1.1.1
Echelon Health is committed to respecting and protecting your privacy and complying with Data Protection Legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
1.1.2
This policy refers to the GDPR and unless otherwise explicitly expressed, the GDPR refers to the UKGDPR pursuant to the Data Protection Act 2018, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
1.1.3
This policy describes the personal data about you that we process and the legal basis for processing. It also describes your rights as a data subject.
1.2.1
“Echelon Health” (and “we”, “us”, or “our”) refers to Echelon Health Ltd (company number 06035906) with registered office at 68 Harley Street, LONDON, W1G 7HE.
1.2.2
Echelon Health is the controller of all personal data processed about you during the provision of our services to you.
Echelon Health’s Privacy Officer is:
Claire Johnson
Echelon Health Ltd
68 Harley Street
LONDON
W1G 7HE
(t) 020 7580 7688
(email) [email protected]
We are supported in our compliance with and management of Data
Protection matters by:
Data Protection People Limited
Round Foundry Media Centre
Foundry Street
Leeds
LS11 5QP
(t) 0345 340 5412
1.4
How we obtain your personal data
1.4.1
Any personal data that you provide to us by:
- speaking to us in person;
- filling in forms on our website https://www.echelon.health;
- corresponding with us by telephone;
- corresponding with us by email;
- corresponding with us via WhatsApp;
- corresponding with us by letter.
1.4.2
Personal data obtained from sources other than you
- Your contact and medical details from your parent or guardian if you are under 18 years old;
- Your contact and medical details from a family member or somebody else acting on your behalf;
- Your contact and medical details from a physician referring you to us;
- Images resulting from scans of your body and other diagnostic procedures from our specialist service providers;
- Radiologists’ interpretations of scans of your body and interpretations of other diagnostic procedures from our specialist service providers.
1.5
The personal data that we process about you
1.5.1
We process the following personal data about you:
- Title
- First name
- Last name
- Date of Birth
- Home address
- Home telephone number
- Email address
- Marital status
- Height
- Weight
- Gender
- Answers to questions about your medical history
- Answers to questions about your family medical history
- Contact details of your General Practitioner (GP)
- Financial details, such as details about your payments, your bank or credit/debit card details or health insurance policy details;
- Information about how you use our products and services, such as insurance claims;
- Images resulting from scans of your body
- Radiologists’ interpretations of scans of your body
- Results of other diagnostic procedures
- Interpretations of other diagnostic procedures
1.5.2
If you are a corporate customer or have been introduced to Echelon Health by a company which has a commercial relationship with Echelon Health for us to provide Health Assessments to directors, officers or employees of such company or other third parties with a commercial relationship with such company then we also process the following:
- Company name
- Company address
- Name of company contact
- Telephone number of company contact
- Email address of company contact
1.5.3
If you receive emails from us and interact with them we collect:
- Time you received the email;
- time you opened the email;
- device you used to open the email;
- geographical location when you opened the email;
- which parts of the email you interacted with.
1.5.4
If you use social media accounts which are registered using the same email address you have provided to us elsewhere our systems enable us to link your social media accounts to your account and so we will process:
- Links to any social media accounts that you use.
1.6
Purpose for the processing and the lawful basis for the processing
1.6.1
Purpose of processing
1.6.1.1
We process your personal data and special category (medical) personal data solely to provide you with the service you have requested.
1.6.2
Lawful basis for processing
1.6.2.1
We process your personal data and special category (medical) personal data solely to provide you with the service you have requested.
1.6.2.2
The lawful basis for processing your personal data is that it is necessary for the performance of our contract with you.
1.6.2.3
The lawful basis for processing your special category (medical) personal data is processing that is necessary for preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, and / or the provision of health care or treatment (UK GDPR Article 9(2)(h)). We also rely on related conditions under the Data Protection Act 2018, Schedule 1, Part 1, Section 2(2)(a)(b)(c) and (d) for its processing. We may also share your data with third parties where you have provided your explicit consent for a particular service or services (UK GDPR Article 9(2)(a)).
1.6.2.4
We also process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, to provide important updates to you and on occasion to inform you about future health assessments that may be relevant to you, to help us improve our services and products, and to exercise our rights or handle insurance claims.
1.6.2.5
Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal data include:
- to manage our relationship with you, our business and third parties who provide services for us;
- to provide health-care services on behalf of a third party (for example, your employer);
- to make sure that diagnostic imaging services are handled efficiently and to investigate complaints (for example, we may ask your referring doctor/consultant for information to make sure we receive accurate information and to monitor the quality of your treatment and care);
- to keep our records up to date and to provide you with marketing as allowed by law;
- for statistical research and analysis so that we can monitor and improve products, services, websites and apps, or develop new ones;
- to monitor how well we are meeting our clinical and non-clinical performance expectations through patient feedback surveys;
- to enforce or apply our website terms of use, our policy terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety;
- to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.
1.6.2.6
In very rare situations (such as suspicion of an infectious disease) we would have a legal obligation to disclose your personal data to relevant authorities.
1.6.2.7
In very rare situations (such as investigations in response to a safeguarding concern, a patient’s complaint or a regulator (such as the Care Quality Commission or the General Medical Council) contacting us, we would have a legal obligation to disclose your personal data to relevant authorities.
1.7
Retention of personal data
1.7.1
We are under a legal and ethical obligation to maintain records safely and securely for a minimum period as set out by the Department of Health (2006) Records management: NHS code of practice. The minimum retention period is currently 8 years.
1.8
Sharing your personal data
1.8.1
We will share your personal data with:
- Medical professionals directly involved in your health assessment and, as appropriate, any diagnosis and treatment. The care team directly involved with your health assessment, diagnosis and treatment are deemed to have a “legitimate relationship” with you. This includes medical professionals employed by our service providers such as (though not limited to) Alliance Medical Harley Street (European Scanning Centre (Harley Street) Limited) who are involved with your “direct care”. Members of your care team are expected to share confidential information when it is needed for your safe and effective care, including referrals to consultants. However, you will be informed about who will see your confidential information;
- Third parties where you have provided your explicit consent to the sharing for a specific purpose or service.
- Your employer (or their broker or agent), for service administration purposes if your employer is paying for the services we are providing or if you are a member or beneficiary under your employer’s group scheme;
- Any other organisation paying for the services we provide to you, including insurers, public-sector commissioners and embassies;
- Other organisations you belong to, or are professionally associated with, to confirm your entitlement to claim discounts on our services;
- government authorities and agencies, including the Health Protection Agency (for infectious diseases such as TB and meningitis);
- people or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud-prevention or safeguarding purposes, including with the Care Quality Commission);
- the police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order;
- other third parties we work with to provide our services, such as specialist Consultant Radiologists and Consultant Physicians, medical diagnostic partners, agents working on our behalf, insurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt-collection agencies, credit-reference agencies, fraud-detection agencies (including health-insurance counter-fraud groups), regulators, data-protection supervisory authorities, health-care professionals, health-care providers and medical-assistance providers.
1.9
Processing of your personal data by organisations (Controllers) employed by Echelon Health
1.9.1
Echelon Health contracts with a small number of external organisations who are categorised as Data Controllers in their own right to provide us with specialist services. Data protection legislation obliges us to define precisely what such organisations are expected to do in a legally binding contract. An important part of these contracts is that it obliges our service providers to be as equally committed to the care and privacy of your personal data as we are.
1.9.2
We only employ organisations that comply with data protection legislation and these organisations are audited to ensure compliance.
1.9.3
Echelon share your data with various third parties to support you with your healthcare and help us provide our service to you. These include providers of scanning, x-ray and imaging services, ultrasound services, blood screening services, health check providers and mole and skin screening services. We share your data for these services as part of our contract with you. On occasion, and where you have consented, we may also share your data with other third parties, for example for provision of additional and / or optional services and advice. Echelon can provide specific details of our partners on request.
1.10
Processing of your personal data by organisations (Processors) employed by Echelon Health
1.10.1
Echelon Health contracts with a small number of external organisations who are categorised as Data Processors and who provide us with specialist services. Data protection legislation obliges us to define precisely what such organisations are expected to do in a legally binding contract. An important part of these contracts is that it obliges our service providers to be as equally committed to the care and privacy of your personal data as we are.
1.10.2
We only employ organisations that comply with data protection legislation and these organisations are audited to ensure compliance.
1.10.3
The following categories of processors are currently used by Echelon Health although we reserve the right, at our absolute discretion, to amend this list from time to time:
Category of Processor |
Service Provided |
Healthcare Providers |
We utilise the services of specialist third parties for services such as Blood tests and screening services. |
IT Service Providers |
We employ third party service providers to help manage our IT infrastructure. These companies have administrator access to those systems to enable their continuous and effective operation. We have contracts in place with them and can revoke their access if needs be. |
Marketing Agencies |
We employ a number of third party specialist providers (often by means of license) to help manage our marketing activity. These include email marketing providers and CRM system providers. |
Finance System Providers |
We utilise third party providers accounting and bookkeeping software and services to help manage our financial and management accounts. |
HR Specialists |
From time to time we use recruitment specialists to help us hire our team members. |
1.11
Profiling and automated decision-making
1.11.1
We do not perform any profiling based on personal data that has a legal or significant effect.
1.11.2
We do not perform any automated decision-making involving personal data.
1.12
International Transfers
1.12.1
We will neither transfer nor process personal data outside the United Kingdom, nor will we permit personal data to be transferred or processed outside the United Kingdom, unless it is under one or more of the following conditions:
- the territory into which the data are being transferred is covered by UK adequacy regulations;
- the transfer is made under the unaltered terms of the standard contractual clauses issued by the European Commission for such purposes;
- the transfer is made under the provision of UK binding corporate rules;
- the transfer is made in accordance with one of the exceptions set out in Data Protection Legislation.
- the transfer is made under International Data Transfer Agreement (IDTA) which is a contract that regulates and protects transfers of personal data between countries and / or the International Data Transfer Addendum (Addendum) which is an addendum to the new standard contractual clauses issued by the European Commission.
1.13
Marketing and preferences
1.13.1
We can only use your personal data to send you marketing material if we have your consent or a legitimate interest as described above.
1.13.2
If you consent (opt-in) to receiving marketing materials from us, you can remove that consent (opt-out) at any time by either, clicking on the ‘unsubscribe’ link that appears in all marketing emails we send. If you don’t want to receive texts from us you can tell us by contacting us at any time. Otherwise, you can always contact us to update your contact preferences.
1.14
Use of Consumer Finance
1.14.1
If you choose to make a purchase from us using a loan, we will share your information with lenders with whom we have a relationship. We will only share your information where we have your consent. If you decide to proceed with a loan application, we will share your information with the relevant lender for the purpose of introducing you to their loan product(s). The lender will then become a data controller for the purpose of providing your loan and you should refer to the lender’s privacy notice for information on how they process your data.
1.14.2
If you choose to make a purchase from us using a loan, we will provide you with relevant information about lenders with whom we have a relationship. If you decide to proceed with a loan application, we will share your information with the relevant lender for the purpose of introducing you to their loan product(s). We will only share your information where we have your consent. The lender will then become a data controller for the purpose of providing your loan and you should refer to the lender’s privacy notice for information on how they process your data.
Your Rights
1.15.1
You have the following rights concerning your personal data:
Right of access |
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data. |
Right to rectification |
You have the right to oblige us to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement. |
Right to erasure (right to be forgotten) |
You have the right (under certain circumstances, but not all) to oblige us to erase personal data concerning you. |
Right to restriction of processing |
You have the right (under certain circumstances, but not all) to oblige us to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you. |
Right to data portability |
You have the right (under certain circumstances, but not all) to oblige us to provide you with the personal data about you which you have provided in a structured, commonly used and machine-readable format.
You also have the right to oblige us to transmit those data to another controller. |
Right to withdraw consent |
If the lawful basis for processing is consent, you have the right to withdraw that consent. |
Right to object to direct marketing |
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing. |
Rights in relation to automated decision making and profiling |
We do not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you. |
1.16
Your right to lodge a complaint with a supervisory authority
1.16.1
If you wish to exercise any of your rights concerning your personal data, you should contact us at the address shown above. If you are not satisfied with the response you receive you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
(t) 0303 123 1113
(e) [email protected]
2.1.1
This policy provides information about how and why we use cookies on the website
www.echelon.health [“Our Website”] and our dedicated portal My.Echelon.
2.2.1
Cookies are small text files containing identifiers that are sent by web servers to web browsers and are located in browser directories. Each time a browser requests a page from the web server the identifier is sent back to the server.
2.2.2
Cookies are used by web developers to help users navigate their websites efficiently and perform certain functions. Cookies are created not just by the website the user is browsing but also by other websites that run ads, widgets, or other elements on the page being loaded. These cookies regulate how the ads appear or how the widgets and other elements function on the page.
2.3
What cookies do we use?
2.3.1
Cookies are categorised into 4 types:
-
- Strictly necessary cookies. These are cookies that are required for the operation of Our Website. They include, for example, cookies that enable you to log into secure areas of Our Website. Without these cookies services you have asked for cannot be provided.
- Performance cookies. These cookies collect information about how visitors use Our Website, for example which web page you visit and if you get error messages from web pages. These cookies help us to improve the way Our Website works. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. Please note that third parties (including, for example, providers of external services like web traffic analysis services) may have placed performance cookies on Our Website.
- Functionality cookies. These cookies allow Our Website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
- Tracking cookies. These are cookies that collect information about your browsing habits to make advertising relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaigns. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers.
2.3.2
These are the cookies that we use on Our Website.
Cookie Name |
Default Expiration Time |
Description |
__utma |
2 years from set/update |
Used to distinguish users and sessions. The cookie is created when the JavaScript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics. |
__utmt |
10 minutes |
Used to throttle request rate. |
__utmb |
30 mins from set/update |
Used to determine new sessions/visits. The cookie is created when the JavaScript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics. |
__utmc |
End of browser session |
Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit. |
__utmz |
6 months from set/update |
Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the JavaScript library executes and is updated every time data is sent to Google Analytics. |
__utmv |
2 years from set/update |
Used to store visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor level custom variable. This cookie was also used for the deprecated _setVar method. The cookie is updated every time data is sent to Google Analytics. |
fbevents.js |
|
This Cookie is placed by Facebook. It enables Echelon Health to measure, optimize and build audiences for advertising campaigns served on Facebook. In particular it enables us to see how our users move between devices when accessing our web site and Facebook, to ensure that our Facebook advertising is seen by our users most likely to be interested in such advertising by analysing which content a
user has viewed and interacted with on the Echelon Health web site.To opt-out go to
https://www.facebook.com/ads/preferences |
porememberme |
|
Used to store the user’s name (only) if the user selects the option to “remember me next time I log in” |
2.3.3
The following cookies are used by our CRM system, HubSpot (www.hubspot.com).
_hs_opt_out |
13 months from set/update |
This cookie is used by the opt-in privacy policy to remember not to
ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to opt out of cookies. It contains the string “yes” or “no”. |
_hs_do_not_track |
13 months from set/update |
This cookie can be set to prevent the tracking code from sending any information to HubSpot. Setting this cookie is different from opting out of cookies, as it still
allows anonymized information to be sent to HubSpot. It contains the string “yes”. |
_hs_initial_opt_in |
7 days from set/update |
This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode. I tcontains the string “yes” or “no” |
hs_ab_test |
End of browser session |
This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before It contains the id of the A/B test page and the id of the variation that was chosen for the visitor. |
[id]_key |
14 days |
When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. It contains an encrypted version of the password
so future visits to the page will not require the password again. |
hs-message-is-open |
30 minutes |
This cookie is used to determine and save whether the chat widget is open for future visits. It is set when startomg a new chat, and resets to re-close the widget after 30 minutes of inactivity. It contains a boolean value of True if present. |
hs-messages-hide-welcome-message |
One day |
This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed. It contains a boolean value of True or False. |
_hstc |
13 months |
This cookie keeps track of a visitor’s identity. It is passed to HubSpot on form submission and used when deduplicating contacts. It contains an opaque GUID to represent the current visitor. |
_hssc |
30 minutes |
This cookie keeps track of sessions. Used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. |
_hssrc |
End of browser session |
Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. It contains the value “1” when present. |
2.4.1
When you visit our website you will be presented with a Cookie Banner that will provide you with some details regarding cookies and provide you with a choice whether to accept or decline the cookies that we use.
2.4.2
You can also manage your cookies through your browser. The management method varies from browser to browser and if you want to block or delete cookies you should check for information about your browser’s settings.
2.5.1
Echelon Health Limited, a company registered in UK with company number 06035906 and whose registered office is located at 68 Harley Street, London, W1G 7HE [the “Company” or “we” or “us”] is committed to protecting and respecting the personal data of all those whose data we handle in connection with the services we provide to our users.
2.5.2
Our Website is operated under the legal jurisdiction of the United Kingdom. For the purpose of the Data Protection Act 2018 (the “Act”) and the General Data Protection Regulation (Regulation [EU] 2016/679 of the European Parliament and of the Council) (the “GDPR”), Echelon Health Limited is the controller, and determines the purposes and means of processing of your personal data.
2.5.3
The contact details of our Privacy Officer are:
Claire Johnson
Echelon Health Ltd
68 Harley Street LONDON
W1G 7HE
(t) 020 7580 7688
(email) [email protected]
We respect your privacy. If you have any other questions, please get in touch with us at:
Echelon Health Ltd
68 Harley Street
LONDON
W1G 7HE
(t) 020 7580 7688
(e) [email protected]