Skip to main content
/

Last Updated: 31st Jan 2023

Privacy Policy

ORCHA Data Protection Principles

NHS Cheshire and Merseyside is the data controller, in terms of the Data Protection Act 2018. ORCHA is the data processor and adheres to the legal responsibilities of this role. As the Data Processor, ORCHA respects the privacy and confidentiality of all users who engage with the ORCHA App Review platform, or organisations who engage in partnership, or project work with ORCHA. ORCHA strives to ensure that all data that is shared with us, as a Data Processor, is treated with full respect for personal, and client, privacy and is protected in line with all legal responsibilities and recognised best practice standards and processes. NHS Cheshire and Merseyside will only collect the minimum levels of personal data necessary to support our operational processes and will never share, or sell, personally identifiable data collected while maintaining our business processes without asking for and receiving fully informed consent from any platform users, or clients, who may be affected by that action.

Why we publish this policy?

This Data Privacy Policy is published in order to comply with the provisions of the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018. NHS Cheshire and Merseyside also publishes this policy:

  • to ensure all data capture, data management and data utilisation processes are transparent to our end users
  • to clearly explain what data we collect
  • to explain how NHS Cheshire and Merseyside uses any personal information that our end users supply to us
How we collect information

NHS Cheshire and Merseyside collects personal information about you when you, for example:

  • When you are registered with us to become a Pro User for NHS Cheshire and Merseyside platform site
  • undertake actions on the platform site such as:
    • Recommend an App to another user, if that functionality is available to you
    • Visit web pages on the platform site
    • Complete specific actions on a platform web page – e.g. Click on the 'Download an App' button
    • Participate and complete modules within the related ORCHA Digital Health Academy
  • complete a survey
  • take part in a platform led event or competition
  • provide us with personal information in any other way
  • enquire about the fundraising campaigns that we run

All these actions are required to enable NHS Cheshire and Merseyside to act as a data controller and ORCHA to deliver its services as a Data Processor . NHS Cheshire and Merseyside only capture the minimum number of data items required for the delivery of those services. All data that is captured through your interactions with the platform is stored securely in protected databases and only accessible to accredited administrative users with specific access permissions. Data transferred between platform webpages and the data stores we utilise is fully encrypted in transit, in line with best practice encryption methodologies (certified 256bit encryption) to minimise the risk of that data being intercepted or breached. The platform uses TLS 1.2 to transmit data securely when the items are accessed via a browser. NHS Cheshire and Merseyside only collects the following personal data items, depending on your interactions with the platform:

  • Your name
  • Your address
  • Your email address, and/or mobile telephone number
  • Non-mandated additional information volunteered by yourself (e.g. Age)
  • The pages you view on the websites
  • The Apps you recommend to others
  • The Apps you download via the platform sites
  • The address, name, and job role of relevant Healthcare Professional (if applicable)

The ORCHA platform uses Google Analytics which collects the following information from all users of the platform, registered and unregistered:

  • IP address

Google Analytics service allows us to maintain a strong understanding of platform utilisation to ensure the platform is continually improved for our platform users. The IP address is held separately from all data captured via the platform directly and cannot be used to identify an individual directly. For more information on the Privacy Controls utilised in Google Analytics please visit:

https://support.google.com/analytics/answer/6004245?hl=en&ref_topic=2919631

The ORCHA platform uses Hotjar in order to better understand user needs and to optimize the service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a:

  • device's IP address (processed during your session and stored in a de-identified form),
  • device screen size, device type (unique device identifiers),
  • browser information,
  • geographic location (country only), and the preferred language used to display our website.

Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

NHS Cheshire and Merseyside also collects the following usage data relating to the ORCHA Digital Health Academy (accessible to all Pro Users) internally:

  • Academy courses accessed
  • Progress against the academy courses accessed
How we get this information and why we have it

NHS Cheshire and Merseyside collect this information through your interaction with the ORCHA platform and through your direct interactions with us as a company. We collect it to ensure we can deliver the full functionality of the ORCHA platform to you, and any additional services you request directly from us. We also utilise the data to understand how users interact with the platform so that we can continually adapt and improve the platform for our users. NHS Cheshire and Merseyside will only capture the minimum number of data items necessary to ensure the fulfilment of the required services.

How we use your information

NHS Cheshire and Merseyside uses the information that you give to us:

  • to send you information, products or services that you have consented to receive
  • to improve the information, products and services NHS Cheshire and Merseyside offers to its users. (This includes improving our capability to match Health Apps specific to your health need/age/preferences and general improvement of website and review functionality and presentation)
  • to contact you about events, fundraising, campaigning and our other work, where you have consented to receiving marketing information
  • to develop aggregated reports and analysis, using anonymised data, to support research into the broader ongoing development of the Health App market and the utilisation of Health Apps within a defined Health Economy

ORCHA, as a Data Processor, may link data captured from different ORCHA services (e.g. The ORCHA Digital Health Academy), at a personal level, in order to improve our understanding of service utilisation and to support analyses on site utilisation and activity, but ORCHA will never publish, share or sell personally identifiable data without explicit, and informed, consent being received from all parties whose data is being used for those purposes.

How do we store and manage your data?

The Azure ORCHA platform solution is hosted on Azure and utilises a Hub and Spoke networking model. Any electronic Patient Health Information (ePHI) sits in the geographic jurisdiction of the client so local governance laws can be adhered to. For example, a UK clients ePHI would be hosted in the Azure UK South datacentre and adhere to GDPR laws. A Canadian client’s ePHI data would be hosted with Azure in Canada in a way that adheres to local compliance laws. ePHI is stored in these local Spokes whereas all other system data is stored within the central Hub hosted in Azure UK South. All data is encrypted at rest. All Azure to Azure communication within the ORCHA hosted platform is done through the Azure backbone. On top of that, environments are hosted within Virtual Networks. There is a single point of access for all data and that is through Azure Front Door and then through a Firewall and then into the Hub. Once the Hub is accessed then data can be requested from any of the Spokes. All data that is passed out of the system goes back though the Firewall and then through Azure Front Door. Access to the Production environment is through a Bastion host (Jump Box) and users can Remote Desktop to this machine. To access this the user needs to have an Azure Active Directory account and needs to have the correct permissions assigned. Production data is not used for reporting purposes.

How do we protect personal information?

NHS Cheshire and Merseyside implements a range of measures to ensure that any personal information that you provide us with is kept secure, accurate and up to date. NHS Cheshire and Merseyside protective measures include:

  • regular reviews of data capture processes to ensure only data that is necessary to support the delivery of the platform services is captured
  • transparent, informative opt-in Consent capture mechanisms to ensure that all platform service users understand why NHS Cheshire and Merseyside collects their data and how ORCHA processes and manages that data.
  • The platform provides the functionality for users to retract their consent should their preferences change. This functionality is available in the ‘My Account: Your rights under GDPR’ section on all ORCHA provided platforms.
  • Users who choose not to provide any personally identifiable data, can continue to use the platform as normal, but the full functionality of the platform will not be available to those users.
  • Strong encryption of all data in transit between the sites/Apps to secure data storage facilities using certified 256 bit encryption.
  • All platform related databases are secured within a hosted Microsoft Azure environment compliant with local GDPR and other regional regulations.
  • Access to data collected through platform interactions with end users of our services, is limited to only those Data Administrators with appropriate permissions
  • Critical system components are backed up across multiple, isolated locations and the system continuously monitors service usage to deploy infrastructure to support availability commitments and requirements.
  • NHS Cheshire and Merseyside keeps personally identifiable data for a period of 2 years following the closure of an account for legal and audit purposes. After this period all personally identifiable data items are destroyed in line with best practice data destruction standards.
Third parties

NHS Cheshire and Merseyside or ORCHA will not pass your personal details to other people, or organisations, without first obtaining your consent. NHS Cheshire and Merseyside or ORCHA reserves the right to share your aggregated information with other companies that we own, or other companies that help us provide any of our services. There may be rare occasions where information is gathered through the day-to-day collection of platform data, where the data identifies a clear need to safeguard the welfare of the individual and/or his/her family and, on those occasions, it may be necessary to contact relevant authorities to address this. NHS Cheshire and Merseyside will only undertake these actions in line with appropriate legal guidelines and using formal, recognised, and auditable processes.

Your consent

By providing NHS Cheshire and Merseyside with personal information, the end user is agreeing to ORCHA's use of that information as stated in this Privacy Policy. Your consent to utilise NHS Cheshire and Merseyside services is contained within the platform registration process and will clearly inform the user at the point of registration why the data we are requesting is necessary and how that data will be used by NHS Cheshire and Merseyside. The NHS Cheshire and Merseyside consent process requires all end users to positively opt-in to a range of platform services, with information provided to explain each option prior to sign up. Consent preferences can be changed at any time. The functionality to withdraw Consent is provided within the ‘My Account’ section on the platform.

Under 18-year-olds

For users who are under 18, a parent/guardian's permission is required before any personal information is captured relating to the individual. If you believe that an underage user has incorrectly created an NHS Cheshire and Merseyside account, please inform the NHS Cheshire and Merseyside team via SAR@cheshireandmerseyside.nhs.uk

Your data protection rights

Under data protection law, you have rights including:

Your right of access

You have the right at any time to ask for a copy of the information that NHS Cheshire and Merseyside holds about you, and NHS Cheshire and Merseyside will supply that data to you in line with its legal requirements to do so.

Your right to rectification

You have the right to ask NHS Cheshire and Merseyside to rectify information we hold that you think is inaccurate. You also have the right to ask NHS Cheshire and Merseyside to complete information you think is incomplete.

Your right to erasure

You have the right to ask NHS Cheshire and Merseyside to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask NHS Cheshire and Merseyside to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to the processing of your personal data in certain circumstances.

Your right to data portability

You have the right to ask that NHS Cheshire and Merseyside transfers the information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, NHS Cheshire and Merseyside has one month to respond to you. However, NHS Cheshire and Merseyside aims to provide a response to all Data Rights Requests within 24 hours, with full completion of related actions within seven working days. Please contact us at SAR@cheshireandmerseyside.nhs.uk if you wish to request any changes to the data NHS Cheshire and Merseyside holds about you or to withdraw your consent. Please state in the heading of your email which right or rights you wish to exercise.

Changes

If your personal details change, please help the NHS Cheshire and Merseyside team to keep those details up to date by telling us about any changes. If you want to see what information we have about you, or need to tell us about any changes to the information that you have given to us, please contact:

Data Protection Officer,
SAR@cheshireandmerseyside.nhs.uk

We may change this Privacy Statement at any time. If you use this website after changes are made you will be agreeing to those changes.

How to complain

In the first instance please contact the NHS Cheshire and Merseyside data protection officer at SAR@cheshireandmerseyside.nhs.uk If you remain dissatisfied you can complain to the Information Commissioner’s Office (ICO), if you are unhappy with how we have used your data. The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF. Helpline number: 0303 123 1113

Our use of cookies

Cookies are small text markers stored on your computer that enable us to understand how people use our website. No personally identifiable information is stored in cookies. In common with many similar websites, the ORCHA platform uses them to help remember preferences and for anonymous statistical measurements - for example so we know how many 'visits' a page has had. The platform uses cookies to:

  • remember certain information about users so they don't have to repeatedly provide that information
  • recognise if users are already logged in to certain areas of the website
  • measure how people use our website so we can continually improve how information is provided.

You can control and delete cookies even though the platform does not use cookies to collect personally identifiable information about you. If you still want to restrict or block cookies, you can do this through your chosen internet browser (Internet Explorer, Google Chrome, Mozilla Firefox etc.). Use the help function within the specific browser to find out how. However, if you restrict cookies for the NHS Cheshire and Merseyside website then there is a risk you will not be able to access the full functionality of the NHS Cheshire and Merseyside website and your user experience may be undermined as a result.

What cookies are used on ORCHA platform sites?

The cookies applied on ORCHA websites are:

  • Google Analytics - This is a service we use from Google that collects information about how people use our website. We use this to make sure we are providing the best service we can to our web visitors. This information cannot be used to identify you and is only available for NHS Cheshire and Merseyside s internal use. NHS Cheshire and Merseyside does not allow Google to share it. Using cookies, Google Analytics captures information that allows NHS Cheshire and Merseyside to understand:
    • What pages were viewed
    • How long those pages were viewed for
    • How the user came to the site
    • What website buttons and functions were clicked on
    • What browser was used to access the site
    • What country the computer is accessing the site from
    • What search terms were used
    • HubSpot Content Management System (Joomla) – This is the system the ORCHA platform uses to build the website and update the pages. In a similar way to Google Analytics this also collects information about how many times a page has been visited and how many times a file is downloaded (e.g. the PDFs of our research reports and briefings)
    • Cookies are set when you visit the Hotjar website at hotjar.com and you can opt out of non-essential cookies that have been set. The Hotjar Tracking Code is also installed on hotjar.com and cookies that are specific to the Hotjar Tracking Code may also be set.
    • Third-party cookies - Many of our pages have a 'Share this' function that allows you to share content with your friends or colleagues via email, Twitter, Facebook etc. The ORCHA platform uses cookies to make this service work. It provides information on what items a site user has shared, how many people are sharing and how many page 'views' the ORCHA platform site has received as a result of the sharing. As above, this data does not include information that is capable of personally identifying an ORCHA platform user.
    • Cookies that are set by other websites - If you are using the sharing facility already mentioned (i.e. Share content with Facebook, Twitter) then it is possible those websites (e.g. Facebook) may also set cookies when you log in to their service. NHS Cheshire and Merseyside is not responsible for third party cookies of this nature and does not control these cookies.
    • Embedded third party services - Occasionally we embed things like video, audio and pictures from other websites such as such as YouTube, Vimeo, Flickr or Soundcloud. This means it looks like one of our web pages, but the video is being fed through from another site (i.e. YouTube). When this embedded content is accessed via the NHS Cheshire and Merseyside site, the owner of that content sites may use their own cookies to record that you watched or viewed the content. NHS Cheshire and Merseyside has no control over these cookies so you should check the relevant website for more information.