GDPR Information

Lawful basis and transparency

Information audit, type of information processed and access

Med App has fewer than 250 employees, so it is not required to conduct an audit of our processing activities under GDPR. Further, the data processing being carried out is not likely to result in a risk to the rights and freedoms of users.

Legal justification for data processing activities

Med App processes data for the legitimate interest of the controller (customer hospitals and health facilities) under Article 6(1)(f) GDPR.

Customer hospitals and health facilities engage Med App for a range of legitimate purposes. Primarily these are to provide high-quality clinician orientation and communication. Med App is engaged under subscription-based contracts which determine what is customer data and the reasons that Med App is being engaged.

Med App has conducted a Data Privacy Impact Assessment in relation to our primary operations which can be found here.

Information about data processing and legal justification in privacy policy

You can find our full privacy policy on our website here: https://www.med.app/privacy-policy/

Access to the privacy policy is also provided when users are registering or logging in to the mobile app.

Data security

Data protection is taken into account at all times

Data protection is core to the Med App development process, both for our engineering and operations team. Company policies addressing this are listed below:

  • Data Protection Policy
  • Data Retention Policy
  • Information Security Policy
  • Software Development Life Cycle

*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9 

Encryption, pseudonymisation or anonymisation of personal data

Med App is committed to only collecting data necessary to provide our services effectively and improve the experience for clinicians and other users that use our products and services.

Med App maintains a company encryption policy which can be found here (Encryption Policy).

All mobile app data is anonymised so that people are free to access information and content that may be useful to them without feeling like their actions are being monitored. The anonymised data is used to help the Med App team and hospital teams improve the information on the app for each particular hospital and improve the overall experience.

For admin users of the platform (dashboard users responsible for management of content or communications) we do not anonymise data as it is required for maintaining appropriate governance and transparency for the organisations using Med App.

*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9 

Internal security policies and awareness

Med App maintains a suite of policies and automated monitoring systems to ensure we are complying with up-to-date standards. All our policies are mapped to the ISO 27001 standard.

Some relevant policies that apply to internal security are:

  • Data Protection Policy
  • Data Retention Policy
  • Information Security Policy
  • Software Development Life Cycle
  • Password Policy
  • Physical Security Policy
  • System Access Control Policy
  • Vulnerability Management Policy

*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9

Med App also ensures staff and contractors have criminal history background checks and complete security awareness training annually.

When data protection impact assessments are conducted

Med App will conduct a data protection impact assessment whenever a new engineering project is being commenced that may change or add to the data being collected and processed through the platform.

Where a new implementation is set up using the standard Med App feature set, the existing data protection impact assessment for the core platform will apply.

Notification of authorities and data subjects in the event of a data breach

Med App maintains policies that govern notification of affected users and relevant authorities in the case of a data breach. The policies can be found here (Incident Management Policy; Disaster Recovery Plan).

*Access our Trust Centre and request access to the relevant policies as required. Your request will be reviewed in a timely manner: https://app.drata.com/trust/9cbe4359-0c38-11ee-865f-029d78a187d9 

Accountability and governance

Responsible roles for ensuring GDPR compliance across your organisation

Med App has senior officers whose duties cover privacy and security within the organisation and across our products. This includes responsibility for compliance with GDPR.

  • Security Officer: Luke Godeassi (Head of Engineering)
  • Privacy Officer: Duncan Paradice (Chief Operating Officer)

Data processing agreements with third parties that process personal data on Med App’s behalf

All third-party organisations have a data processing addendum as part of their customer service terms. You can find links to the relevant addendums or processing agreements here:

Designated EU member state representative

Med App is not an EU-based company and does not have a registered office in the EU or the UK.

As a small company we do not yet have a designated GDPR representative in an EU member state. We are currently investigating options to have a designated representative and will update this page with that information as soon as possible.

Data Protection Officer requirement

Med App does not meet the criteria under the GDPR for requiring the appointment of a designated Data Protection Officer. Information on the roles responsible for managing privacy and security can be found in the sections above.

Privacy rights

Requesting and receiving all the information you have about users/customers

Customers and users can use a variety of channels to request information held about them. 

Correcting or updating inaccurate or incomplete information

Users can see and update their personal information in the app via the ‘more’ tab, then tapping the ‘edit details’ button.

There may be other information processed through the app as part of the ‘Forms’ workflow that needs to be edited by the clinician's hospital. This includes things like workplace-based assessments or mid- and end-of-term assessments. While the information is processed in the app, the data is managed as part of legal requirements by the clinician's hospital.

Note that not all customer sites use or have access to the ‘Forms’ feature, so this may or may not apply to your particular site.

Requesting personal data be deleted

Users can delete their Med App account directly from the mobile app. This will wipe their account and associated data from the database.

Note that this will not delete some kinds of data from the database, for example forms data associated with assessments, education session attendance data, or orientation letter read receipts. This information is required to be maintained by the hospital sites as part of their accreditation duties, so it cannot be edited or deleted by the self-service account deletion process.

Requesting to stop processing data

Customers and users can use a variety of channels to ask us to stop processing their data if circumstances under Article 18 of the GDPR apply: 

Receiving a copy of personal data

Customers and users can use a variety of channels to ask us for a copy of the data held about them. The majority of the information can be exported or extracted directly from the mobile app; however, users can contact the team if additional information is required or they have questions about the format. All data is provided to users in common formats such as Excel-readable files, PDFs, or rich text/Word files. Contact methods are:

Objecting to processing data

Customers and users can use a variety of channels to object to processing their data if relevant circumstances apply: 

Making decisions about people based on automated processes

Med App does not make decisions about people based on automated processes.