Zesty Limited (“Zesty”, “us”, “our” and “we”) respects and values your privacy and is committed to protecting your personal data. This privacy notice tells you how we look after your personal data when you use either of the Zesty platforms: the Consumer Platform and the Enterprise Platform (together the “Platforms”, each a “Platform”).
Zesty Limited is a limited liability company incorporated in England and Wales with company number 08294659 whose registered office is at 82 St John Street, London, England, EC1M 4JN.
We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the Data Protection Act 2018 and the General Data Protection Regulation, and we need to uphold the common law duty of confidentiality.
We have appointed a Head of Information Governance who is the Data Protection Officer responsible for overseeing questions in relation to this privacy notice.
Name or title of data privacy manager: Data Protection Officer
Email address: firstname.lastname@example.org
Postal address: Zesty Limited, Runway East, 20 St Thomas Street, SE1 9RS
Zesty Limited provides two platforms (*):
(*) ‘Platform’ means the digital service; you may also hear it referred to by the term ‘patient portal’. It will have a different name in each Provider Trust that commissions it from Zesty Limited.
The Care Quality Commission registers Providers of health or social care who are then commissioned to deliver different types of care to patients and clients. Providers in turn purchase digital services through contracts to support their various care services in different ways. Zesty Limited supplies two platforms which are patient facing; that is, they are directed primarily at the patient rather than the organisation or clinicians within the organisation.
Zesty Consumer is relatively narrow in focus and allows a Provider to set up a “clinic” or equivalent and the patient to book into a slot within it. Zesty Enterprise is more complex and is integrated with the Provider Electronic Patient Record (EPR) system or Patient Administration System (PAS). It currently supports a variety of services that enable improved patient contribution to care and/or greater efficiency of Provider processes by using a range of digital technologies, for example:
There are currently two sources of personal data used by the platforms:
Zesty Limited is a Data Processor and works under contract to the health or social care Provider who is the Data Controller.
Zesty Enterprise supports the personal care and treatment (or direct care) of patients by the Provider and as such processes data under contract to the Data Controller, who are currently NHS Trusts. The legal basis for their processing of special category personal data is usually:
Zesty Enterprise registration for the patient facing services functions as both an authentication process and a consent process for meeting its processing duties from the Common Law Duty of Confidentiality.
Zesty Consumer supports the direct care of patients and as such processes data under contract to the Data Controller, who are currently NHS Trusts. The legal basis for their processing of special category personal data is usually:
The Trust gives the patient an access link to the web-based application and the patient uses the service (or not). Based on that positive action, Zesty meets its processing duties from the Common Law Duty of Confidentiality.
Zesty Limited works as a Data Controller for personal data from people who contact them through the corporate web site for a demonstration of either Platform and for the personal data on the platform required for demonstration purposes when using their own device. The lawful basis is explicit consent.
The primary recipients of the personal data are patients themselves or people who have legal proxy or guardian roles for them. The secondary recipients are the Providers themselves when patients use the Platform to communicate with their hospital or other care provider. Finally, there are the Zesty subcontractors who are part of the Provider (DC-DP) contract and must conform to the same information governance rules as Zesty does through separate specific contracts (DP-DP) with Zesty. Zesty Limited has used or is using the following sub-contractors who access personal data under contract to Zesty:
Zesty Limited does currently use one international sub-contractor, which is self-certified with the Privacy Shield. Privacy Shield is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to non-EU countries, i.e. meet the adequacy decision under Article 45 of GDPR.
Zesty Limited is a data processor for health and care providers who are the Data Controllers and part of the NHS or adult social care system. Zesty therefore sets its retention and deletion standards based on the prevailing norm in that system. Zesty adheres to the Records Management Code of Practice for Health and Social Care 2016 and as such has adopted Appendix 3 of the Code which contains the detailed retention schedules. It sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement.
In circumstances relating to demonstration of either Platform the retention period is for as long as the client, potential client or staff member consents to the continued requirement to demonstrate the Platform on their device.
Your rights to access, rectification, erasure, restriction, objection and data portability are determined by your health or social care Provider and should be described within their privacy notice. Zesty is able to support them in meeting their legal duties to you, but it is worth noting that the Zesty Platforms do give you access to the data it processes on behalf of the Provider, and it uses information created by you or present in your medical record for that purpose. Zesty Limited does not undertake automated individual decision making and profiling.
The only processing for which Zesty Limited relies on consent as the legal basis under the General Data Protection Act is the demonstration of either Platform. This consent can be withdrawn at any time the client representative or staff member wishes to do so.
As a patient under the care of a Provider you can choose to use the services the Provider has purchased from Zesty. Equally you can choose to remove your registration from these services as and when you decide. The instructions on how you do this are included in the Platform when you are using it.
You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data. The supervisory authority in the UK is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us, or the relevant data controller where we are acting as a data processor, in the first instance.