Unrecognizable female patient entering a mri scan while technician standing and looking at her.

Privacy & Cookies Policy

1.

Privacy Policy

1.1

Introduction

1.1.1
Echelon Health is committed to respecting and protecting your privacy and complying with Data Protection Legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
1.1.2
This policy describes the personal data about you that we process and the legal basis for processing. It also describes your rights as a data subject.

1.2

About Us

1.2.1
“Echelon Health” (and “we”, “us”, or “our”) refers to Echelon Health Ltd (company number 06035906) with registered office at 68 Harley Street, LONDON, W1G 7HE.
1.2.2
Echelon Health is the controller of all personal data processed about you during the provision of our services to you.

1.3

Privacy Officer

Echelon Health’s Privacy Officer is:

Claire Johnson
Echelon Health Ltd
68 Harley Street
LONDON
W1G 7HE

(t) 020 7580 7688
(email) privacy.officer@echelon.health

We are supported in our compliance with and management of Data
Protection matters by:

Data Protection People Limited
Round Foundry Media Centre
Foundry Street
Leeds
LS11 5QP

(t) 0345 340 5412

1.4

How we obtain your personal data

1.4.1

Any personal data that you provide to us by:

  • speaking to us in person;
  • filling in forms on our website https://www.echelon.health;
  • filling in forms on our My.Echelon Portal / in your My.Echelon Account;
  • corresponding with us by telephone;
  • corresponding with us by email;
  • corresponding with us by letter.

1.4.2

Personal data obtained from sources other than you

  • Your contact and medical details from your parent or guardian if you are under 18 years old;
  • Your contact and medical details from a family member or somebody else acting on your behalf;
  • Your contact and medical details from a physician referring you to us;
  • Images resulting from scans of your body and other diagnostic procedures from our specialist service providers;
  • Radiologists’ interpretations of scans of your body and interpretations of other diagnostic procedures from our specialist service providers.

1.5

The personal data that we process about you

1.5.1

We process the following personal data about you:

  • Title
  • First name
  • Last name
  • Date of Birth
  • Home address
  • Home telephone number
  • Email address
  • Marital status
  • Height
  • Weight
  • Gender
  • Answers to questions about your medical history
  • Answers to questions about your family medical history
  • Contact details of your General Practitioner (GP)
  • Financial details, such as details about your payments, your bank or credit/debit card details or health insurance policy details;
  • Information about how you use our products and services, such as insurance claims;
  • Images resulting from scans of your body
  • Radiologists’ interpretations of scans of your body
  • Results of other diagnostic procedures
  • Interpretations of other diagnostic procedures
1.5.2

If you are a corporate customer or have been introduced to Echelon Health by a company which has a commercial relationship with Echelon Health for us to provide Health Assessments to directors, officers or employees of such company or other third parties with a commercial relationship with such company then we also process the following:

  • Company name
  • Company address
  • Name of company contact
  • Telephone number of company contact
  • Email address of company contact
1.5.3

If you visit our website https://www.echelon.health/ or our dedicated portal My.Echelon we collect information about your computer:

  • IP address (where available);
  • geographic location (if you allow this when prompted by your browser);
  • operating system;
  • browser type;
  • to enable our systems to recognise your device and to provide features to you, we use cookies. For more information about cookies and how we use them, please read section 2 (Cookie Policy) below.
1.5.4

If you receive emails from us and interact with them we collect:

  • Time you received the email;
  • time you opened the email;
  • device you used to open the email;
  • geographical location when you opened the email;
  • which parts of the email you interacted with.
1.5.5

If you use social media accounts which are registered using the same email address you have provided to us elsewhere our systems enable us to link your social media accounts to your account and so we will process:

  • Links to any social media accounts that you use.

1.6

Purpose for the processing and the legal basis for the processing

1.6.1

Purpose of processing

1.6.1.1
We process your personal data and special category (medical) personal data solely to provide you with the service you have requested.

1.6.2

Legal basis for processing

1.6.2.1
We process your personal data and special category (medical) personal data solely to provide you with the service you have requested.
1.6.2.2
The legal basis for processing your personal data is that it is necessary for the performance of our contract with you.
1.6.2.3
The legal basis for processing your special category (medical) personal data is processing that is necessary for health or social care purposes, specifically: (a) preventive or occupational medicine, (b) the assessment of the working capacity of an employee, (c) medical diagnosis, (d) the provision of health care or treatment.
1.6.2.4
We also process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, for marketing including sending you further information about our products, services and any future health assessments that may be relevant to you, to help us improve our services and products, and to exercise our rights or handle insurance claims.
1.6.2.5

Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal data include:

  • to manage our relationship with you, our business and third parties who provide services for us;
  • to provide health-care services on behalf of a third party (for example, your employer);
  • to make sure that diagnostic imaging services are handled efficiently and to investigate complaints (for example, we may ask your referring doctor/consultant for information to make sure we receive accurate information and to monitor the quality of your treatment and care);
  • to keep our records up to date and to provide you with marketing as allowed by law;
  • for statistical research and analysis so that we can monitor and improve products, services, websites and apps, or develop new ones;
  • to monitor how well we are meeting our clinical and non-clinical performance expectations through patient feedback surveys;
  • to enforce or apply our website terms of use, our policy terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety;
  • to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.
1.6.2.6
In very rare situations (such as suspicion of an infectious disease) we would have a legal obligation to disclose your personal data to relevant authorities.
1.6.2.7
In very rare situations (such as investigations in response to a safeguarding concern, a patient’s complaint or a regulator (such as the Care Quality Commission or the General Medical Council) contacting us, we would have a legal obligation to disclose your personal data to relevant authorities.

1.7

Retention of personal data

1.7.1
We are under a legal and ethical obligation to maintain records safely and securely for a minimum period as set out by the Department of Health (2006) Records management: NHS code of practice. The minimum retention period is currently 8 years.

1.8

Sharing your personal data

1.8.1
We will share your personal data with:
  • Medical professionals directly involved in your health assessment and, as appropriate, any diagnosis and treatment. The care team directly involved with your health assessment, diagnosis and treatment are deemed to have a “legitimate relationship” with you and furthermore are deemed to have “implied consent” to process your personal data and special category (medical) personal data. This includes medical professionals employed by our service providers such as ESC. Note that this “implied consent” only applies to healthcare professionals who have a “legitimate relationship” with you and are involved with your “direct care”.  Members of your care team are expected to share confidential information when it is needed for your safe and effective care, including referrals to consultants. However, you will be informed about who will see your confidential information;
  • Your employer (or their broker or agent), for service administration purposes if your employer is paying for the services we are providing or if you are a member or beneficiary under your employer’s group scheme;
  • Any other organisation paying for the services we provide to you, including insurers, public-sector commissioners and embassies;
  • Other organisations you belong to, or are professionally associated with, to confirm your entitlement to claim discounts on our services;
  • national registries such as the Cancer Registry;
  • national screening databases;
  • government authorities and agencies, including the Health Protection Agency (for infectious diseases such as TB and meningitis);
  • people or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud-prevention or safeguarding purposes, including with the Care Quality Commission);
  • the police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order;
  • other third parties we work with to provide our services, such as specialist Consultant Radiologists and Consultant Physicians, medical diagnostic partners, agents working on our behalf, insurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt-collection agencies, credit-reference agencies, fraud-detection agencies (including health-insurance counter-fraud groups), regulators, data-protection supervisory authorities, health-care professionals, health-care providers and medical-assistance providers.

1.9

Processing of your personal data by organisations (Controllers) employed by Echelon Health

1.9.1
Echelon Health contracts with a small number of external organisations who are categorised as Data Controllers in their own right to provide us with specialist services. Data protection legislation obliges us to define precisely what such organisations are expected to do in a legally binding contract. An important part of these contracts is that it obliges our service providers to be as equally committed to the care and privacy of your personal data as we are.
1.9.2
We only employ organisations that comply with data protection legislation and these organisations are audited to ensure compliance.
1.9.3
The following Controllers are currently used by Echelon Health although we reserve the right, at our absolute discretion, to amend this list from time to time:
Controller Service provided
European Scanning Centre (Harley Street) Limited (“ESC”) of 68 Harley Street, LONDON, W1G 7HE ESC provides us with scanning services. ESC operates the scanning equipment and employ the radiographers and radiologists who will be involved in your assessment.  It is ESC’s radiologists who supply us with the images resulting from the scans and their interpretation of those images. ESC is a trusted partner of long standing which operates from the same building as Echelon Health.
108 X-Ray and Imaging of 108 Harley Street, LONDON, W1G 7ET 108 X-Ray and Imaging provides us with mammography services.

1.10

Processing of your personal data by organisations (Processors) employed by Echelon Health

1.10.1
Echelon Health contracts with a small number of external organisations who are categorised as Data Processors and who provide us with specialist services. Data protection legislation obliges us to define precisely what such organisations are expected to do in a legally binding contract. An important part of these contracts is that it obliges our service providers to be as equally committed to the care and privacy of your personal data as we are.
1.10.2
We only employ organisations that comply with data protection legislation and these organisations are audited to ensure compliance.
1.10.3

The following categories of processors are currently used by Echelon Health although we reserve the right, at our absolute discretion, to amend this list from time to time:

 

Category of Processor Service Provided
Healthcare Providers We utilise the services of specialist third parties for services such as Blood tests and screening, digital mammography and skin cancer checks
IT Service Providers We employ third party service providers to help manage our IT infrastructure. These companies have administrator access to those systems to enable their continuous and effective operation. We have contracts in place with them and can revoke their access if needs be.
Marketing Agencies We employ a number of third party specialist providers (often by means of license) to help manage our marketing activity. These include email marketing providers and CRM system providers.
Finance System Providers We utilise third party providers accounting and bookkeeping software and services to help manage our financial and management accounts.
HR Specialists From time to time we use recruitment specialists to help us hire our team members.

1.11

Profiling and automated decision-making

1.11.1
We do not perform any profiling based on personal data that has a legal or significant effect.
1.11.2
We do not perform any automated decision-making involving personal data.

1.12

International Transfers

1.12.1

We will neither transfer nor process personal data outside the United Kingdom, nor will we permit personal data to be transferred or processed outside the United Kingdom, unless it is under one or more of the following conditions:

  • the territory into which the data are being transferred is one approved by the UK’s Information Commissioner;
  • the territory into which the data are being transferred is within the European Economic Area;
  • the territory into which the data are being transferred has an adequacy decision issued by the European Commission;
  • the transfer is to the United States of America and the recipient is registered under the EU/US Privacy Shield scheme;
  • the transfer is made under the unaltered terms of the standard contractual clauses issued by the European Commission for such purposes;
  • the transfer is made under the provision of binding corporate rules which have been approved and certified by the European Commission;
  • the transfer is made in accordance with one of the exceptions set out in Data Protection Legislation.

1.13

Marketing and preferences

1.13.1
We can only use your personal data to send you marketing material if we have your consent or a legitimate interest as described above.
1.13.2
If you consent (opt-in) to receiving marketing materials from us, you can remove that consent (opt-out) at any time by either, clicking on the ‘unsubscribe’ link that appears in all marketing emails we send. If you don’t want to receive texts from us you can tell us by contacting us at any time. Otherwise, you can always contact us to update your contact preferences.

1.14

Your Rights

1.14.1
You have the following rights concerning your personal data:
Right of access You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data.
Right to rectification You have the right to oblige us to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement.
Right to erasure (right to be forgotten) You have the right (under certain circumstances, but not all) to oblige us to erase personal data concerning you.
Right to restriction of processing You have the right (under certain circumstances, but not all) to oblige us to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you.
Right to data portability You have the right (under certain circumstances, but not all) to oblige us to provide you with the personal data about you which you have provided in a structured, commonly used and machine-readable format.

You also have the right to oblige us to transmit those data to another controller.

Right to withdraw consent If the lawful basis for processing is consent, you have the right to withdraw that consent.
Right to object to direct marketing Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing.
Rights in relation to automated decision making and profiling We do not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.

1.15

Your right to lodge a complaint with a supervisory authority

1.15.1
If you wish to exercise any of your rights concerning your personal data, you should contact us at the address shown above. If you are not satisfied with the response you receive you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

(t) 0303 123 1113
(e) casework@ico.org.uk

2.

Cookie Policy

2.1

Introduction

2.1.1
This policy provides information about how and why we use cookies on the website www.echelon.health [“Our Website”] and our dedicated portal My.Echelon.

2.2

About cookies

2.2.1
Cookies are small text files containing identifiers that are sent by web servers to web browsers and are located in browser directories. Each time a browser requests a page from the web server the identifier is sent back to the server.
2.2.2
Cookies are used by web developers to help users navigate their websites efficiently and perform certain functions. Cookies are created not just by the website the user is browsing but also by other websites that run ads, widgets, or other elements on the page being loaded. These cookies regulate how the ads appear or how the widgets and other elements function on the page.
2.2.3
You can find more information about cookies at http://www.allaboutcookies.org/.

2.3

What cookies do we use?

2.3.1
Cookies are categorised into 4 types:
    • Strictly necessary cookies. These are cookies that are required for the operation of Our Website. They include, for example, cookies that enable you to log into secure areas of Our Website. Without these cookies services you have asked for cannot be provided.
    • Performance cookies. These cookies collect information about how visitors use Our Website, for example which web page you visit and if you get error messages from web pages. These cookies help us to improve the way Our Website works. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. Please note that third parties (including, for example, providers of external services like web traffic analysis services) may have placed performance cookies on Our Website.
  • Functionality cookies. These cookies allow Our Website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
  • Tracking cookies. These are cookies that collect information about your browsing habits to make advertising relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaigns. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers.
2.3.2
These are the cookies that we use on Our Website.
Cookie Name Default Expiration Time Description
__utma 2 years from set/update Used to distinguish users and sessions. The cookie is created when the JavaScript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics.
__utmt 10 minutes Used to throttle request rate.
__utmb 30 mins from set/update Used to determine new sessions/visits. The cookie is created when the JavaScript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics.
__utmc End of browser session Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit.
__utmz 6 months from set/update Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the JavaScript library executes and is updated every time data is sent to Google Analytics.
__utmv 2 years from set/update Used to store visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor level custom variable. This cookie was also used for the deprecated _setVar method. The cookie is updated every time data is sent to Google Analytics.
fbevents.js This Cookie is placed by Facebook. It enables Echelon Health to measure, optimize and build audiences for advertising campaigns served on Facebook. In particular it enables us to see how our users move between devices when accessing our web site and Facebook, to ensure that our Facebook advertising is seen by our users most likely to be interested in such advertising by analysing which content a
user has viewed and interacted with on the Echelon Health web site.To opt-out go to
https://www.facebook.com/ads/preferences
porememberme Used to store the user’s name (only) if the user selects the option to “remember me next time I log in”
2.3.3
The following cookies are used by our CRM system, HubSpot (www.hubspot.com).
_hs_opt_out 13 months from set/update This cookie is used by the opt-in privacy policy to remember not to
ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to opt out of cookies. It contains the string “yes” or “no”.
_hs_do_not_track 13 months from set/update This cookie can be set to prevent the tracking code from sending any information to HubSpot. Setting this cookie is different from opting out of cookies, as it still
allows anonymized information to be sent to HubSpot. It contains the string “yes”.
_hs_initial_opt_in 7 days from set/update This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode. I tcontains the string “yes” or “no”
hs_ab_test End of browser session This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before It contains the id of the A/B test page and the id of the variation that was chosen for the visitor.
[id]_key 14 days When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. It contains an encrypted version of the password
so future visits to the page will not require the password again.
hs-message-is-open 30 minutes This cookie is used to determine and save whether the chat widget is open for future visits. It is set when startomg a new chat, and resets to re-close the widget after 30 minutes of inactivity. It contains a boolean value of True if present.
hs-messages-hide-welcome-message One day This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed. It contains a boolean value of True or False.
_hstc 13 months This cookie keeps track of a visitor’s identity. It is passed to HubSpot on form submission and used when deduplicating contacts. It contains an opaque GUID to represent the current visitor.
_hssc 30 minutes This cookie keeps track of sessions. Used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
_hssrc End of browser session Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. It contains the value “1” when present.

2.4

Managing Cookies

2.4.1
You can manage your cookies through your browser. The management method varies from browser to browser and if you want to block or delete cookies you should check for information about your browser.

2.5

Our details

2.5.1
Echelon Health Limited, a company registered in UK with company number 06035906 and whose registered office is located at 68 Harley Street, London, W1G 7HE [the “Company” or “we” or “us”] is committed to protecting and respecting the personal data of all those whose data we handle in connection with the services we provide to our users.
2.5.2
Our Website is operated under the legal jurisdiction of the United Kingdom. For the purpose of the Data Protection Act 2018 (the “Act”) and the General Data Protection Regulation (Regulation [EU] 2016/679 of the European Parliament and of the Council) (the “GDPR”), Echelon Health Limited is the controller, and determines the purposes and means of processing of your personal data.
2.5.3

The contact details of our Privacy Officer are:

Claire Johnson
Echelon Health Ltd
68 Harley Street LONDON
W1G 7HE

(t) 020 7580 7688
(email) privacy.officer@echelon.health

2.6

Consent for Cookies

2.6.1
By law, we are obliged to inform you about the cookies on Our Website, explain what the cookies are doing, and obtain your consent before placing any cookie files that store information on your device with the exception of strictly necessary cookies for the provision of information society service, requested by you.
2.6.2
We respect your privacy. If you have any other questions, please get in touch with us at:

Echelon Health Ltd

68 Harley Street

LONDON

W1G 7HE

(t) 020 7580 7688

(e) privacy.officer@echelon.health