Privacy Policy


1. Introduction

Privacy and information governance are the backbone of the software services LungHealth Limited (“LungHealth”) provides, and are of particular importance in healthcare.

This is an all-embracing Privacy Policy which applies to all LungHealth’s decision support software platforms.

This Privacy Policy explains how we handle personal information about our users in healthcare organisations, and how we handle personal information about their patients.

LungHealth operates a specialised platform that is used to manage communications and information in health care and social care systems, with the potential of linking the information across multiple health care or social care organisations. Typically, we are data processors for the health care or social care organisation based on our data processing agreement.

This policy applies to our software and services. We’ve tried to make it easy to read, but if you do find anything unclear, please get in touch.

Who are we?

Our full company name is LungHealth Limited and our:

  • Office is at 33 Turbine Way Ecotech Business Park Swaffham Norfolk PE37 7XD

  • Company Registration Number is: 06442837

  • ICO Registration Number: ZA119271

  • NHS Data Security and Protection Toolkit Organisation Code is 86K53

  • Our Data Protection Officer is Louise Dowie, LungHealth Ltd.

You can contact our DPO: customersupport@lunghealth.co.uk or IG-Smart Ltd via email dpo@ig-smart.com or by phone (+44) (0) 20 7167 4268.

What we do

LungHealth provides decision support software platforms, covering a variety of medical conditions, which assist Healthcare Professionals using the software to deliver a structured review, in line with the most up-to-date guidelines, to ensure that patients receive the best possible treatment for their condition. LungHealth software (which for the purpose of this document includes Cardio LungHealth) may be purchased directly by NHS organisations or made possible by funding received from pharmaceutical companies in line with the ABPI Code of Practice.

LungHealth has no affiliation to any one pharmaceutical company, nor shall it promote any pharmaceutical company’s products in the provision of its service.

Decisions regarding the treatment of the user’s patients, or other non-medicinal intervention, are made by the Healthcare Professional responsible for delivering their patient’s care.

2. What personally identifiable information do we collect about you, how and why?

As a healthcare professional

Healthcare professionals can create a LungHealth account. 

When you do so, we collect the following information about you, and link it to a unique identifier in our system:

  • Name

  • Email address

Through the use of our LungHealth software platforms, the following information will be collected from you when required: 

  • Affiliated organisation

  • Job role

  • The content of communications with, or about, patients sent via LungHealth

  • Data about the way you have used LungHealth software, such as the functions you’ve used, and the devices and software you used to connect to LungHealth

  • Contact phone number

Collection of this data allows LungHealth to provide clear audit trails to improve the software and maintain the clinical safety of our products and services. LungHealth also uses it to monitor the functioning of the software and to prevent fraud, cyber attacks and other dishonest behaviour.

LungHealth will collect this data to provide you with software services that your organisation/practice has agreed for us to provide to them, as governed by our Terms and Conditions and any contractual relationship we have in place with them. 

We may also rely on legitimate interests as a lawful basis to use your contact details to tell you about other relevant solutions that we have built that we think your organisation may be interested in, subject to your right to object to direct marketing.

As a patient whose healthcare providers use LungHealth software

Depending on the software services used by your provider, the information we handle on their behalf will vary. We only collect the minimum data set required during your consultation for the sole purpose of delivering a guideline level review, for the condition for which you are receiving your LungHealth review i.e. COPD, asthma or sleep related conditions. At a minimum, when our software is first used in relation to any communication about you, we will safely store and use the following information about you:

  • Name

  • General Identifier/NHS number

  • Age/Date of Birth

  • Full address/Post code

  • Marital status/Family/Lifestyle/Social circumstance

  • Employment/Career history

  • Various clinical codes and indicators related to the condition for which LungHealth software is being used to conduct your review. (e.g., Date Of Asthma or COPD Diagnosis, Date of Day & Time of Asthma or COPD Symptoms, Date of Emergency Hospital Admission, duration of breathlessness etc.) For the avoidance of doubt LungHealth does not collect medical information which is not relevant to your LungHealth review or presenting symptoms.

  • Physical and/or Mental Health Data

  • Gender (self-declared or observed)

  • Dates you have/have not attended appointments

  • Details about your weight

  • Whether you are a smoker or non-smoker

We use the following contact information when healthcare professionals communicate with you using our software:

  • Mobile phone number

  • Other contact phone numbers (if applicable)

  • Email address

  • IP address

  • General Wellness Data

  • Other (medical information related to your condition and/or observational data captured during the LungHealth consultation)

We use this information to enable your healthcare provider to communicate with you, either through SMS and email messages sent on our platform, or for them to call you.

We safely collect, store and transmit communications and documents sent to you, or received from you through LungHealth software for healthcare organisations. These communications and documents may include:

  • messages from these healthcare providers (e.g. your GP)

  • communications you have sent back to healthcare professionals after they asked you, including survey responses, images or information about appointments with their service

  • clinical records of your treatment created by professionals using our software

  • links to secure meeting rooms for video consultations

  • information about the devices and software you use to connect to our services.

When explicitly instructed by your GP (Data Controller), we may use information from clinical records in other systems to which your healthcare provider has access e.g., NHS Digital Personal Demographics Service (PDS). We do this in order to make those records available to your provider or to other professionals involved in your care. 

Most of the personal information we process is provided to us directly by you or is accessed through your clinical record. All processing undertaken will be fully compliant with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. 

3. How the LungHealth software works

As a patient, when your healthcare professional/organisation uses our software within their practice, hospital or community hub, they provide us with information they hold about you so a Respiratory Nurse Advisor (RNA) or other appropriately qualified healthcare professional from National Services for Health Improvement (NSHI) is given access to the general practitioners’ (GP) system and can conduct an initial audit at practice level. This is achieved by, for example, running a respiratory audit (or other clinical audit) using the GP clinical system for all patients with an existing diagnosis of COPD and/or asthma or another specified condition. The output of this will be used to inform a discussion with the GP Lead to prioritise patients for review by the RNA or other appropriate individual. Alternatively, practices may provide NSHI nurses with a list of patients who the practice has identified may benefit from a LungHealth Review e.g. COPD/asthma/breathless patients. The LungHealth review may be conducted by NSHI staff or alternatively by a practice nurse/GP following suitable training as outlined in a service level agreement between LungHealth/NSHI and the healthcare organisation. In relation to our LungHealth Sleep product, patients invited for a review will undergo reviews by individuals within the Health Organisation acting on their behalf. Patient reviews may be conducted by either NSHI nurses and/or healthcare organisation staff (GP, Consultant) in line with the applicable service level agreement.

The GP Practice/Healthcare organisation can then invite the selected patients to a review with the nurse/appropriate healthcare professional. This will be via letter or SMS message to the patient. Reviews can be provided within the practice/hospital (where this is currently possible based on national guidance for COVID-19) or remotely. If carried out remotely (which is optional), the nurse would utilise the video conferencing software 8x8 or the practice’s/hospital’s own video consultation platform.

Reviews will use LungHealth Clinical Decision Support Software (www.lunghealth.co.uk) to support clinical review based on national guidance (National Institute for Health and Clinical Excellence and Respiratory Guideline – Global GOLD, for COPD, British Thoracic Society (BTS)/Scottish Intercollegiate Guidelines Network (SIGN) for Asthma and the American Academy of Sleep Medicine/NICE for Sleep).

This requires (special category) patient data to be transferred from the GP system onto the LungHealth system; the software reads and writes back READ coded information to and from the GP computer system using relevant disease-specific codes. In relation to Sleep, this data is entered onto a sleep database hosted on a secure server by ARO or by the healthcare organisation to which LungHealth have licensed the software.

The software supports history taking, relevant to the disease condition and provides prompts to consider guidelines-based treatment interventions, together with providing the user with medical alerts. A one-year licence may be provided free of charge to the practice, if the licence has been sponsored by a pharmaceutical company, however renewal of this licence is negotiable between the practice through a separate agreement with LungHealth. All consultations and READ codes related to QOF resulting from the LungHealth Reviews are written back into the GP clinical system and the hospital management system in relation to Sleep.

READ codes generated as a result of the patient consultation are extracted from the LungHealth guided consultation programme and written back to the clinical system using EMIS/SystmOne approved extension middleware for COPD and Asthma Consultations.

If service delivery requires a patient audit to be undertaken in line with a service level agreement, patient information from the practice audits is stated to be held on the Health and Social Care Network (HSCN) server. The server is hosted on behalf of NSHI by Harvey Walsh who are part of OpenHealth Limited. This will enable NSHI Nurse Advisors to generate a fully automated report at the end of the service detailing all service activity.

LungHealth also has the ability to provide dashboard level reports of its activity, at practice, PCN, ICB, Healthboard and National level, approval for which is contained within the relevant service level agreement between LungHealth and user organisations.

Harvey Walsh is part of Open Health, and NSHI states that they are annually audited and hold ISO 27001, NHS IG Toolkit and Cyber Security Essentials.

We only ever act on your Healthcare Professional’s instructions and in line with our data processing agreement with them. The data processing agreement is signed by participating practices prior to service commencement.

LungHealth software may be used in walk-in centres for health screening as part of wider public health initiatives e.g. to detect patients with undiagnosed breathlessness. In this context, LungHealth will collect data within individual patient consent and may or may not link to patients’ clinical records on GP computer systems. With the explicit consent of attending patients, details of the LungHealth review and any investigations undertaken are collated and passed back to the patient’s GP for their consideration and to consider whether the patient requires any further investigations or interventions as a result of the findings. Data passed back to the GP may be a letter by post or secure and encrypted e-mail, in line with the service level agreement agreed with the participating healthcare organisation.

4. What is the legal basis for processing this data?

For the patient

4.1 LungHealth always acts as a data processor in relation to patients’ data that providers share with LungHealth through the use of its software services; however, some of the legal bases we may rely on include:

a) Necessity for the performance of a contract between your Healthcare Professional (e.g. your GP practice) and LungHealth Ltd., to identify whether you would benefit from undergoing a review

b) Necessity for the provision of health or social care or treatment or the management of health or social care systems and services on the basis of UK law or pursuant to a contract with a Healthcare Professional and subject to conditions (e.g. we will only use the minimum amount of information that is required to review that specific condition) and safeguards (e.g. we will keep your data secure at rest and in transit and restrict access to it on a need to know basis).

Under data protection law, you have rights we need to make you aware of:

The rights available to you depend on our reason for processing your information.

Your right of access:

You have the right to ask for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification:

You have the right to ask to rectify information you think is inaccurate. You also have the right to ask for information to be completed if you think it is incomplete. This right always applies.

Your right to erasure:

You have the right to ask for erasure of your personal information in certain circumstances.

Your right to restriction of processing:

You have the right to ask to restrict the processing of your information in certain circumstances.

Your right to object to processing:

You have the right to object to your personal data being processed, and we will respect your objection unless there is a clear lawful basis for continuing to process your data (e.g., if LungHealth Ltd. is subject to a legal obligation).

Your right to data portability:

This only applies to information you have given. You have the right to ask for the transfer of information you gave from one organisation to another or to give it to you. The right only applies if processing information is based on your consent or under, or in talks about entering into a contract and the processing is automated.

Because LungHealth Ltd. does not control or retain any of your personal data you should contact your Healthcare Professional (who is the data controller) directly to raise any queries (for example about the accuracy of your data) and exercise your rights (including the right to access, rectification, and erasure). You are not required to pay any charge for exercising your rights. The Healthcare Professional / Clinician has one month to respond to you.

c) To access full medical records and any information provided to us about a patient’s health, the user requires their patient’s consent. The patient also has the right to withdraw their consent at any time.

For the Healthcare Professional

4.2 Healthcare providers’ lawful basis for processing patient data using LungHealth services is expected to be:

  • Article 6(1)(e) – ‘...exercise of official authority…’;

For their processing of special categories (health) data using LungHealth services, the conditions are expected to be:

  • 9(2)(a) – ‘…explicit consent…’;

  • 9(2)(h) – ‘…health or social care…’; and

  • 9(2)(i) – ‘…public health purposes…’.

For processing special categories (ethnicity) data using LungHealth services, the conditions are expected to be:

  • 9(2)(h) – ‘…health or social care…’; and

  • 9(2)(b) – ‘…social protection law…’ (for monitoring equality of access)

Anyone using LungHealth for purposes beyond those set out above is likely to be misusing the software and in breach of the terms and conditions. Any misuse of the software must be immediately reported to LungHealth.

Our other legal bases for processing personal data where we are data controllers are to perform our contract to provide a service, when the contract is with you (GDPR Art. 6(1)(b)), or our legitimate interests, provided they are not overridden by your individual interests, rights and freedoms surrounding data protection (GDPR Art. 6(1)(f)).

5. Prohibition on children’s access

LungHealth is not to be used or accessed by a child (e.g. if a computer is left unattended in a GP practice surgery).

6. Direct Marketing & Consent

LungHealth only conducts direct marketing activities when it has a legitimate interest to do so (e.g. communicating with existing clients or prospective clients that have expressed an interest in our products). We do not therefore rely upon consent for direct marketing purposes. 

6.1 Right to opt out
If ever it is necessary to obtain consent from you for marketing (or other) purposes, we will ensure that it is freely given, specific, informed and unambiguous – and will respect your right to opt out. 

6.2 Notification Settings

LungHealth users do not have to manage their own notification settings. We do not use any notifications in the browser. All communications which the user receives are clinically relevant. This app is designed to support non-specialists in delivering guideline level care. It is therefore inappropriate to disable communications.

7. Automated decision making & profiling

You have a right to object to automated decision making or profiling in a manner which produces legal effects concerning you or similarly significantly affects you; however, we do not conduct automated decision making or profiling in such a manner. Our solution provides recommendations; however, Healthcare Professionals make the ultimate decision in terms of management.

8. Do we share this data with third parties?

Personal data will only be shared with third parties (i.e. any party other than the GP) if required to do so by law. Personal data is not shared with any third parties for direct marketing purposes.  LungHealth may however contract third party data processors that provide solutions and services that enable us to meet your care needs. They include but are not limited to: -

 There are GDPR and Data Protection Act 2018 compliant contracts in place with data processors that state that processors will not share any personal information with any organisation apart from LungHealth/NSHI. 

Access to patient information and consultations by individuals has to be sought from the Managing Director of NSHI, though the reasons for granting access have to be made clear. NSHI may provide LungHealth with the Respiratory Nurse Advisors to deliver LungHealth reviews for practices and is subject to a separate tri-partite agreement between LungHealth, NSHI and the practice/healthcare organisation.

8.1 Preference for sharing data with other connected apps/other users in-app

There are no other connected apps with which LungHealth shares data. As the data stored within the app relates to a patient’s health record, the app permits the sharing of the patient record with any other user authorised by the practice to deliver care to the patient.

9. How long do we retain data for?

Client data retention

We retain the data pertaining to our clients (namely healthcare organisations/professionals) that are actually or potentially involved in purchasing our services for as long as necessary for the purpose of providing the service, to pursue a sales transaction, or to market our services, subject to their right to object or not to be subject to direct marketing. You may also contact us at: info@lunghealth.co.uk to request that we delete the data that we hold about you.

Patient data retention

Patient data are generally kept in line with the Records Management Code of Practice for Health and Social Care 2016. However, we would delete the data earlier than suggested by this code if we are informed that the condition of Article 9(3) GDPR and s. 11(1) Data Protection Act 2018 no longer applies.

LungHealth will however maintain anonymised data indefinitely.

10. How do we keep your data secure?

LungHealth Ltd. has appropriate organisational and technological controls in place to secure your data, which include (but are by no means limited to) encrypting data at rest to the AES 256 bit standard, and in transit using TLS v1.2, as a minimum, complying with the NHS Data Security & Protection Toolkit (86K653), and maintaining Cyber Essentials Certification.

Any patient identifiable data, as outlined in section 2 of this document, is stored in the ARO Tech Health Cloud, situated within the Health and Social Care Network (HSCN) or equivalent equally secure and accredited environments utilised by the NHS for storing patient data e.g. Azure or AWS. Alternatively, it is stored on a secure server by the NHS organisation that has purchased the LungHealth software directly e.g., this may be a hospital. Each NHS Organisation or hospital we work with is compliant with the NHS Data Security & Protection Toolkit.

The Health and Social Care Network (HSCN) provides a reliable, secure, efficient, and flexible way for health and care organisations to access and exchange electronic information. For more information, please visit https://digital.nhs.uk/services/health-and-social-care-network 

AIMES, part of ARO Tech, is an ISO 27001 accredited, industry-leading commercial data centre service provider, with a head office based in the North West of England: https://aro.tech/solutions/data-centre-services/

11. Data destruction 

All personal data will be securely destroyed when no longer required to at least the BSEN 15713 standard. Certificates of destruction will also be maintained.

12. How to contact us?

If you have questions or concerns about privacy, or wish to exercise rights you have in relation to personal data we process about you, you may contact us through the following:

LungHealth Ltd., 33 Turbine Way Ecotech Business Park Swaffham Norfolk PE37 7XD 

info@lunghealth.co.uk 

Our Data Protection Officer: Mrs Louise Dowie, LungHealth Ltd.

customersupport@lunghealth.co.uk

IG-Smart Ltd dpo@ig-smart.com 

We will confirm receipt of your question/concern within 48 working hours of receiving it and provide you with a full response in writing within one month of receipt of your request. We may extend the time limit by a further period if the request is complex or if we receive a number of requests from the individual. The patient will be informed of any extension in terms of our response time.

Future updates to this Notice

This notice may change periodically and will be published on the LungHealth website and by e-mail to practices/healthcare organisations/users.

Your right to complain

If you are in any way dissatisfied with the way that we process your personal data, you have a right to raise your concerns with our independent Data Protection Officer. You also have a right to raise any concerns you may have with the Information Commissioner’s Office, which can be contacted as follows:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

(Policy updated April 2024)

Use of cookies

Our website uses cookies so that we can understand user behaviour and create consistency across multiple visits, for example so you can continue an online support conversation that you were having with us. Please refer to our cookies & website policy for more detail about the use of cookies on the public website, and in our product.