Privacy Policy: v1.0 (23rd May 2018)

Revisions

In order to comply with Government guidance and legislation, this Privacy Policy is routinely reviewed and updated in order to stay compliant.

Who We Are

We are Hearing Healthcare Centre, Head Office – 140 High Street, Chesterton, Cambridge, Cambs CB4 1NW, telephone number: 01223 360700, email: andy@hearinghealthcarecentre.co.uk. For the purpose of processing subject’s personal data, Hearing Healthcare Centre is the ‘Data Controller’

At Hearing Healthcare Centre, we take privacy very seriously, and will only use personal information to administer a subject’s account and to provide the products and services that have been requested from us.

At Hearing Healthcare Centre, we favour communication via e-mail and post, as it is often difficult to communicate with hearing impaired individuals over the telephone.

How We Collect Data

Hearing Healthcare Centre obtain data in a number of ways; from the subject (in person) via telephone, email, online forms, registration to our e-newsletter or by medical referrals.

A subject might also give consent implicitly, such as when they send a message by e-mail or online submission, to which they would reasonably expect a reply, or when they call us by telephone. All data that is submitted is responsibly stored and protected.

Contractual Interest

Where a subject initiates contact with us, either in person, via email, post or phone  in order to receive services or purchase products from us, an ‘interest’ is registered with us. By registering this ‘interest’, our terms and conditions are automatically agreed to, and a contract is formed between the subject and Hearing Healthcare Centre. We will process the information provided, in order to comply with our obligations under that contract. Some of this information may be personal information.

Where no contractual relationship between parties exists, consent to process any information that the subject has freely provided in making contact with us, is assumed.

Wherever possible, Hearing Healthcare Centre aims to obtain explicit consent to process information.

How We Store Data

Personal data is kept in a cloud based Office Management System, BluePrint Solutions OMS. No data is stored locally. No internal backups are performed. All information is located on a secure data centre in the UK, which is 128 bit encrypted. All computers with access to the data are biometrically password protected using FIDO (Fast IDentity Online) approved fingerprint scanners. Access to BluePrint is username/password protected.

Data Protection Principles

Data will, at all times, be;

  • Processed fairly, lawfully and in a clear and transparent way
  • Collected only for reasons that we find proper for the course of performing our duties, and in ways which we have explained
  • Ensured to be correct and up-to-date
  • Kept only for as long as it is needed
  • Processed in a way that ensures it will not be used for anything that a subject is not aware of, or has not consented to
  • Protected against loss or damage

What Information We Process

We process four main types of information; 1) Basic Personal Data including name, date of birth, address, telephone number, e-mail address, secondary contact information etc. 2) Health Information such as doctor’s details 3) Audiological Information which is used to assess and monitor hearing requirements and 3) Accounting Information which consists of previous or current orders and transaction history

Why We Need This Information

Basic Personal Data is collected in order to provide accurate records and perform the services that we have been engaged to perform, including, but not limited to; processing orders, managing an account etc. We do not collect any personal information which is not required to perform our duties as audiological professionals.

Health Information is, again, gathered in order to perform our statutory, legal and regulatory obligations with regards to accurate hearing aid prescription, appropriate treatment and all onward referrals for medical/emergency conditions. We ensure that the relevant doctor is kept informed of any audiological relevant information. We are also duty-bound to inform the relevant authorities if we suspect the potential for danger/or harm to the subject or others.

Audiological Information is obtained during all routine appointments, and is used to create an audiological profile. This information is used to accurately prescribe hearing instruments or perform audiological services. The information is also kept on record to track changes/deterioration in hearing ability in order to detect possible significant medical conditions.

Lawful Basis for Processing Data

Category of Data Lawful Basis Data Consists
Basic Personal Data Contract name, date of birth, address, telephone number, e-mail address, secondary contact information etc.
Health Information Legitimate Interest and for the provision of health diagnosis and treatment doctor’s surgery details etc.
Audiological Information Legitimate Interest and for the provision of health diagnosis and treatment treatment notes, audiological records, health questionnaires etc.
Accounting Information Legal Obligation previous/current orders, transaction history etc.

Who Processes This Information

Information is collected and processed solely by members (employees) of Hearing Healthcare Centre Ltd or approved third party sub-processors.

What We Do With This Information

We collect data in order to fulfil our contractual and legal obligations, and in order to provide the products and services that have been requested. We require this information to understand audiological needs and provide a better service, and in order to keep accurate, current records.

In order to ensure a high quality service, and that our customers are getting the best advice and support possible from us, we may, from time to time, send communication in the form of an after-appointment request for feedback. This is entirely voluntary, and clients can unsubscribe at any time through the email.

We may also occasionally use information to communicate (using email, phone, or mail) about relevant and suitable product developments and updates.

Who We Share This Information With

No third parties have access to personal data, unless either the law allows/requires them to do so, or it is required to provide the requested services, and/or fulfil an order. Where a third party is provided with data, we ensure that they are GDPR compliant and that data is not stored outside of the EEA.

No third party will engage in unsolicited mailings or correspondence, except if legally obligated to do so. We have a Data Protection regime in place to oversee the effective and secure processing of personal data. More information on this framework can be found on our website.

Protecting Personal Data

We are aware of the requirements to ensure data is protected against accidental loss or disclosure, destruction and abuse. We have ensured there are processes in place to guard against these possibilities, and that all parties are GDPR compliant.

Data is backed up hourly, for 24 hours, at the data centre

Data is backed up nightly, for 30 days, at a second secure site based in the UK

Data is protected in an SQL database, using 128 bit encryption

Data is protected by BluePrint who are ISO27001 accredited

How Long We Keep This Information

We are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

Personal data processed by us is kept by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).

Because of the nature of our business and the necessity to monitor audiological changes over lengthy periods of time, our retention policy period for records and other documentary evidence created in the provision of services, is 20 years, or until a ‘right to erasure’ request is received by us, or notification of death is received by next-of-kin, or an executor.

In the absence of specific legal, regulatory or contractual requirements, once a right to erasure (also known as a ‘right to be forgotten’) has been received, Basic Personal Data, which includes; address, telephone number, email address is permanently deleted. Limited encrypted Health, Audiological and Accounting Information will be retained indefinitely in order to; comply with legal and regulatory standards and maintain the integrity of our data.

When notification of a client’s death is communicated to us, it will trigger a complete removal of Basic Personal Data from our encrypted database (including address, telephone number, email address), ensuring that no further correspondence will be sent. However, limited Health, Audiological and Accounting Information will be retained.

If a subject requests correspondence with regard to products, services, offers etc. the information that we use for this purposes will be kept by us until we receive notification to stop all communication.

Subject’s Rights

As we process a subject’s personal data, they have certain rights. This includes the ‘Right of Access’, ‘Right of Rectification’, ‘Right of Erasure’ and ‘Right to Restrict Processing’.

Right of Access

We do not hold any unnecessary information about any of our clients. However, if a subject wishes to see a record of what data we do hold, they should submit a Subject Access Requests in writing, by either email or post, stating what information they require. As this request would contain Health Information, we are permitted to charge an administration fee of £10.

Please note: in order to ensure that we are GDPR compliant, we are required to verify identity prior to providing this information. This process involves providing evidence of name, address, telephone number, email address and by attending one of our branches with photographic ID (either a passport or driving licence) to verify identity. Once identity has been confirmed by us, we will respond with the requested information within 30 days.

Right of Rectification

If a subject believes any of the personal information that we hold is incorrect, or incomplete, they should contact us directly. Any necessary corrections to data will be made without undue delay.

Right of Erasure

If a subject believes that we should erase their data, they should contact us at the address shown above.

Right to Restrict Processing

If a subject wishes us to stop storing or using their data, they should contact us at the address shown above.

Data Breach Procedure

Should the personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to the subject’s rights and freedoms, we will contact the subject without delay. We will provide them with contact details of the person who is dealing with the breach, explain to them the nature of the breach and the steps we are taking to deal with it. GDPR regulations require us to report any serious breach (if not encrypted) to the ISO within 72 hours.

Accessing Our Website

Hearing Healthcare Centre may use software embedded in our website (such as JavaScript) to collect information about pages viewed, and how the subject has reached them, what they do when they visit a page, the length of time they remain on the page, and how we perform in providing content. We do not associate such information with an identifiable person.

Links to Other Web Sites

Links, or references, to other websites may be found on the Hearing Healthcare Centre website. Please be advised that we have no control over other websites, and that our Privacy Policy does not apply to any other website. We encourage you to examine the privacy policy of every website you visit.

Cookies

Cookies are small text files that are placed on a computer’s hard drive through it’s web browser when visiting any website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Like all other users of cookies, we may request the return of information from a subject’s computer when their browser requests a web page from our server.

Cookies enable our web server to identify a subject to us, and to track any actions and pages visited while using our website. The cookies we use may last for a single visit to our site (they are deleted from a computer when closing the browser), or may remain on a computer until deletion, or until a defined period has passed.

Although browser software enables cookies to be disabled, we recommend allowing the use of cookies to take advantage of the features of our website that rely on their use. If this is prevented, functionality of the website will be reduced.

Here are the ways we use cookies:

  • To record whether a subject has accepted the use of cookies on our website site. This is solely to comply with the law. If a subject has chosen not to accept cookies, we will not use cookies for the visit, but unfortunately, our site will not work as effectively.
  • To allow essential parts of our website site to operate.
  • To operate our content management system.
  • To operate the online notification form – the form used to contact us for any reason. This cookie is set on arrival at our website site, and deleted when the browser is closed.
  • To enhance security on our contact form. It is set for use only through the contact form. This cookie is deleted when the browser is closed.
  • To collect information about how visitors use our site. We use the information to improve visitor’s experience of our site. This cookie collects information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from, and the pages they visited.
  • To store any personal information so that a visitor does not have to provide it afresh when revisiting the site.
  • To enable visitors to watch videos we have placed on YouTube. YouTube will not store personally identifiable cookie information when using YouTube’s privacy-enhanced mode.

Should You Wish To Complain

If a subject wishes to raise a complaint on how we have handled their personal data, they can contact us, and our Data Controller will investigate the matter. Our Data Controller is Mr. Andrew Coughlan (Director, Hearing Healthcare Centre), and he can be contacted by emailing andy@hearinghealthcarecentre.co.uk

If a subject is not satisfied with our response, or believes we are processing their personal data not in accordance with the law, they can contact the Information Commissioner’s Office (ICO) https://ico.org.uk/