Zesty Corporate Website and Platforms Privacy Notice

 

Zesty Limited (“Zesty”, “us”, “our” and “we”) respects and values your privacy and is committed to protecting your personal data. This privacy notice tells you how we look after your personal data when you use either of the Zesty platforms: the Consumer Platform and the Enterprise Platform (together the “Platforms”, each a “Platform”).

About us

Zesty Limited is a limited liability company incorporated in England and Wales with company number 08294659 whose registered office is at 82 St John Street, London, England, EC1M 4JN.

We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the Data Protection Act 2018 and the General Data Protection Regulation, and we need to uphold the common law duty of confidentiality.

We have appointed a Head of Information Governance who is the Data Protection Officer responsible for overseeing questions in relation to this privacy notice.

Contact details

Name or title of data privacy manager: Data Protection Officer
Email address: privacy@zesty.co.uk
Postal address: Zesty Limited, Runway East, 20 St Thomas Street, SE1 9RS

Purposes of our processing

Zesty Limited provides two platforms (*):

  • Zesty Consumer: a stand-alone clinic scheduling and booking application
  • Zesty Enterprise: an integrated suite of patient-facing services

(*) ‘Platform’ means the digital service; you may also hear it referred to by the term ‘patient portal’. It will have a different name in each Provider Trust that commissions it from Zesty Limited.

The Care Quality Commission registers Providers of health or social care who are then commissioned to deliver different types of care to patients and clients. Providers in turn purchase digital services through contracts to support their various care services in different ways. Zesty Limited supplies two platforms which are patient-facing; that is, they are directed primarily at the patient rather than the organisation or clinicians within the organisation.

Zesty Consumer is relatively narrow in focus: it allows a Provider to set up a “clinic” or equivalent and the patient to book into a slot within it. Zesty Enterprise is more complex. It is integrated with the Provider Electronic Patient Record (EPR) system or Patient Administration System (PAS) and currently supports a variety of services that use a range of digital technologies to enable improved patient contribution to care and/or greater efficiency of Provider processes, for example:

  • Patients being able to register with a patient portal to their record
  • Reminders for appointments and registration can be sent to patients
  • Transfer of appointment letters and other appointment artefacts (for example maps, instructions and background information) can take place digitally without reliance on paper
  • Clinical communications, for example discharge summaries, can be sent to the patient in line with good professional practice
  • The ability of patients to re-schedule or cancel and self-discharge appointments
  • Patients can be speedily informed of changes to their appointments, e.g. the conversion of a face-to-face appointment to a telephone or video consultation

The source of personal data used by the Platforms

There are currently two sources of personal data used by the platforms:

  1. The Provider, which in the case of Zesty Enterprise is data from the Provider EPR or PAS
  2. You, the patient, as a direct input, via a form you fill in on-line, or via a (medical) device prescribed or recommended by your responsible clinician or one of their team which collects data about you.

The lawful basis of processing

Zesty Limited is a Data Processor and works under contract to the health or social care Provider who is the Data Controller.

Zesty Enterprise supports the personal care and treatment (or direct care) of patients by the Provider and as such processes data under contract to the Data Controller, who are currently NHS Trusts. The legal basis for their processing of special category personal data is usually:

  • General Data Protection Regulation Article 6(1)(e) for personal data and Article 9(2)(h) for special category data
  • When relying on GDPR Article 9(2)(h) to process special category personal data, the controller is also required to meet the associated condition in UK law. It is likely that the controller is relying on paragraph 2 of Schedule 1 of the Data Protection Act 2018 in that the processing is necessary for health or social care purposes.

Zesty Enterprise registration for the patient facing services functions as both an authentication process and a consent process for meeting its processing duties from the Common Law Duty of Confidentiality.

Zesty Consumer supports the direct care of patients and as such processes data under contract to the Data Controller, who are currently NHS Trusts. The legal basis for their processing of special category personal data is usually:

  • General Data Protection Regulation Article 6(1)(e) and Article 9(2)(h)
  • When relying on GDPR Article 9(2)(h) to process special category personal data, the controller is also required to meet the associated condition in UK law. It is likely that the controller is relying on paragraph 2 of Schedule 1 of the Data Protection Act 2018 in that the processing is necessary for health or social care purposes.

The Trust gives the patient an access link to the web-based application and the patient uses the service (or not). Based on that positive action, Zesty meets its processing duties from the Common Law Duty of Confidentiality.

Zesty Limited works as a Data Controller for personal data from people who contact them through the corporate web site for a demonstration of either Platform and for the personal data on the platform required for demonstration purposes when using their own device. The lawful basis is explicit consent.

The recipients or categories of recipients of the personal data

The primary recipients of the personal data are patients themselves or people who have legal proxy or guardian roles for them. The secondary recipients are the Providers themselves when patients use the Platform to communicate with their hospital or other care provider. Finally, there are the Zesty subcontractors, who are part of the Provider (DC-DP) contract and must conform to the same information governance rules as Zesty does through separate specific contracts (DP-DP) with Zesty. Zesty Limited has used or is using the following sub-contractors who access personal data under contract to Zesty:

  • Email services
  • Text services
  • Support function service

The details of transfers of the personal data to any third countries or international organisations

Zesty Limited currently uses one international sub-contractor, which is self-certified with the Privacy Shield (more information about the Privacy Shield here; Privacy Shield is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to non-EU countries, i.e. to meet the adequacy decision under Article 45 of GDPR).

The retention periods for the personal data

Zesty Limited is a data processor for health and care providers who are the Data Controllers and part of the NHS or adult social care system. Zesty therefore sets its retention and deletion standards based on the prevailing norm in that system. Zesty adheres to the Records Management Code of Practice for Health and Social Care 2016 and as such has adopted Appendix 3 of the Code which contains the detailed retention schedules. It sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement.

In circumstances relating to demonstration of either Platform the retention period is for as long as the client, potential client or staff member consents to the continued requirement to demonstrate the Platform on their device.

The rights available to individuals in respect of the processing

Your rights to access, rectification, erasure, restriction, objection and data portability are determined by your health or social care Provider and should be described within their privacy notice. Zesty is able to support them in meeting their legal duties to you, but it is worth noting that the Zesty Platforms do give you access to the data it processes on behalf of the Provider and it uses information created by you or present in your medical record for that purpose. Zesty Limited does not undertake automated individual decision making and profiling.

The right to withdraw consent

The only processing for which Zesty Limited relies on consent as the legal basis under the General Data Protection Act is the demonstration of either platform. This consent can be withdrawn at any time the client representative or staff member wishes to do so.

As a patient under the care of a Provider you can choose to use the services the Provider has purchased from Zesty. Equally you can choose to remove your registration from these services as and when you decide. The instructions on how you do this are included in the Platform when you are using it.

The right to lodge a complaint with a supervisory authority

You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data. The supervisory authority in the UK is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us, or the relevant data controller where we are acting as a data processor, in the first instance.