DialysisAway Privacy Information

For Patients

This document sets out what personal data we collect and use in delivering our services. This document relates to the personal data collected, obtained and used via the DialysisAway platform.

Who we are

  • We are Medicalisys Ltd (Company number 12186141) and we created the DialysisAway platform to help dialysis centres to coordinate the information required in order to enable dialysis patients to access treatment while travelling away from their base centres.
  • Our registered office is: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. We are registered as a data controller with the Information Commissioner’s Office and our registration number is ZB027157.

What personal data we collect

To allow you to register and interact with the platform for the purposes of arranging dialysis away from base, you will need to provide some of the below categories of information, at registration and/or during the process (depending on your location and healthcare arrangements):

 

  • Name
  • Email address
  • Username
  • Mobile phone number
  • Nationality
  • Date of birth
  • Home address
  • Language(s) spoken
  • EHIC/GHIC card
  • NHS number (National Patient Record Number)
  • Next of kin (name and contact details)
  • Companion (name and contact details)
  • Home clinic
  • Destination clinic
  • Dates of planned treatment
  • Funding source
  • Insurance details

Personal data obtained from third parties

To book a trip via DialysisAway, the receiving clinic will require a certain amount of medical information prior to the trip being accepted. This information is exchanged directly between your home clinic and the receiving clinic via DialysisAway. In addition to your basic personal data (listed above), this will include:

 

  • Results of blood tests and swabs
  • Dialysis history
  • Details of dialysis prescription
  • Medication chart
  • Any further medical or other information relevant to treatment including, but not limited to, information provided by your doctor

How your personal data is used

  • To register new users
  • To provide support to users
  • To record your communication preferences
  • To allow users to search for destination clinics within our database
  • To allow users to place enquiries and confirm trips
  • To allow clinics to exchange information relating to the provision of medical treatment
  • To allow you to communicate directly with clinics and their staff via DialysisAway
  • To deactivate users

 

We also use information about how users interact with DialysisAway to analyse and improve the platform and to enable centre operators registered with the platform to derive activity reports and trends. We act as a controller for this purpose. This information will be used at an aggregated level wherever possible.

Who do we share your personal data with

Other than the relevant clinics who will have access to your personal data via DialysisAway, we also use some third parties to deliver our service, as below:  

| Provider | Purpose | Location |
|---|---|---|
| Stripe | To enable direct payments to be taken | UK |
| Amazon Web Services (AWS) | IT hosting | Germany |
| Twilio | Two-factor authentication | USA |

In the event of a medical emergency, it may be necessary for a clinic to disclose your personal data to a third party (such as emergency services or your listed next of kin) to protect your vital interests.

 

We may also be required to comply with a request or legal order to disclose personal data to a third party, for example in relation to a police investigation or insurance claim.

Lawful basis

Under data protection law, we have to identify relevant lawful bases for our use of your personal data, as set out below:

 

| Lawful basis | Purpose |
|---|---|
| Performance of a contract | Where the collection or exchange of personal data is necessary for a trip to be booked (in line with our Terms and Conditions) |
| Vital interests | Where it may be necessary to use or disclose your personal data in a medical emergency |
| Legitimate interests | In meeting our legal obligations under financial, health and safety and employment laws (among others) |
| Legal obligation | In meeting our legal obligations under financial, health and safety and employment laws (among others). |
| Provision of health care or treatment (additional basis required for health-related information) | Where medical information is required to be submitted or exchanged to allow a trip to be booked and treatment to be administered. |

How long do we keep your personal data

As your home and destination clinics are the data controllers for the information concerned, they will define the retention periods for information based on their requirements or local regulation. You should also consult their privacy information for information about separate retention of information.

 

DialysisAway will retain some information relating to hospitalisations as a result of dialysis and non-attendees for treatment for analysis purposes.

Your rights

Under data protection legislation, you have a number of rights in relation to your personal data, as below:

 

  • The right of access (obtaining a copy of your data)
  • The right to rectification (correcting your data)
  • The right to erasure (deleting your data)
  • The right to restrict processing (to stop use of your data for a time-limited period)
  • The right to data portability (to move your data to another organisation)
  • The right to object (to object to our use of your data)
  • Rights in relation to automated decision making and profiling (to know if and how we use any technology to make decisions about you)

 

There are some limited exemptions to these rights, so they may not apply in every scenario. For further information on these rights, please see the Information Commissioner’s Office (ICO) website.

 

If you wish to make a request in relation to any of these rights, please contact us at: [email protected] or at Medicalisys Ltd, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.  Where we act as a processor or as a sub-processor on behalf of our customers, we will pass any requests to the customer to respond to (in their capacity as a controller).

International transfers of personal data

DialysisAway is created by a company (Medicalisys Ltd) based in the UK and therefore subject to the UK GDPR and related data protection legislation.

 

Depending on where you are located and travelling to, the exchange of information between clinics may mean that personal data is accessible in countries with standards that are not equivalent to the UK (or EU) GDPR.

 

Where this is the case, you agree for such transfers to take place in line with UK/EU GDPR Article 49(1)(b) and (c), where the transfer of personal data is necessary for the performance and conclusion of a contract between you and the clinics/Medicalisys, i.e. for trips to be arranged in line with the terms you have accepted.

Information security

We have information security measures in place to reduce the risk of unauthorised access to, misuse or loss of personal data. These include:

  • We hold both the DSP Toolkit assurance (NHS ODS code O4S4B) and the Cyber Essentials certification.
  • All access to information is restricted by the use of a login and password for each user, including two-factor authentication (2FA) requiring a one-time code to be entered (sent by text to the user’s phone).
  • All data stored in the cloud is encrypted at rest.
  • Data is encrypted in transit.
  • Auto-logout when a user remains inactive for a period of time.
  • Contracts in place with our suppliers covering data protection and information security.
  • Regular testing and review of our security measures.
  • Staff policies and training.

All data is stored in the EU. We use Amazon Web Services (AWS) as our main hosting provider.  AWS holds ISO27001 certification (among others), as set out at: https://aws.amazon.com/compliance/iso-certified/

More general information on AWS security measures is available at: https://aws.amazon.com/products/security/?nc=sn&loc=2

Queries or complaints

In the first instance, we would hope to resolve any queries or concerns you have in an informal way, if you contact us at: [email protected] and/or at Medicalisys Ltd, 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

 

If you are not satisfied with our response, you also have a right to complain to the Information Commissioner’s Office (ICO) as the regulator of data protection. For further information, please see: https://ico.org.uk/make-a-complaint/