Attend Anywhere Privacy Notice
Attend Anywhere respects and values your privacy and is committed to protecting your personal data. This privacy notice tells you how we use and look after your personal data when you use Attend Anywhere.
Attend Anywhere is also known as 'Near Me' in Scotland.
About us
Attend Anywhere is a subsidiary of Induction Healthcare Group Plc whose registered office is at: c/o Pinsent Masons, 30 Crown Place, Earl Street, London, EC2A 4ES.
If you use the Induction Attend Anywhere platform we collect, use and are responsible for certain personal information about you. Our use of your information is regulated under the Data Protection Act 2018, the UK General Data Protection Regulation and the need to uphold the common law duty of confidentiality.
We have appointed a Head of Information Governance who is the Data Protection Officer responsible for overseeing questions in relation to this privacy notice.
Contact details
Contact our Data Protection Officer:
Email Address: dpo@inductionhealthcare.com
Postal address: c/o Pinsent Masons, 30 Crown Place, Earl Street, London, EC2A 4ES
ICO Registration: ZA792302
Purposes of our processing
The purpose of Induction Attend Anywhere is to provide an online platform and associated infrastructure which enables users to access services via remote secure videoconferencing. Appointments may be health related or for other purposes.
We will occasionally undertake audits to monitor waiting times and system usage for quality control and service improvement.
What we collect
When you use the Induction Attend Anywhere platform we collect and process your:
- Name
- Contact telephone number and/or email address
- Date of Birth
This information is encrypted and used to identify you as a user to the service provider / clinician hosting your online appointment. At the end of the call this data will be deleted from the Induction Attend Anywhere system within one hour. We do not use, disclose, or store any of the personal information you have provided to access the Platform.
We may also collect your IP address. When collected, a record of your IP address is retained for 3 months to support system performance, reporting and troubleshooting.
For Group consultations, a user’s initials, phone dial-in and IP addresses are captured. This data is encrypted and retained for 2 weeks in log files. The user phone dial-in is retained for a maximum of 1 month for debugging purposes.
The platform may also transmit special category data depending on the nature of the appointment you are attending. Induction Attend Anywhere does not have access to the consultations, these are between yourself and your NHS Trust or other host organisation only.
In some circumstances audio recordings of consultations are made. If this is the case you will be made aware that your consultation will be recorded prior to it commencing by the organisation hosting the consultation, and they are responsible for gaining your consent. If you are not notified recording will take place this means your consultation will not be recorded. Where consultations are recorded, the organisation hosting the consultation is the controller of the recording and we advise you to refer to their privacy policy regarding the uses of your data.
We also refer you to the privacy policy of the hosting organisation (controller) for information regarding analytics which may be carried out on the platform.
Induction Attend Anywhere does not collect any information about the subject of your Induction Attend Anywhere consulting session.
For NHS Trust or other Organisational employees to set up accounts with Attend Anywhere
Staff data of the NHS Trust or other organisation hosting the consultation is required to set up a user account within the platform. To set up a user account for an employee of the NHS Trust or other host organisation we will need to process:
- Name
- Email Address
- Profile photos (if uploaded)
- IP Address
- Device model
- Browser version
These details will also be used for user support, education and customer success management purposes.
The data collected regarding authorised staff members who set up an account is deleted when the user account is no longer in use
If you report a technical problem, we will ask you to provide your:
- Name, and
- Email address
This information is required so that we so that we can get in touch to help to resolve the issues you are having. The system that we use to record technical problems will also collect some information that we need to help identify the problem. This information includes the device type you are using, the browser and browser version along with a link to the page you are on if you are logged in to the platform when reporting the problem. Log files are maintained for analysis.
Analytics
We or our hosting services might collect information on:
- the time of your call
- the length of your call
- similar technical data.
Any information collected in this way will only be used for the purposes of further developing and improving the Induction Attend Anywhere service. The information that we collect will not include any of your personal data other than your IP address in some cases.
We do not collect any information about the subject of your Induction Attend Anywhere appointment.
The lawful basis of processing
Attend Anywhere Limited is a processor of the personal data provided by users prior to participating in an online consultation. This data is required to let the host of the appointment know that you are in the ‘waiting room’. This information will be verified by the host prior to the consultation commencing and is deleted within 1 hour of the end of the consultation.
The NHS Trust or other host organisation is the controller of any audio recording which may be taken during a consultation. Attend Anywhere is the processor of any such recordings.
Where the controller is an NHS Trust, their data protection lawful basis for processing your personal data is likely to be:
- UK GDPR Article 6(1)(e) in that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and
- UK GDPR Article 9(2)(h) in that the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law and pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
When relying on UK GDPR Article 9(2)(h) to process data concerning health, the controller is also required to meet the associated condition in UK law. It is likely that the controller is relying on paragraph 2 of Schedule 1 of the Data Protection Act 2018 in that the processing is necessary for health or social care purposes.
Where the controller is another organisation, their data protection lawful basis for processing your personal data is likely to be:
- UK GDPR Article 6(c) in that the processing is necessary to comply with the law
- UK GDPR Article 6(e) in that the processing is necessary to perform a task in the public interest, or for official functions where the task or function has a clear basis in law.
The controller may also be relying on Schedule 1, paragraph 10 of the Data Protection Act 2018 in that processing is necessary for the prevention or detection of unlawful acts.
The recipients or categories of recipients of the personal data
In order to provide our services, we may share your data with third parties (sub-processors). These sub-processors must conform to the same information governance rules as we do through separate specific data processing contracts with us. Induction Attend Anywhere is using the sub-processors as detailed below:
- Twilio Inc: Twilio process data in order to provide SMS notifications to users
- Amazon Web Services (AWS): AWS host our data. AWS is also used to facilitate the sending of email notifications to patients / users and to store user profile images (if uploaded).
- 8x8 Jaas (Jitsu as a Service) provide capability for both individual and group consultations.
- 8x8 callstat.io analyse call quality for improvement purposes (recordings are not made).
- New Relic supports responses to web requests and database queries
The retention periods for the personal data
Attend Anywhere is a processor for controllers such as NHS Trusts who are Providers or other care organisations who are part of the NHS or adult social care system. We therefore set our retention and deletion standards based on the NHS records management standard unless otherwise instructed by the controller. We adhere to the Records Management Code of Practice for Health and Social Care 2021 and as such have adopted Appendix II of the Code which contains the detailed retention schedules. The Code sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement.
When you use Induction Attend Anywhere, we will only retain your data for as long as necessary and most personal data is deleted immediately after processing.
Service user name, date of birth and phone number are deleted within one hour of the video call ending.
IP addresses are stored for a maximum of 3 months and subsequently securely deleted.
The email addresses and names of authorised staff members (ie administrators / consultation hosts) are deleted when the user account is no longer in use.
Where recordings of consultations are taken the host (NHS Trust or other organisation) are controller of these recordings and will inform you of the retention period.
Where group consultations are enabled, user phone dial in data is retained for a maximum of 1 month.
The rights available to individuals in respect of the processing
Under certain circumstances you have the following rights under data protection legislation in relation to your personal data.
You have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you want us to establish the data's accuracy;
- where our use of the data is unlawful but you do not want us to erase it;
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
To exercise any of your rights, we would advise that you contact the controller organisation in the first instance. Alternatively you can contact us directly at dpo@inductionhealthcare.com.
For any other queries or concerns about Induction Attend Anywhere’s processing of your personal data please contact our Data Protection Officer at dpo@inductionhealthcare.com.
The right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us, or the relevant controller where we are a processor, in the first instance.
Changes to this privacy notice
We may amend this privacy notice from time to time, but if we do so we will notify you by providing the updated privacy notice when you next use the platform. Every time you wish to use the platform, please check this privacy notice to ensure you understand how we will use your data at that time.