The data elements that are processed, other than for identification purposes, indicate the roles, responsibilities and areas of expertise of the individual system users (who are both data subjects and recipients). The users have confirmed the accuracy of the data and have consented to it being processed for the purposes of fulfilling their roles within the system.
We take responsibility for complying with the GDPR, at the highest management level and throughout our organisation. We also ensure that organisations using our services comply with GDPR requirements insofar as their interactions with us allow.
We keep evidence of the steps we take to comply with the GDPR and have put into place appropriate technical and organisational measures, including adopting and implementing appropriate data protection policies.
We have a 'data protection by design and default' approach to ensure that appropriate data protection measures are built into the design and structure of our service.
This policy is updated from time to time. The latest version is published on this web page. This policy was last updated on 15 May 2018.
If you have any questions about this policy, please send them by email using the Contact address at the foot of the page.
How and why
The purpose of the Collegium system is to facilitate case discussions between registered users. These users are healthcare professionals, usually medical practitioners. Account registration is controlled by the manager of the appropriate telemedicine network.
In the course of providing telemedicine services through the system, we gather certain information about people, i.e. healthcare staff and their patients. We also collect some limited information to better understand how registered account-holders use the website, in order to improve its functionality and performance.
What data we gather
If you create an account, you or your network manager will provide us with certain information that can be used to identify you, such as your name, email address and phone number. This is “Personally Identifiable Information” or PII. We may also collect non-identifying demographic information, such as your gender, city and country of residence. This is not considered PII because it cannot be used by itself to identify you.
When initiating a case discussion, registered users may collect the following information about their patients:
- name or hospital ID number
- age and sex
- location of the Hospital/Clinic where the patient is being treated.
In addition to the above, certain privacy-relevant Android permissions are requested by the Collegium app. These include:
- CAMERA. This permission allows the application to upload images or video chosen by the user in order for them to form part of a case discussion.
- STORAGE. This permission allows the application to store encrypted data for the user's cases.
Other permissions, such as CALENDAR, CONTACTS, LOCATION, MICROPHONE, PHONE, SENSORS, SMS, are not used by the app. The app does not collect precise real-time information about the location of your mobile device.
Modifying your Personal Information
Registered users can access their PII and can modify certain data items, such as their email addresses. Other information in the user profile can be modified by the network manager.
If you cease to use the system, e.g. because your job changes, your network manager will inactivate your account. For reasons of medical audit, your past case discussions must be maintained in the system, but logging into your account will be disabled and no further case discussion will be possible.
How we use this data
Collecting this data allows the network manager(s) to provide a telemedicine service based on expertise that is carefully tailored to the patient's environment. For similar reasons, other registered users may view your profile information.
The data also help us understand how well the service is working, as part of a continuing improvement programme, i.e. quality assurance. Specifically, we may use the data:
- for our own internal records
- to improve the services we provide, e.g. by conducting research
- to contact you via email for research reasons
- to contact you in response to a specific enquiry, e.g. about a telemedicine case
- to customise the website for you
- to send you information that we think might be relevant to you.
We do not provide personally-identifiable information to third parties. We may provide aggregated data (non-personally-identifiable information) to healthcare or academic organisations, but only for research purposes.
Cookies and how we use them
What is a cookie?
A cookie is a small file placed on your computer's hard drive. It enables our website to identify your computer as you view different pages on our website. Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. They also enable us to see information like how many people use the website and what pages they tend to visit.
We use cookies to:
- analyse our web traffic using an analytics package. Aggregated usage data help us to improve the website structure, design, content and functions
- identify whether you are signed in to our website. A cookie allows us to check whether you are signed in to the site
- test content on our website. For example, 50% of our users might see one piece of content, and the other 50% might see a different piece of content
- store information about your preferences. The website can then present you with information you will find more relevant, e.g. by storing your language preference, the user interface will appear automatically in that language
- recognise when you return to our website. We may show you relevant content, or provide functionality you used previously.
Cookies do not provide us with access to your computer or any information about you, other than that which you have already chosen to share with us.
Sharing your data
We will not lease, distribute or sell your personal information to third parties unless we have your permission or the law requires us to. Specifically, we will not share your data with other apps, resellers, social networks or advertisers. Any personal information that we hold about you is stored and processed under our data protection policy, in line with the EU GDPR.
We will always hold your information securely. To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards. We also follow stringent procedures to ensure that we work with all personal data in line with the EU GDPR.
How we protect your information
We take protecting your information seriously and have appropriate physical and technological security measures in place to keep it safe. All of the forms which gather or display personal information on our site are protected by a mechanism called Secure Sockets Layer (SSL). This provides a secure, encrypted connection between internet browsers and websites, allowing you to transmit private data online. Firewalls are used to block unauthorised access to our servers, which are themselves located in a secure location. Within our organisation, we restrict access to personal information. Only employees who need the information in order to do their jobs have access to it.
The data stored in the Collegium system represent patient-care information. Legislation about the length of time that such data must be stored varies around the world, and also varies depending on the patient's age. To be on the safe side, the data in the Collegium system are archived onto storage media with a 30-year guaranteed lifetime.
We take a lot of time and trouble (and expense) to ensure that data security is as good as reasonably practicable. We believe that the security is better than is required by the HIPAA legislation in the US, for example.
Links from our site
Our website contains a small number of links to other websites. Please note that we have no control over websites outside the Collegium domain. If you provide information to a website to which we link, we are not responsible for its protection and privacy.
Always be wary when submitting data to websites. Read the site’s data protection and privacy policies carefully.