Device Access UK
PRIVACY STATEMENT

We welcome you to our website. We would like to inform you about the management of your personal data.

PRIVACY & COOKIES POLICY

Last updated on 1st September 2020 v2.3

We are Device Access UK Ltd, Kenneth Dibben House, Enterprise Rd, Chilworth, Southampton Science Park, Southampton SO16 7NS. A company registered in England and Wales with company number 07257316.

This privacy and cookie policy ("Policy") describes how Device Access UK Ltd ("Company," "we," and "our") collects, uses and shares personal data when you use this website, https://www.deviceaccesseurope.com (the "Site"), or when we have obtained it from a third party such as NHS Digital. Please read the following information carefully to understand our views and practices regarding your personal data and how we will treat it.

We encourage you to read the Privacy Policy in full. However, to summarise:

  • we will always use your data within the law
  • we will never sell your personal identifiable data
  • we will always respect your wishes about how you would like to be contacted

Updates to this Privacy Policy

We will post any modifications or changes to the Policy on our Site. We reserve the right to modify the Policy at any time, so we encourage you to review it frequently. The “Last Updated” legend above indicates when this Policy was last changed. If we make any material change(s) to the Policy, we will post a notice on our Site prior to such change(s) taking effect. In the event that such a change could materially affect your privacy, you will be notified without delay by appropriate means.

How to contact us

If you want to request information about our privacy policy you can email us at compliance@deviceaccess.co.uk or write to:

Device Access UK Ltd,
Kenneth Dibben House,
Enterprise Rd,
Chilworth,
Southampton Science Park,
Southampton
SO16 7NS

How we use your information

This privacy notice tells you what to expect when Device Access collects personal information. It applies to information we collect about:

Visitors to our websites

When someone visits this site we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Storage of Your IP address

We store the IP address transmitted by your web browser for a period of seven (7) days, strictly for the purpose of identifying, restricting and eliminating attacks on our website. After seven (7) days, we delete or anonymize your IP address. The legal basis for the processing of this personal data is provided for in Art. 6 para. 1 s. 1 lit. f GDPR.

Usage Data

When you visit our website, the data collected from the use of the website is temporarily stored on our web server for statistical purposes in the legitimate interest to improve the quality of our website. The legal basis for the processing of this personal data is provided for in Art. 6 para. 1 s. 1 lit. f GDPR. This data set contains:

  • the IP address of the requesting computer, shortened to such an extent that no reidentification of any personal data is possible,
  • the name of the data file,
  • the date and time of the query,
  • the amount of data transferred,
  • the page from which the data is requested,
  • the access status (file transmitted, file not found),
  • a description of the type of browser and operating system used (e.g. browser language, image resolution, type of browser, plugins).

The listed usage data is stored anonymously.

People who email us

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Your rights

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), you have rights as an individual that you can exercise in relation to the information we hold about you.

Access to personal information

Device Access tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to Device Access for any personal information we may hold, you need to put the request in writing to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes.

Disclosure of personal information

In most circumstances we will not disclose personal data without consent. The exceptions to this are:

  • circumstances where we can pass on personal data without consent, for example to prevent and detect crime and to produce anonymised statistics;
  • our instructions to staff on how to collect, use and delete personal data; and
  • how we check that the information we hold is accurate and up to date.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Your rights

You have the right to:

Access the personal data which the Company holds about you. This is called a Subject Access Request (SAR) and can be made by calling us or in writing via email or at the address as provided in the "How to contact us" section.

You may use this process to exercise your right to:

  • Have your personal data rectified if it is inaccurate or incomplete.
  • Request that we erase information we hold about you.
  • Restrict the processing of your personal data, for example ask us not to contact you.
  • Object to the processing of your data for specific purposes such as communications or direct marketing.
  • Ask for the transfer of your data electronically to be provided to a third party (data portability).

NHS Digital Hospital Episode Statistics (HES) data

DAUK is the Data Controller and a Data Processor of NHS Hospital Episode Statistics (HES) data provided under a formal Data Sharing Agreement with NHS Digital.

Hospital Episode Statistics (HES) is a data warehouse containing details of all admissions, outpatient appointments and A and E attendances at NHS hospitals in England. See NHS Digital and DARS for further details.

Lawful basis for processing

We receive and process this data as a result of the Data Sharing Agreement with NHS Digital and our legitimate interest in conducting scientific and statistical research in order to enable medical device providers to achieve NICE approvals and accreditation and subsequent NHS Adoption, and thus positively impact patients, hospitals and the NHS.

This is covered under GDPR, the most appropriate lawful basis for processing under Article 6 being "Legitimate interest", coupled with the Article 9 condition, Article 9(2)(j), following a formal assessment to ensure that this meets the purpose, necessity and balancing test criteria.

The preparation and delivery of the bespoke anonymised, aggregated dataset to any medical device manufacturer is only processed following a formal approval process to ensure it meets the purpose, necessity and balancing test criteria for each particular recipient.

The NHS HES data we receive is pseudonymised special category "health data" and non-identifiable, which means individuals cannot be identified from the data.

We never give direct access to unprocessed NHS HES data to any third parties. We do aggregate and anonymise the data at appropriate levels in accordance with the NHS Digital HES Analysis Guide Methodology to provide insight and build analytical models into bespoke data sets. These are provided to medical device manufacturers following a formal external approval process to ensure the requirements for purpose and benefit are met.

Benefits

We have been able to identify where new technologies could replace the current standard of care and show significant benefits to patients, providers of care, and payers of care. This has been the foundation of the success in over 27 NICE evaluations since 2010.

Retention period

The HES data sets containing the pseudonymised data are retained for four (4) years, after which they are securely destroyed. These data sets are downloaded, stored and processed securely in conformance with the NHS Digital Toolkit requirements and the Data Sharing Agreement conditions.

Opt-out from NHS HES data

DAUK only has access to pseudonymised NHS HES data for the past four years and cannot remove individuals from the datasets.

Should you wish to request that your data is removed from future datasets, then please visit NHS Digital Opting Out Choices for more information about how to opt out of your data being shared.

You also have the right to lodge a complaint with the Information Commissioner’s Office:

Address: Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 (local rate)
Website: https://ico.org.uk/global/contact-us/

Contact us