GDPR Information
Lawful basis and transparency
Information audit, type of information processed and access
Med App has fewer than 250 employees and so is not required to conduct an audit of our processing activities under GDPR. Further, the data processing being carried out is not likely to result in a risk to the rights and freedoms of users.
Legal justification for data processing activities
Med App processes data for the legitimate interest of the controller (customer hospitals and health facilities) under Article 6(1)(f) GDPR.
Customer hospitals and health facilities engage Med App for a range of legitimate purposes. Primarily these are to provide high quality clinician orientation and communication. Med App is engaged under subscription-based contracts which determine what is customer data and the reasons that Med App is being engaged.
Med App has conducted a Data Privacy Impact Assessment in relation to our primary operations which can be found here.
Information about data processing and legal justification in privacy policy
You can find our full privacy policy on our website here: https://www.med.app/privacy-policy/
Access to the privacy policy is also provided when users are registering or logging in to the mobile app.
Data security
Data protection is taken into account at all times
Data protection is core to the Med App development process, both for our engineering and operations team. Company policies addressing this are listed below:
- Data Protection Policy
- Data Retention Policy
- Information Security Policy
- Software Development Life Cycle
*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9
Encryption, pseudonymisation or anonymisation of personal data
Med App is committed to only collecting data necessary to provide our services effectively and improve the experience for clinicians and other users who use our products and services.
Med App maintains a company encryption policy which can be found here (Encryption Policy).
All mobile app data is anonymised so that people are free to access information and content that may be useful to them without feeling like their actions are being monitored. The anonymised data is used to help the Med App team and hospital teams improve the information on the app for each particular hospital and improve the overall experience.
For admin users of the platform (dashboard users responsible for management of content or communications) we do not anonymise data as it is required for maintaining appropriate governance and transparency for the organisations using Med App.
*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9
Internal security policies and awareness
Med App maintains a suite of policies and automated monitoring systems to ensure we are complying with up-to-date standards. All our policies are mapped to the ISO 27001 standard.
Some relevant policies that apply to internal security are:
- Data Protection Policy
- Data Retention Policy
- Information Security Policy
- Software Development Life Cycle
- Password Policy
- Physical Security Policy
- System Access Control Policy
- Vulnerability Management Policy
*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9
Med App also ensures staff and contractors have criminal history background checks and complete security awareness training annually.
When data protection impact assessments are conducted
Med App will conduct a data protection impact assessment whenever a new engineering project is being commenced that may change or add to the data being collected and processed through the platform.
Where a new implementation is set up using the standard Med App feature set, the existing data protection impact assessment for the core platform will apply.
Notification of authorities and data subjects in the event of a data breach
Med App maintains policies that govern notification of affected users and relevant authorities in the case of a data breach. The policies can be found here (Incident Management Policy; Disaster Recovery Plan).
*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9
Accountability and governance
Responsible roles for ensuring GDPR compliance across your organisation
Med App has senior officers whose duties cover privacy and security within the organisation and across our products. This includes responsibility for compliance with GDPR.
- Security Officer: Luke Godeassi (Head of Engineering)
- Privacy Officer: Duncan Paradice (Chief Operating Officer)
Data processing agreements with third parties that process personal data on Med App’s behalf
All third-party organisations have a data processing addendum as part of their customer service terms. You can find links to the relevant addendums or processing agreements here:
- AWS Data processing agreement
- Twilio Data processing agreement
- Sendgrid Data processing agreement (see Twilio agreement)
- Intercom Data processing agreement
- Auth0 Data processing agreement
Designated EU member state representative
Med App is not an EU-based company and does not have a registered office in the EU or the UK.
As a small company we do not yet have a designated GDPR representative in an EU member state. We are currently investigating options to have a designated representative and will update this page with that information as soon as possible.
Data Protection Officer requirement
Med App does not meet the criteria under the GDPR for requiring the hiring of a designated Data Protection Officer. Information on the roles responsible for managing privacy and security can be found in the questions above.
Privacy rights
Requesting and receiving all the information you have about users/customers
Customers and users can use a variety of channels to request information held about them.
- In-app, dashboard or website live chat. Always monitored by Med App Hospital Success and Support team.
- Email: [email protected] or [email protected]
Correcting or updating inaccurate or incomplete information
Users can see and update their personal information in the app via the ‘more’ tab, then tapping the ‘edit details’ button.
There may be other information processed through the app as part of the ‘Forms’ workflow that needs to be edited by the clinician’s hospital. These include things like workplace based assessments or mid and end of term assessments. While the information is processed in the app, the data is managed as part of legal requirements by the clinician’s hospital.
Note that not all customer sites use or have access to the ‘Forms’ feature, so this may or may not apply to your particular site.
Requesting personal data be deleted
Users can delete their Med App account directly from the mobile app. This will wipe their account and associated data from the database.
Note that this will not delete some kinds of data from the database, for example Forms data associated with assessments, education session attendance data or orientation letter read receipts. This information is required to be maintained by the hospital sites as part of their accreditation duties, so it cannot be edited or deleted by the self-service account deletion process.
Requesting to stop processing data
Customers and users can use a variety of channels to ask us to stop processing their data if circumstances under Article 18 of the GDPR apply:
- In-app, dashboard or website live chat. Always monitored by Med App Hospital Success and Support team.
- Email: [email protected] or [email protected]
Receiving a copy of personal data
Customers and users can use a variety of channels to ask us for a copy of the data held about them. The majority of the information can be exported or extracted directly from the mobile app; however, users can contact the team if additional information is required or they have questions about the format. All data is provided to users in common formats such as Excel-readable files, PDFs or rich text/Word files. Contact methods are:
- In-app, dashboard or website live chat. Always monitored by Med App Hospital Success and Support team.
- Email: [email protected] or [email protected]
Objecting to processing data
Customers and users can use a variety of channels to object to processing their data if relevant circumstances apply:
- In-app, dashboard or website live chat. Always monitored by Med App Hospital Success and Support team.
- Email: [email protected] or [email protected]
Making decisions about people based on automated processes
Med App does not make decisions about people based on automated processes.