Last updated: October 25, 2019
- Information we collect
- Introduction to the WeCudos Data Bank
- Locations of processing
- Grounds for processing
- Information for patients
Welcome to WECUDOS LIMITED’s privacy notice.
WECUDOS LIMITED is a company registered in England and Wales under registration number 08096172 whose registered address is 91 Wimpole Street, W1G 0EF. We are committed to protecting and respecting your privacy.
Wecudos Limited (which is also referred to in the Terms as “Wecudos” and “we”, “us” and “our”) respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. Nothing in these terms will be construed as placing an obligation on us that we are not by law obliged to accept (and any such provision shall be construed as a statement of current intent by us but does not create a binding obligation on us). If and to the extent that any provision of these terms contradicts applicable law, the applicable law shall apply. Wecudos uses social media and electronic communications made available by devices you use (together referred to in this policy as “Your Accounts”) to assist you to interact with medical, health, fitness and well-being advisers and others to whom you grant access (together referred to in this policy as “Your Advisers”).
1 IMPORTANT INFORMATION AND WHO WE ARE
PURPOSE OF THIS PRIVACY NOTICE
1.1 This privacy notice aims to give you information on how Wecudos collects and processes your personal data through your use of this website, including any data you may provide through this website when you sign up to accept our services, purchase a product or service or otherwise engage with us.
1.2 Our websites and applications are not intended for children and we do not knowingly collect data relating to children.
1.3 It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
1.4 Wecudos Limited is the controller and responsible for your personal data to the extent that it collects it through Your Accounts and as a result of interactions with Your Advisers.
1.5 We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.
1.6 Our full details are:
Full name of legal entity: Wecudos Limited
Title of data privacy manager: Data Privacy Manager
Email address: email@example.com
Postal address: 91 Wimpole Street, W1G 0EF
1.7 You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Information we collect
We collect information about you in three ways: directly from your input, from third-party sources, and through automated technologies.
Information you provide to us
The types of personal information that we collect directly from you depend on the content and features of the Service you use and how you otherwise interact with us, and may include:
- Contact details, such as your name, email address, postal address, phone number and social media handle;
- Account login credentials, such as usernames and passwords, password hints and similar security information;
- Other account registration and profile information, including educational, professional and other background information, such as your field of study, current position, practice area and areas of interests, ORCID ID and photo;
- Content that you upload and share or store in your account, such as annotations, comments, contributions and replies;
- Payment information, such as a credit or debit card number;
- Information that you communicate to us, such as questions or information you send to customer support;
- Data that you provide to us as part of interacting with the Service, such as your favorites and search queries; and/or
- Communications preferences, such as your preferred language and the frequency, type and format of the alerts you sign up to receive.
Data from your institution
We may obtain information about you from the institution with which you are employed or affiliated in order to activate and manage your access to and use of the institution’s subscription to the Service, including:
- Contact details, such as your name and institutional email address, postal address and phone number;
- Other account registration information, such as job title; and/or
- Institutional user ID.
Data from other sources
We also may obtain contact details and other information about you from third parties, including:
- Social networks, when you grant permission to the Service to access your data on one or more networks;
- Service providers that help us determine a location in order to customize certain products to your location;
- Partners with which we offer co-branded services or engage in joint marketing activities; and/or
- Publicly available sources and data suppliers from which we obtain data to validate or supplement the information we hold and to support the Service.
Device and usage data
The Service may automatically collect information about how you and your device interact with the Service, such as:
- Computer, device and connection information, such as IP address, browser type and version, operating system and other software installed on your device, unique device identifier and other technical identifiers, error reports and performance data;
- Usage data, such as the features you used, the settings you selected, URL click stream data, including date and time stamp and referring and exit pages, and pages you visited on the Service;
- For educational Services, the course modules and test questions you view, answer or complete; and/or
- For location-aware Services, the physical location of your device.
Locations of processing
Your personal information may be stored and processed in your region or another country where WeCudos companies and their service providers maintain servers and facilities.
We take steps, including through contracts, to ensure that the information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law. Where personal information is transferred from the European Economic Area (“EEA”) or Switzerland to a country that has not received an adequacy decision by the European Commission, we rely on appropriate safeguards such as the European Commission-approved Standard Contractual Clauses and Privacy Shield Frameworks to transfer the data.
Grounds for processing
When we collect from you any personal information within the scope of European data protection laws, we do so:
- where necessary to provide the Service, fulfill a transaction or otherwise perform a contract with you or at your request prior to entering into a contract;
- where necessary for our compliance with applicable law or other legal obligation;
- where necessary for the performance of a task carried out in the public interest;
- where applicable, with your consent; and/or
- as necessary to operate our business, protect the security of our systems, customers and users, detect or prevent fraud, or fulfill our other legitimate interests as described in the sections above, except where our interests are overridden by your privacy rights.
Where we rely on your consent to process personal information, you have the right to withdraw your consent at any time, and where we rely on legitimate interests, you may have the right to object to our processing.
Information for Patients
WECUDOS DATA BANK
“INSPIRING RADICAL TRANSPARENCY IN HEALTHCARE”
Redistribution without authorisation from WeCudos Ltd is prohibited
TABLE OF CONTENTS
- BACKGROUND AND CONTEXT
- BIOBANK OVERVIEW
- PROPOSED SYSTEM ARCHITECTURE
- DATA SECURITY
- DATA STORAGE AND INTEGRITY PRINCIPLES
Our goal is to improve the efficiency and success of a wide variety of clinical research through the collection, storage and access of health data.
The WeCudos Data Bank aims to:
- Allow quick access to anonymised, comprehensive data sets on large populations with a range of disease-related illnesses, concomitant medication consumption and other relevant health related data
- Provide a secure facility to store data using the most sophisticated encryption software
- Facilitate the analysis of specific data sets, health conditions and medication/supplements, which will accelerate the development of new treatments and/or methods in clinical care through scientific data research
- Improve the healthcare and treatment options for future generations through thorough data analysis on large populations
- BACKGROUND AND CONTEXT
WeCudos is dedicated to promoting research across the United Kingdom, by providing a novel way of collecting real-world data and creating an environment that fosters new research pathways. One way in which we aim to do this is by sponsoring world-class research at a range of academic institutions and hospitals. Furthermore, we hope that by creating the WeCudos Data Bank (WDB) we can create a source of data that inspires and promotes comprehensive, ethical research across healthcare.
Specifically, the WeCudos Data Bank (WDB) is derived from a model currently used in clinical research, called a ‘Biobank’.
Biobanks collect data and biological material and store it for future use, without knowing the exact purpose/requirements of the collected samples and data. This has provided researchers and organisations with instant access to essential biological and data samples, allowing them to carry out their research efficiently and cost effectively.
In the past 20 years, the science of biobanks has become an integral part of the personalised medicine era, facilitating ground-breaking, tailored research in a fraction of the time it would take using conventional clinical trial models.
Biobanks as brokers:
The mainstream definition of data quality is problematic for biobanks as the use of such data is not known in advance. Hence, many biobanks act as data brokers rather than being actual data producers. The intended use is then the search for suitable samples.
Major expectations of biobank users are the quality of the samples and the quality of the related data documentation. Maintaining quality documentation is a critical aspect for Biobanks. Thus, for data brokers, the primary target of data quality is to have good-quality meta-data, i.e. quality data documentation.
It is necessary to document the quality of the received data from the beginning of the process. This documentation should include information such as data origin and data provenance, i.e., how, by whom and by what means the data was produced/collected (e.g. quick test vs. diagnostic test).
- BIOBANK OVERVIEW
The process of recruiting a patient to a Biobank is summarised below:
- Identification: Patient is identified by a clinician or study coordinator
- Consent: Patient is asked whether they would like to consent to the Biobank.
- Sample/Data collection: Data is collected from electronic patient records, samples are collected from clinics/theatres, and all the details are booked into the research database (ranging from Excel to sophisticated research sample databases across NHS hospitals/Academic Institutions/Private Research Facilities).
- Sample and Data Entry: Data relating to that individual is entered into the system, generating a study ID for that patient’s sample and data set.
- Storage: Unique Storage IDs/locations are allocated to samples in ‘virtual freezers’ in the database, that correspond to actual freezer spaces/free locations in the Biobank to facilitate efficient sample tracking and retrieval.
- Dissemination to 3rd Parties: Anonymised reports can be generated from the databases, displaying the total number of samples/data sets for specific diagnoses/ages/treatment pathways.
The WeCudos Data Bank aims to utilise this model in order to collect data of high quality and integrity, as demonstrated below.
- DATA SECURITY
WeCudos Data Bank Security Principles
WeCudos abides by the below principles to assure clients and auditors that the data compiled in the system is of high integrity and quality:
- WeCudos restricts the ability of users in both WeCudos offices and external parties to change certain data, such as time stamps, dates and other source data that must not be altered to allow a clear audit trail of all data.
- Ensures access to original electronic data for staff performing data checking activities.
- Applies appropriate quality metrics
- Assures that personnel are not subject to commercial, political, financial and other organizational pressures or incentives that may adversely affect the quality and integrity of their work
- Allocates adequate human and technical resources such that the workload, work hours and pressures on those responsible for data generation and record keeping do not increase errors
6. DATA STORAGE AND INTEGRITY PRINCIPLES
- WeCudos will not keep personal data for longer than required.
- WeCudos utilises a policy setting standard retention periods of all personal data, to comply with GDPR requirements.
- WeCudos periodically reviews the data to re-evaluate its necessity, accuracy and security.
- Internal audits will occur bi-annually and data that has been dormant for 20 years will be removed from the data bank.
- Data protection impact assessments will occur bi-annually, led by the DPO, and will meet the GDPR standard by describing the nature, scope, context and purposes of the processing; assessing necessity, proportionality and compliance measures; identifying and assessing risks to individuals; and identifying any additional measures to mitigate those risks.
- Personal data breaches will be reported to the relevant national supervisory authority
- Data security breaches will be reported to the controller
- If you choose to take part now, you can change your mind later and withdraw, meaning no further data will be collected from you from the point of withdrawal. You can withdraw at any time by contacting our designated DPO by email at firstname.lastname@example.org. You will receive an email confirming your withdrawal. If you withdraw, your identifiable information will be destroyed if possible. Data that is already being used for research cannot be destroyed or removed. The code that enables us to re-link your samples and personal information will be deleted so that no further information about you will be collected and your information will no longer be used for future research studies. Only your signed consent form and a copy of the letter confirming your withdrawal will be kept as a record of your wishes. Such a withdrawal will prevent information about you from contributing to further research and analyses.
All data will be:
- The identity of the person creating, accessing and moving a record will be documented during every step for audit purposes
Legible and Traceable
- A record that cannot be traced has no value.
- All records will be created so they conform to internal uniformity, which is consistent throughout a system.
- All records will be made at the time an activity takes place to ensure accuracy.
- All records will be original; information will be recorded directly. This avoids the potential of introducing errors in transcribing information.
- The record will reflect what actually happened. Any changes are made in the system without obscuring or obliterating the original information.
- Any changes made to a record will be signed or authorised by the person making the change and a date is captured to show when it was made for audit purposes.