ShareMyXray Team - 09 February 2023

Data Protection and Privacy Policy in Plain English

This Privacy Policy contains important data protection information for GDPR on who we are, how and why we collect, store, use and share personal information and your rights in relation to your personal information, especially for ShareMyXray Patient Accounts.

Who we are: Cypher Information Technology Ltd, a UK company

What is our role: Under GDPR we are the “Data Controller”

Personal Information we collect and use:

  1. We collect and use non-medical Personal Information when you provide it to us, such as your payment details and contact details such as name, email, telephone, address. We also collect system information such as device, browser type and how you interact with our Service.
  2. We collect and store your medical information as well. This includes your date of birth, patient numbers and other identifying information, medical images, clinical reports, clinical request details, hospitals and details of medical imaging studies performed. Note that medical information is ‘sensitive’ under GDPR and subject to a higher standard of care.

How we use your Personal Information:

  1. We use your non-medical Personal Information for administrative and business purposes (particularly account activity via email, for support, and to process orders and payments), to advertise changes to Services, to improve our business overall, and in connection with our legal rights and obligations. We use system information to improve our Service and make it easier to use.
  2. We do not use your medical information other than upon instruction from you within the application to send it to medical institutions or other destinations that you specify; or to receive your medical information from medical institutions or other senders that are sending your medical information to you.

Sharing your information to third parties:

  1. We may share your non-medical Personal Information to our GDPR-compliant service providers to fulfil any contracts we enter into with you, only to the extent necessary to run our business, and only where they provide equivalent organisational and technical protection of your Personal Information.
  2. None of our suppliers have access to your medical information. We never share your medical information, other than when you tell us to via the application, or if we have a legal obligation to do so.

How long do we keep your information:

  1. For no longer than necessary
  2. Non-medical information is kept while your account is still active, and dormant Patient accounts are deleted after 1 year. Tax and business records are kept for 6 years, which may include your name, contact and payment history.
  3. Medical information is deleted automatically 1 year after last use, unless it is covered by an order for on-going storage. In the case of on-going storage, unless renewed it is automatically deleted 30 days after such order expires.

How we keep your information secure:

  1. Data is always strongly encrypted both in transit and at rest; staff and agents have no access to any Personal Information unless specifically required for their role; emails are processed locally and immediately removed from our email hosting service once downloaded.
  2. Patient Data are always strongly encrypted both in transit and at rest; Patient Data are never sent by email; our staff and agents have no access to Patient Data unless specifically required for their role; our system support accounts do not give access to Patient Data; our per-Customer support accounts that do give access to Patient Data may only be used if necessary for a specific support request; our staff and supplier contracts specify this segregation and identify breach as gross misconduct.

Transfers outside the European Economic Area (EEA):

  1. We use suppliers in the US for your non-medical information only where they maintain certification under the EU-US Privacy Shield and the EU General Data Protection Regulation (GDPR).
  2. We never share your medical information, other than when you tell us to via the application including destinations outside the EEA that you specify.

Do we sell your information:

  • No.
  • In the event of sale of the business as a going concern then your information, and obligations for its care, would transfer to the new owners.

Your rights in relation to your information:

  • To access your information and to get information about its use
  • To have your information corrected
  • To have your information deleted
  • To restrict the use of your information
  • To receive your information in a portable format
  • To object to the use of your information
  • To withdraw your consent to the use of your information
  • To complain to a supervisory authority
  • Contact us at support@cypherit.co.uk with subject ‘Patient GDPR’ for detailed info.