
Minuteful Kidney - Privacy notice

Last updated: November 16, 2022

Who is Healthy.io?

This document describes how Healthy.io (UK) Limited (“Healthy”, “Healthy.io”, “we”, “our” or “us”), a company registered in the UK with Companies House registration number 10996079 and registered with the Information Commissioner’s Office (“ICO”) under Data Protection registration reference ZA289700, uses your personal data to support your GP Practice with the Minuteful™ Kidney service.

This service has been approved by the NHS to support your GP Practice with routine testing of patients. Furthermore, the Integrated Care Board (previously Clinical Commissioning Group) for your area has completed their due diligence of the Healthy.io service before the service is rolled out by your GP Practice to patients.

What is Minuteful™ Kidney and how does the service work?

Healthy.io makes albumin to creatinine ratio (“ACR”) testing easier and more convenient, by allowing you to test from home using a smartphone app called Minuteful™ Kidney. An ACR test is part of your health care review if you have chronic kidney disease (CKD) or are at risk of CKD (for example diabetes or hypertension). The test looks for particles of protein in your urine called albumin.

Your GP Practice is collaborating with Healthy.io because doing a Minuteful™ Kidney ACR test allows your doctor to identify and monitor the presence of albumin, which may suggest the first signs of CKD.

Your GP practice will identify patients that have not completed their annual ACR test. Once eligible patients are identified by your GP Practice, to support patient choice in how their treatment is provided, a courtesy text message or letter is sent to the patient which notifies patients about the service and informs them they have the opportunity to opt out of the service.

The SMS or letter may be sent by your GP Practice or Healthy.io depending on the terms of the service between your GP Practice and us. This gives you an opportunity to decide whether you would like to receive a urine test at home or would prefer to continue visiting your practice for your test.

You have the right to object to processing and opt out of the service. If you would like to object or opt out, you can contact your GP Practice. If you make this request after the service is live, you can contact your GP Practice who will forward your request to us to action, or you can call our customer service team on 020 7183 7939 or email [email protected] and we will be happy to answer any questions and support you.

As part of the Healthy.io service, which is to provide direct care, the Practice will securely share the minimum amount of personal data with Healthy.io’s onboarding team. We will then send out your kit, which has been designed to fit through a letter box. To assist you with the test we may contact you either by text message or by phone call.

Once you have received the ACR test kit, you will then need to download the Minuteful™ Kidney app from the Apple App Store or Google Play Store on your smartphone. Once downloaded, you will be able to run the test independently guided by Emily, our in-app nurse.

Patients are not required to create an account to access the Minuteful™ Kidney app. The app is downloaded and linked by the mobile phone number. At the end of the analysis, your test results are displayed and explained to you and automatically shared securely to your GP Practice’s electronic patient record system.

You can view the results in the app after the test is completed, and you have the option to secure access to your results using a PIN code.

Who is the Data Controller?

A ‘Data Controller’ determines the purposes for which and the means by which personal data is processed. A Data Processor carries out tasks on behalf of a Data Controller.

For the purposes of this processing, which is to support your GP Practice in providing you with direct care:

  • Your GP Practice is the Data Controller and

  • Healthy.io is the Data Processor.

In line with UK Data Protection Legislation, responsibility for providing transparency information, such as a Privacy Notice, is with the Data Controller. Please refer to your GP Practice’s Privacy Notice for further information.

Healthy.io is registered with the ICO; our Data Protection registration reference is ZA289700.

Before any personal data is shared with us by your GP Practice, we ensure that a signed Data Processing Agreement (“DPA”) is in place. A DPA is a legally binding document to be entered into between the Controller and the Processor that regulates the scope and purpose of processing, as well as the relationship between the Controller and the Processor.

What is the purpose and lawful basis for processing my personal data?

Please see below an outline of the personal data processed, purpose and lawful basis for processing.

What personal data items are processed?

  • To provide you with the service, your GP Practice shares the minimum amount of personal data with us: Registered GP name, NHS number, main spoken language, gender, first name, last name, date of birth, email address, home phone number, mobile phone number, address, ethnicity[1], diabetes type, CKD diagnosis and stage, date and value of last ACR test.

  • When you complete the test on your phone the following data is also processed: test date, test result, smartphone information (carrier, operating system, device, model, app version, city), app information (IP address)[2].

Is special category data processed?

  • Special category data is personal data that needs more protection because it is sensitive; for example, health data is categorised as special category data. As part of this service, the following special category data are processed: ethnicity, diabetes type, CKD diagnosis and stage, date and value of last ACR test, test result.

What is the purpose of the processing?

  • To support the provision of direct care by completing an ACR test.

What is the lawful basis under the UK General Data Protection Regulation (GDPR)?

  • Personal data: Article 6, 1 (e) public task.

  • Special category data: Article 9, 2 (h) Health or social care.

What is the lawful basis under the Data Protection Act 2018?

  • Schedule 1, Part 1: (2) Health or social care purposes.

How does this personal data sharing comply with the Common Law Duty of Confidentiality (CLDC)?

  • The CLDC is satisfied as your Practice will share your personal data with us for the purpose of direct care.

  • It should be noted that when personal data is shared for the purpose of direct care, consent is not required; therefore your GP Practice does not need to ask for your consent for the data processing. However, you will be informed about the service with a text message or letter which will inform you that you can opt out from this service should you choose to do so.

How do you obtain my personal data and for how long is it retained?

We obtain the minimum amount of data from your GP Practice, which shares your data with us in order for us to be able to provide the service. Only Healthy.io staff members in authorised roles will have access to your data.

The table below shows the data items processed, how they are obtained and retention information.

Data set one

Data items processed for this service

  • Registered GP name, NHS number, Main spoken language, Gender, First name, Last name, Date of Birth, Email address, Home phone number, Mobile phone number, Address, Ethnicity, Diabetes type, CKD diagnosis and stage, Date and value of last ACR test.

How do we obtain your personal data?

  • These data items are shared securely with us directly by your GP Practice (usually the Practice Lead) from their electronic health record.

What happens to your data at the end of the retention period?

  • Personal data is deleted.

Data set two

Data items processed for this service

  • Smartphone information (carrier, OS, device, model, app version, city), Test date, Test result

How do we obtain your personal data?

  • Smartphone information is obtained when you complete the ACR test using the smartphone app. When you complete your test on the Minuteful™ Kidney app, this data is shared securely to your GP Practice electronic patient record.

  • Test date and test result are obtained when you complete the ACR test using the smartphone app. When you complete your test on the Minuteful™ Kidney app, this data is shared securely to your GP Practice electronic patient record.

What happens to your data at the end of the retention period?

  • Personal data is anonymised. When the personal data items referenced in data set one have been deleted, the data items referenced in data set two are anonymous as they cannot be linked to an individual directly or indirectly.

Data set three

Data items processed for this service

  • App information (IP Address)

How do we obtain your personal data?

  • The IP Address is obtained by us from the Minuteful™ Kidney app when you complete the ACR test.

What happens to your data at the end of the retention period?

  • The IP address is retained on a separate database for forensic and information security purposes and deleted after 12 months.

We will retain your personal data in line with our Data Retention Policy, which means that we retain your data for the duration of the contract with your GP Practice. If required by law, we will keep your data for the minimum time required under the applicable law.

When personal data is no longer required, we delete or anonymise data in line with Data Protection Legislation and appropriate industry guidance.

Will you share my personal data with other organisations for purposes other than direct care?

When your GP Practice shares your data with us, we will only use your personal data to provide direct care to you. We will never share your personal information with any third parties for other purposes, such as companies that conduct direct marketing.

A ‘Sub-processor’ is a trusted third-party data processor engaged by Healthy.io who has access to personal data. We use third-party Sub-processors to provide elements of services (such as data hosting). We have contracts in place with Sub-processors which ensure appropriate use of your data.

In some circumstances we are legally obliged to share information. If we do need to share personal data with other organisations, we do this in line with the Data Protection Act 2018, the UK GDPR and relevant legislation or court order and we share the minimum amount of information required.

Is my personal data processed outside the UK?

We (or Sub-processors acting on our behalf) may store or process limited data about you in countries outside the UK. Most of the data processing is carried out in the UK or the EEA. However, in order for us to provide you with our service, a limited amount of personal data may be processed outside the UK and the EEA.

Where data is processed outside of the UK or EEA, we will take the required steps to ensure that your personal data is protected to the standard, and using the data transfer mechanisms, required by UK Data Protection Law.

How is my personal data protected?

In order to protect your personal data, we and our Sub-processors use all reasonable industry-standard physical, procedural and electronic security measures (such as access control, secure servers, firewalls, internal policies, encryption, database backup etc.). We cannot and do not guarantee the absolute safety of any Personal Data stored with us or with any third-party.

We are committed to complying with information security industry standards such as:

  • Data Security and Protection Toolkit (DSPT): Reference

  • ISO 27001:2013 Information Security Management System (ISMS)

  • ISO 22301:2019 Business Continuity Management System (BCMS)

  • ISO 13485:2016 Medical devices - Quality management systems - Requirements for regulatory purposes

  • Cyber Essentials

You can find more information about our information security practices on the Trust Centre webpage of our website.

What are my data rights, and can I object to you processing my personal data?

Individual rights requests are the responsibility of your GP Practice. Any individual rights requests that are made directly to Healthy.io will be reported to your GP Practice for your GP Practice to process and confirm actions required to be taken by Healthy.io. This process is in place as we can only act under the instruction of your Practice to process your data.

You have the right to object to processing and opt out of the service. If you would like to object, you can contact your GP Practice. If you make this request after the service is live, you can contact your GP Practice who will forward your request to us to action, or you can call our customer service team on 020 7183 7939 or email [email protected] and we will be happy to answer any questions and support you.

Who can I contact if I have any questions or queries?

As we can only act under the instruction of your GP Practice to process your data, if you have any questions or queries about how your data is used, please contact your GP Practice.

How can you make a complaint?

As we can only act under the instruction of your GP Practice to process your data, if you have any questions or queries about how your data is used, please contact your GP Practice.

You have a right to make a complaint if you are unhappy about how your personal data is processed.

Please note that the ICO will not normally consider an appeal until you have exhausted your rights of complaint. Please see the ICO website (link below) for further advice.

If you remain dissatisfied, you may wish to contact the ICO:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

  • Telephone: 0303 123 1113

Copyright © 2022, Healthy.io LTD. All rights reserved.

Citations and Footnotes
  1. We only collect this data if instructed to by your GP Practice. The reason your GP Practice may ask us to collect ethnicity is to support your GP Practice to demonstrate equity of access to health care when providing direct care.

  2. Smartphone information, including IP address, is processed for operational purposes, including troubleshooting, maintenance, support, and information security purposes.