Privacy Notice for Log My Scan
This Privacy Notice tells you how Teesside University, as Data Controller, collects and processes your personal data as users of the app Log My Scan.
We may amend this notice to reflect changes to our website, business, data protection law or other legislation. For this reason, we ask that you revisit this notice on a regular basis.
Log My Scan is a technology service for doctors, nurses and other healthcare professionals who undertake Point-of-Care Ultrasound (POCUS) scanning as part of their professional role. Your Personal Data is collected in order to register you as an app user, to facilitate your use of the app and for general administration of your account, including sending you updates and push notifications. The app aims to facilitate supervision of training.
Personal Data is collected from you when you register and when you upload anything which identifies you personally to the app.
The following information will be collected and stored by the University:
4.3 Password (hashed)
4.4 Phone number
4.5 Marketing Preferences
4.7 Hospital/Clinical Location
4.8 Language preferences
4.10 Date of Registration
4.11 Clinical activity
4.12 Supervisor/supervisee relationship
4.13 Feedback and comments
4.14 Personal reflections on clinical activity
4.15 Progress towards achievement competencies
4.16 User's skill level in performing different types of scans as a medical diagnostic test
This is not an exclusive list and other personal data may be requested consistent with the expressed purpose.
Personal data is processed for the purposes identified above on the basis of consent. In signing up to and using the app you expressly consent to personal data being collected and shared as described below.
All uploaded patient scan data will be anonymous and does not constitute personal data under data protection legislation. You are however obliged to follow ethical and clinical requirements in relation to obtaining consent from the patient to use their anonymised scan data for these purposes and/or have a lawful basis under Article 6 and 9 of the GDPR (e.g. Article 6(f) and 9(h), with a condition under Part 1, Sch 1 section 2(c) and (d) of the Data Protection Act 2018).
The University may share your personal data internally between departments for the purposes of administering your account.
The University will only share your Personal Data with external third parties where we are permitted to do so under Data Protection Legislation.
Where we have a lawful basis, we may pass Personal Data to third parties in the following circumstances:
5.1 To professional bodies where there are fitness to practice concerns;
5.2 To the police where inappropriate use is identified;
5.3 To relevant authorities where required by law to do so;
5.4 In the public interest for the purposes of research subject to appropriate safeguards;
5.5 Some data e.g. feedback from a supervisor may be shared with others with your express consent.
International processing is not envisaged within this activity, but in the event that it is necessary to transfer data outside the EEA, this will be done pursuant to an agreement which ensures that necessary safeguards are in place, and this privacy notice will be updated accordingly.
We take technical and organisational measures to protect all of the Personal Data we hold. Only authorised employees and contractors have access to your Personal Data. All personal data will be stored in cloud storage which complies with NHS standards of cloud storage and NHS cloud provider requirements.
We will only retain the Personal Data we hold about you as long as necessary. Personal data will automatically be deleted when you delete the app from your device. See section 10 below if you have any concerns about retention of your personal data and/or you wish to exercise a right to erasure.
GDPR requires that Personal Data is accurate. It is essential that you update your account details if any information you have provided changes. If you fail to update your details, the University cannot take responsibility for any inaccuracy. Requests for deletion or erasure in accordance with your rights below should be sent to firstname.lastname@example.org. Any such requests will be actioned within 28 days of receipt.
As a data subject you have certain rights which include:
Right to complain: You have the right to lodge a complaint with the Information Commissioner’s Office; details are provided below.
Right to access personal data: You can find out what information we hold about you by making a subject access request. The request can be made free of charge, by writing to the Data Protection Officer, details of which are below.
Right to Erasure (Right to be Forgotten): You have the right to have the Personal Data we hold about you erased.
Right to object: You have the right to object at any time to the processing of your Personal Data.
Right to withdraw Consent: Where consent forms are the basis for processing, you have the right to withdraw your consent to the processing at any time.
Right to Data Portability: If you request us to, we will transmit your Personal Data directly to another organisation.
Right to Rectification: You have the right to ask us to rectify inaccurate information held about you without undue delay.
These are not unqualified rights and the University may not be able to act on your request in certain circumstances.
The Data Protection Officer is contactable at Teesside University, Middlesbrough, Tees Valley, TS13BX, UK. Telephone: +44 (0)1642218121, Email: email@example.com
You may contact our Data Protection Officer directly with any queries relating to Data Protection.
The Lead Supervisory Authority overseeing the Controller is: The Information Commissioner’s Office (the ‘ICO’), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF, United Kingdom. Tel: +44 (0)3031231113, Email: firstname.lastname@example.org. Website: https://ico.org.uk.
12th May 2021