ORCHA Data Protection Principles
ORCHA respects the privacy and confidentiality of all users who engage with the ORCHA App Review platform, organisations who engage in partnership or project work with ORCHA, who we engage with in connection with the marketing and promotion of our products and services, and who use our website.
For the purposes of applicable data protection laws, ORCHA Health Limited is the Data Controller of personal data processed for the purposes described in this policy.
There are seven key principles that underpin Data Protection legislation:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
These principles are central to how we store, manage and process data at ORCHA.
ORCHA strives to ensure that all data that is shared with us is treated with respect for personal, and client, privacy and protected in line with all our legal responsibilities and recognised best practice standards and processes.
ORCHA will only collect the minimum levels of personal data necessary to support our operational processes and will only use your personal data as described within this policy.
Why do we publish this policy?
We publish this policy to demonstrate compliance with the requirements of the Data Protection Act 2018 and with the UK GDPR (General Data Protection Regulation).
ORCHA also publishes this policy to ensure all ORCHA data capture, data management and data utilisation processes are transparent to our end users; and to clearly explain what data we collect and how ORCHA uses any personal information that you supply to us.
How we collect information
ORCHA collects personal information about you directly from you when you:
- register with us to become a member of an ORCHA site
- undertake actions on the ORCHA site such as:
- Recommend an App to another user
- Visit webpages on an ORCHA site
- Complete specific actions on an ORCHA webpage – e.g. Click on the ‘Download an App’ button
- Request certain content on our site, such as reports or brochures
- complete an ORCHA survey
- take part in an ORCHA event or competition
- provide us with personal information in any other way
- enquire about the fundraising campaigns that we run
- engage us to provide ORCHA Review services in connection with an app that you have developed
All of these actions are required to enable ORCHA to deliver its services and only the minimum level of data is captured at each point.
We may also collect information about you from third party sources, such as LinkedIn or Companies House, where we identify you as someone who we think would be interested to hear more about our products and services.
What information we collect
The types of personal information ORCHA collects from you directly will vary depending on our interaction with you, but may include:
- Your name
- Your address
- Your gender
- Your email address or mobile telephone number
- Your credit/debit card or direct debit details (if applicable)
- Non-mandated additional information volunteered by yourself (e.g. Age).
- The pages you view on ORCHA websites
- The Apps you recommend to others
- The Apps you download via the ORCHA sites
- The address and name of your business
- The address and name of your GP (if applicable)
- In relation to our ORCHA Review services, the app(s) you have developed
A user can access the ORCHA site without providing access to any of their personal data without hindrance, as the personal data collections only support the delivery of additional functionality for those users who proactively choose to share their data.
Where we collect information about you from third party sources (such as LinkedIn or Companies House) because we think you would be interested in hearing more about our products and services, we will limit that information to your name, basic contact information (such as a business email address) and limited information about your job role and employer.
How we use your information
ORCHA uses the information that you give to us:
- to send you information, products or services that you have requested to receive
- to improve the information, products and services ORCHA offers to its users. (This includes improving our capability to match Health Apps specific to your health need/age/preferences, and general improvement of ORCHA website and review functionality and presentation)
- to contact you about events, fundraising, campaigning and our other work, where you have requested to receiving marketing information or where we have identified you as someone who may be interested in hearing more about us and we are satisfied that we have a legitimate business interest in contacting you for marketing purposes
- to develop aggregated reports and analysis, using anonymised data, to support research into the broader ongoing development of the Health App market and the utilisation of Health Apps within a defined Health Economy
ORCHA may link data captured from different ORCHA services, at a personal level, in order to improve our understanding of service utilisation and to support analyses on site utilisation and activity, but ORCHA will never publish, share or sell personally identifiable data without explicit, and informed, consent being received from all parties whose data is being used for those purposes.
Our legal basis for processing
We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may be because:
- you have provided your consent to us using the personal information, for example where you are an individual consumer or customer and we wish to use your information to send you marketing communications by email;
- our use of your personal information is in our legitimate interest as a commercial organisation (for example, where we look to contact you as a business contact to let you know more about our products and service) – in these cases we will look after your information at all times in a way that is proportionate and respects your privacy rights. You have a right to object to processing as explained in the “Your individual rights as a data subject” section below;
- our use of your personal information is necessary to perform a contract or take steps to enter into a contract with you, for example, when you download one of our apps or where you are a user of our ORCHA Review service; and/or
- our use of your personal information is necessary to comply with a relevant legal or regulatory obligation that we have.
If you would like to find out more about the legal basis for which we process personal information please contact us by e-mail at firstname.lastname@example.org
We may share your data with certain third parties set out below for the purposes described in the section above:
- Service providers (acting as data processors) who provide IT and system administration services in connection with our business and the manner in which we provide our products and services. These include (but are not limited to) third parties who support and maintain our website, webchat functionality, and customer relationship management system
- ORCHA reserves the right to share your information with other companies that we own or other companies that help us provide any of our services.
- We may be required to share your personal information with agencies to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
There may be rare occasions where information gathered through the day to day collection of ORCHA data identifies a clear need to safeguard the welfare of the individual and/or his/her family and, on those occasions, it may be necessary to contact relevant authorities to address this. ORCHA will only undertake these actions in line with appropriate legal guidelines and using formal, recognised and auditable processes.
Transfers of your personal data to locations outside the United Kingdom
Our sharing of your personal data with the third parties identified above may result in the transfer of your personal data to locations outside of the UK. Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data. This applies in respect of any transfer of your personal data to locations within the European Economic Area.
- Where we share personal data with certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK. For further details please contact us.
Retention of your personal data
ORCHA will retain any personal data it captures for the duration of a registered relationship with the data subject. Once this formal, contractual relationship has ended ORCHA will maintain the personal data for a period of 2 years to support any operational management, or legal requirements that may arise. After this period, ORCHA converts any personally identifiable data into anonymous data and the personally identifiable elements of the stored data is destroyed using best practice data deletion standards.
Accuracy of your personal data
Where possible, ORCHA strives to ensure that any personal data held by us is accurate and of a high quality, but individuals can inform us of any issues with data related to them and we will amend the data accordingly to ensure its ongoing accuracy. To request changes to your personal data, please see below under Right to rectification and we will make the necessary changes to your records as requested.
How do we protect personal information?
ORCHA implements a range of measures to ensure that any personal information that you provide to us is kept secure, accurate and up to date.
ORCHA’s protective measures include:
- Regular reviews of data capture processes to ensure only data that is necessary to support the delivery of ORCHA services is captured
- The implementation of transparent, informative Consent capture mechanisms to ensure that all ORCHA service users understand why ORCHA collects their data and how ORCHA manages that data. In addition, ORCHA consent processes allow users to monitor and amend their consent preferences should their preferences change
- The encryption of data in transit between the ORCHA sites/Apps to the secure data storage facilities
- The maintenance of secure data management environments through strong application of Data Warehousing standards and role-based access controls for authenticated and accredited users. Access to the raw data collected through ORCHA interactions with end users of our services is limited to only those with the appropriate administrative permissions
- ORCHA only keeps personally identifiable data for as long as it is needed and only for the purposes for which our end users have agreed we can use it.
Access to this data is limited to accredited ORCHA staff and access is managed using role-based access controls.
The data that is captured through your interactions with ORCHA are stored securely in a protected data warehouse and are only accessible to accredited administrative users with specific access permissions. Data in transit between webpages and the data store are fully encrypted in transit, in line with best practice encryption methodologies to minimise the risk of interception.
Your individual rights as a data subject
Under the UK GDPR you have certain rights regarding the data which we gather and hold about you.
Right to be Informed
Individuals have the right to be informed about the collection and use of their personal data.
- Why we need to access your personal data?
- How long we will hold that data after your interaction with ORCHA has completed?
- Who we share your data with?
Right of access
You have the right at any time to ask for a copy of the information that ORCHA holds about you, and ORCHA will supply that data to you in line with its legal requirements to do so.
To request access to your data please place your request in an email to email@example.com quoting ‘Right of Access’ in the email header.
Right to rectification
If any information that ORCHA holds about you is wrong, you have the right to ask ORCHA to make the necessary corrections.
To request amendments to your data please place your request in an email to firstname.lastname@example.org quoting ‘Right to Rectification’ in the email header.
Right to erasure
You have the right to ask ORCHA to remove all personal data we hold about you from our systems.
To request that your personal data is securely deleted from our records, please place your request in an email to email@example.com quoting ‘Right to Erasure’ in the email header.
Right to restrict processing
You have the right to request that your data is not used for specific forms of processing that ORCHA undertakes.
To request limits to be placed on how your data is processed by the ORCHA team, please place your request in an email to firstname.lastname@example.org quoting ‘Right to Restrict Processing’ in the email header.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The data that ORCHA holds about you can be delivered directly to you, or to external organisations you grant permission to, in a variety of electronic formats depending on your request. This data will only be delivered when a written request is received from a validated user.
To request that your data can be shared/transferred to another system external to ORCHA, by the ORCHA team, please place your request in an email to email@example.com quoting ‘Right to Data Portability’ in the email header.
Right to object
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
To request that your data is not processed under certain circumstances, please place your request in an email to firstname.lastname@example.org quoting ‘Right to Object’ in the email header. It is important to understand that certain types of processing are essential to ensure that ORCHA can deliver its services and requesting to be excluded from these processing tasks may limit your ability to access all of the functionality provided by the ORCHA platforms.
Right to withdraw consent
Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time.
Consent preference can be changed through accessing the User Profile page at any time.
Alternatively, you can email email@example.com to request that your consent is withdrawn. Please use ‘Consent Management’ in the header of the email you send for this purpose.
Rights related to automated decision making, including profiling
The UK GDPR has provisions on:
- automated individual decision-making (e.g. making a decision solely by automated means without any human involvement)
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process
Please inform us if you do not want your data to be used in this way.
The ORCHA team will acknowledge all requests as soon as possible, and aims to address any queries you may have within 7 working days. However under UK GDPR we have up to 30 days to respond to requests.
How to complain
If you have any complaint about the use of your personal data please contact firstname.lastname@example.org
If you remain dissatisfied you can also complain to the Information Commissioner’s Office about how we have used your data. The ICO’s address is:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Under 18-year olds
For users who are 18 or under, a parent/guardian’s permission is required before any personal information is captured relating to the individual.