Lutra Health - Privacy Notice

Last updated: 24th October, 2022

Your privacy, and the security of the data you share with us, are the most important part of our business. We want you to know why we need your data and what we do with it. Our privacy policy defines why we need your data and how we look after it.

Who are we?

Lutra Healthcare Ltd is a private company, based in the UK, which specialises in developing apps to help healthcare workers provide efficient and safe care for patients.
We have three shareholders and are not owned by any corporation.
We are registered with the Information Commissioner's Office to process personal and special categories of information under the Data Protection Act (2018); our registration number is A9028898.
For further information, please see our website: www.lutrahealth.com

Why do we collect personal information about you?

We collect information about you – from healthcare professionals and from the information you give us – in order to transmit it to other healthcare professionals who will then be able to make decisions about your care. We do not alter, adjust or interfere with the data that you or healthcare professionals give us.

What is the legal basis for processing personal information about you?

Lutra Health Ltd collects personal data in order to effect a virtual review pathway for cataract referrals into the NHS and private healthcare establishments. The legal basis for the need to collect and process this data is outlined below.

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories data, for example data concerning/including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services, the condition is:

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Lutra Healthcare may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or

Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or

Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

What personal information do we need to collect about you and how do we obtain it?

In order to effectively deliver the information required to make decisions about your care we need to collect four types of data:

  • Optometrist practice
  • Demographic data – typically supplied by the patient/their carer and the examining Optometrist
  • Clinical data – typically supplied by the examining Optometrist
  • Medical history data – typically supplied by the patient/their carer

We do not require or collect data relating to:

  • Your gender identity
  • Your race or religion
  • Your sexual orientation

What we will do with your personal information

Your records are used to directly manage and deliver healthcare to you, to ensure that:

  • The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
  • Staff have the information they need to be able to assess and improve the quality and type of care you receive.

What we may do with your personal information

The personal information we collect about you may also be used to:

  • Remind you about your appointments and send you relevant correspondence.
  • Review the way we provide information to healthcare organisations to ensure it is of the highest standard and quality.
  • Prepare statistics on our performance to meet the needs of our customer.
  • Help to train and educate healthcare professionals.
  • Report and investigate complaints, claims and untoward incidents.
  • Report events to the appropriate authorities when we are required to do so by law.
  • Review your suitability for research study or clinical trial.
  • Contact you with regards to patient satisfaction surveys relating to our services so as to further improve our services to patients.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use/share the minimum information necessary.

Who do we share your data with, and why?

In order to provide the service we supply we must transfer the data we have collected about you to the healthcare organisation who will take responsibility for your care. We may do this electronically or on paper.

There may be circumstances where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission, the police for the prevention or detection of crime, or where there is an overriding public interest to prevent abuse or serious harm to others, and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

We are required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to us in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, we will always do our best to notify you of this sharing.

How we maintain your data

Your data is held securely on AWS (Amazon Web Services) cloud servers, which achieve the relevant security for healthcare records. AWS is the international gold standard for cloud-based data storage as documented here and upheld by AWS's customer contract terms.

We use Google Analytics software to ensure that the way people use our products is as efficient and streamlined as possible. Google does not collect identifiable data, and cannot access your health record. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. You may opt out of certain Google Analytics features through your mobile device settings, such as your device advertising settings, or by following the instructions provided by Google in their Privacy Policy: https://policies.google.com/privacy

For more information on the general privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy

Links to other websites or services

Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.

Changes to our privacy policy

We may update our Privacy Policy from time to time.
We will let you know via email, a prominent notice on our service, or by requesting that you read and accept the new Privacy Notice before allowing access to our service. The change will become effective when the "Last updated" date at the top of this Privacy Policy is published.
You are advised to review this Privacy Policy periodically for any changes.

Retention of your personal data

We will retain your data as described in our data retention policy. In general terms we retain data for adults for eight years after the last point at which the data was accessed. We retain data destruction certificates for twenty years.

How do we transmit your data?

We send your data to the healthcare providers using either email or delivery within the app. We cannot guarantee the security of your data if it is sent by email. We will only use email to transfer your data when this has been requested by the receiving organisation (for example the NHS). We are not responsible for any data processing which occurs after we have sent the information to the receiving healthcare organisation; you should refer to that organisation's data protection policies for information on how they will use the data we supply.

What are your rights?

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • Request access to the personal data we hold about you, e.g. in health records.
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
  • Refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records 'for the management of healthcare systems and services'. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research).
  • Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.
  • Choose if data from your health records is shared for research and planning purposes.
  • In certain circumstances you may have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. to plan and improve health and care services, to research and develop cures for serious illness).

If you wish to exercise any of these rights in relation to your data, please contact us at "iris@lutrahealth.com".

We have to put systems and processes in place so we can be compliant with the national data opt-out and apply your "Information Governance – Patient Privacy Notice" choice to any confidential patient information we use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy, which allows you to make your choice by emailing us at "contact@lutrahealth.com".

We will always try to keep your information confidential and only share information when absolutely necessary. If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection team, who will investigate the matter.

How can I contact you to discuss my data?

Please email us at "iris@lutrahealth.com" to discuss any questions you may have about how we collect, store and use your data.

How can I contact the Information Commissioner?

The Information Commissioner's Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation: https://ico.org.uk/. If you are not satisfied with our response, or believe we are processing your personal data not in accordance with the law, you can complain to the ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
Email: casework@ico.org.uk