis that:
  • the processing is necessary to enable us to perform our contract with you in relation to our making available of the Website; and/or
  • the processing is necessary for the performance of a task carried out in the public interest.
In relation to any information relating to your health (so-called “special category” data), in processing such information we also rely on the further specific grounds set out below.
 
Medicine or health care or treatment
In allowing your approved list of healthcare professionals access to your Patient Information, we) process your Patient Information on the grounds that it is in the public interest and is necessary for the provision of medicine or for health care or treatment. The data is processed by or under the responsibility of a health professional.
In this respect your Patient information may be processed to:
  • monitor and assess your condition and treatment options; and/or
  • edit records relating to your medical condition or procedure.
 
Academic research
As a university, we may (where applicable) process your Patient Information on the grounds that it is in the public interest and is necessary for the provision of approved medical research to improve care, health and services. This means that when you agree to take part in research which is tracked via the Website, we will use your data in the ways needed to conduct and analyse the research study. In this respect we may use your Patient information to:
  • to share with Imperial College researchers, including those working at MSk Lab [The MSk Lab comprises a team of over 30 full-time surgeons, physiotherapists, scientists and engineers all seeking to understand musculoskeletal health and degeneration and to prevent and treat a wide array of problems associated with impaired mobility];
  • if you signed up to a specific academic/clinical study, to share with the academic researchers who are involved on such study.
Where doing so, we ensure that all processing is subject to appropriate safeguards. All research is conducted subject to Research Ethics Committee approval, only processing Patient Information that is necessary, and anonymising or pseudonymising data where possible. We regularly review Patient Information that we hold in our data repository and ensure that it is necessary and accurate for our specified purposes, archiving or securely deleting any data that is no longer relevant.
 
Public health
We may process your Patient Information on the grounds that it is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care. Where doing so, we ensure that we only share data in line with your privacy  preferences and with individuals who are bound by a strict obligation of confidentiality in relation your personal information. In this respect, we use your personal data for the following.  This may include:
  • to share with your Responsible Care Providers or Healthcare Analysts for the purposes of clinical auditing and/or revalidation; and
  • to share with the Private Healthcare Information Network (PHIN), NHS Digital, and orthopaedic registries such as the National Joint Registry (NJR) as applicable for the purpose of clinical audits where required to do so by law. This includes the right for your             personal details and Patient Information to be held and used by contractors working on behalf of the Private Healthcare Information Network and/or NHS Digital.
 
Other disclosures
 
In the event that Imperial College is acquired by or merges with another legal entity, or transfers its operations to a new legal entity, your personal information may be passed to the purchasing/merging/new legal entity amongst the transferred assets and activities. This will enable your use of the website to continue despite the change of ownership.  
 
We may also disclose your personal information to third parties if and to the extent that we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use; or to protect the rights, property, or safety of Imperial College, our staff, users of the website or others. 
 
7. How is your information stored and for how long
 
We will keep identifiable information about you for:
 
  • 20 years after the study has completed in relation to primary research data.
 
 
The data that we collect from you may be transferred to and stored on a single dedicated server based in a UK data centre, run by Rackspace, built to rigorous standards and conforming to ISO 27001 certification. All traffic between users and the server is encrypted using a 256bit SSL (Secure Sockets Layer) certificate. The Website is protected by Cisco firewall to preventing network attacks. 
 
We will take all steps reasonably necessary to ensure that your data is stored securely and in accordance with this Privacy Policy.
 
All personal information you provide to us will be encrypted using the industry standard AES algorithm (AES has been adopted by the United States government as their approved encryption algorithm and is in use by all the major banking groups). In addition, all traffic between users and the server is encrypted using a 256bit SSL (Secure Sockets Layer) certificate. The website has been built using Linux based industry standard web technologies, using its mature security framework to authenticate every user accessing the site. 
 
Unfortunately, the transmission of information via the internet is not completely secure.  Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.  Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
 
8. Your Rights
 
Your usual statutory rights to access, change or move your information are limited, because of exceptions applicable to some types of research, and also because we need to manage your information in specific, lawful ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.
 
9. Any Concerns
 
If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your information, please contact Joint Pro’s Data Protection Officer via email at dpo@imperial.ac.uk, via telephone on 02075943502 and via post at Imperial College London, Kensington, London SW7 2AZ.
 
If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO). The ICO does recommend that you seek to resolve matters with the data controller (us) first before involving the regulator.
 
10. Updating the Privacy Policy
 
We will endeavour to update you to any significant changes to this Privacy Policy. This Privacy Policy was last updated in August 2018.