1. Introduction

The GTT@home service (the “Service”) is provided by Digostics Limited, a private limited company incorporated in England and Wales with company number 11797881, whose registered office is at Harwell Innovation Centre, Curie Avenue, Harwell Oxford, Didcot, Oxfordshire, England, OX11 0QG, United Kingdom, ICO registration number: ZB281144, (referred to as “Digostics”, “we”, “us” and “our” in this notice).

This privacy notice is addressed to patients who use the Tests and App and explains our processing of personal data relating to patients that is collected, stored and processed by the App and Platform or in connection with the use of the Tests and App. 

For the purposes of data protection laws in the United Kingdom (“UK”) and European Union, some of the processing of this personal data is carried out by us as a controller for our own purposes and some is carried out by us as a processor on behalf of our healthcare provider customers, as detailed in Section 3.

2. Types of personal data we process

We process the following information relating to you in connection with the Service:

Patient data

The Platform contains personal data about you, which has been inputted by your healthcare provider. This includes your:

 

  • name
  • patient ID number used by your healthcare provider
  • NHS number
  • assigned healthcare professional
  • condition being tested for
  • reason for the test being taken
  • any notes added by your assigned healthcare professional in relation to the test
  • date of birth
  • phone number
  • email address
  • home address
  • communication preference
  • any notes added by your assigned healthcare professional in relation to the delivery of the test
  • height
  • weight
  • sex
  • ethnicity group
  • expected pregnancy date
  • Risk factors (including, but not limited to, BMI > 30, previous gestational diabetes, history of PCOS, IVF pregnancy, previous large baby >4.5kg) 
  • test results
  • date and time of tests taken
  • any notes added by your assigned healthcare professional in relation to the test results

This information is referred to as "patient data" in this notice.

Delivery data

The Platform uses your name, home address (for home deliveries), phone number and email address and shares those details with our delivery service provider to deliver Tests to you. These details are referred to as “delivery data” in this notice.

Test ID

The Test you have been provided with has a unique device ID stored on it which has been linked to your details on the Platform. This is referred to as the “Test ID” in this notice.

The Test ID is not personal data by itself as it cannot be used to identify you as an individual patient: only when it is linked by the Platform with your details on the Platform can it be attributed to you as an individual and therefore becomes personal data.

Results data

The Test transmits the Test ID and the Test results to the App and the App transmits those details to the Platform. These details are referred to as “results data” in this privacy notice.

The Test ID and results are not personal data by themselves as they cannot be used to identify you as an individual patient: only when they are linked by the Platform with your details on the Platform can they be attributed to you as an individual and therefore become personal data.

Technical data

The App also collects the following information about your mobile phone:

  • the IP address used to connect your phone to the internet
  • the operating system used on your phone
  • the make and model of your phone
  • device identifiers
  • time zone, language and location settings
  • your mobile network provider and your location (based on your IP address)
  • your interactions with the App
This information is collected automatically by the App. This is referred to as “technical data” in this privacy notice. See Section 8 for more information about the cookies used on the Platform.
Support contact data

If you contact us to request support in using the Test or App, we will obtain information about you depending on what method you use to contact us:

  • for live chat, we will obtain your name, email address, phone number, date of birth and test ID;

  • for email requests, we will obtain your name, email address, phone number, date of birth; test ID, any personal data you include in your message and the time and date the email was sent;

  • for phone requests, we will obtain name, email address, phone number, date of birth; test ID, any personal data you mention in your message and the time and date of the call.

This information is referred to as “support contact data” in this privacy notice.

3. Our purposes for processing personal data

Below we describe the purposes for which we use personal data, whether we act as a controller or processor for each purpose, the types of personal data we use for each purpose and the legal bases for doing so.

Purpose

Controller or processor

Type of personal data used

Legal basis

Enabling healthcare professionals to assign Tests to patients.

 Processor

Patient data
Test ID

 


 Our healthcare provider customers are the controller for this processing and determine the legal basis for it.  Please contact or refer to the privacy notice of your healthcare provider to confirm which legal basis it relies on for this processing.


 


 

Enabling Tests to be delivered to patients.

Processor 

 Test ID
Delivery data

Enabling patients to report test results via the app.

Processor 

 Test ID
Results data
Technical data

Enabling healthcare professionals to view patient results to aid diagnosis.

Processor

Patient data
Test ID
Results data

Enabling patients to access and use the App.

Controller

Technical data

Legitimate interests: enabling patients to access and use the App and providing the GTT@home Service to our customers.

Ensuring the security and integrity of the App.

Controller

Technical data

Legitimate interests: ensuring that the App is secure and remains available for patients to use, to protect our business, customers and patients.

Providing support to patients in relation to using the Tests and App.

Controller

Support Contact Data

Legitimate interests: helping patients to use the App and identifying and resolving any technical problems with the Tests or App.

Analysing and understanding how the App is used so that we can improve its content and functionality.

Controller

Technical data
(We will only use aggregated data which cannot be used to identify individuals.)

Consent
Legitimate interests: improving the GTT@home Service and App for the benefit of patients and healthcare providers.

Safety, training, regulatory, and compliance purposes, such as sharing data with regulatory bodies like the Medicines and Healthcare Products Regulatory Agency or Care Quality Commission if legally required and auditing the quality of the results provided by the Tests.

Controller / Processor

HCP data / Patient data

Legitimate interests.

Compliance with a legal obligation.

Analysing and demonstrating trends relating to use of the App and GTT@home Service, for example, the number of users of the Platform, Tests or App or trends in a particular location.

Controller

[Test ID]
[Patient data]
(We will only use aggregated data which cannot be used to identify individuals.)

Legitimate interests: understanding and reporting on usage and trends relating to the App and GTT@home testing service.

 In addition to the purposes set out above, we may also process personal data as a controller if and to the extent necessary for the following purposes:

Purpose Legal Basis
Establishing, exercising or defending legal claims.     Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others.
Obtaining or maintaining insurance cover, managing risks or obtaining professional advice. Our legitimate interests in protecting our business against risks.
Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator. Compliance with a legal obligation.

 

4. Who we share personal data with

Different categories of users have access to data stored on the Platform as set out below:

User Type

Data accessed

Healthcare professionals

 [Patient data, Test ID and delivery data relating to their assigned patients]

Staff admin users 

[Patient data, Test ID and delivery data relating to all patients under the care of the relevant healthcare provider]

Digostics support staff

Our support staff, including outsourced support staff, will have access to Patient data, Test ID and delivery in connection with providing support to patients using the App and Tests.

Service providers

We use Microsoft Azure to host the Platform and App, which means that Microsoft Corporation receives all data collected, stored and processed by the Platform and App.

We use Complete Packaging Ltd to print address labels for the Test packages that are sent out to patients.  The Platform automatically sends patients’ names and postal addresses, email and telephone number to Complete Packaging Ltd for this purpose.

Both Microsoft Corporation and Complete Packaging Ltd process personal data as processors in accordance with our instructions to the extent necessary to provide their services, and their processing is governed by contracts with us to ensure they act in accordance with UK data protection laws.

We use Royal Mail Group Limited (“Royal Mail”) to deliver the Test packages to patients.  This means that Royal Mail receives patients’ names, addresses, phone numbers and email addresses to enable it to deliver the packages to patients.  Royal Mail acts as a controller for this processing and is subject to UK data protection laws – see Data Protection at Royal Mail Group | Royal Mail Group Ltd for more information.

Healthcare regulators

If we're legally required to, or asked by a regulator, we may need to share patient data with regulatory bodies like the Medicines and Healthcare Products Regulatory Agency or Care Quality Commission.

 

Health bodies

In a public health emergency, we may share patient data in a way that is appropriate and lawful with organisations such as:

  • NHS Digital
  • NHS England and Improvement
  • NHS Wales
  • NHS Scotland
  • Public Health England
  • Local authorities
  • Health organisations
  • GPs


We will limit the use or sharing of data to the period of the emergency and will only share data to the extent necessary, using anonymised or pseudonymised data where possible.
If we share statistics on certain types of illness, symptoms and conditions derived from patient data with health bodies, these will be in the form of aggregated data that cannot be used to identify individuals and will not therefore comprise personal data.


Third party Electronic Patient Record system users

If your healthcare provider has asked us to integrate the Platform with an Electronic Patient Record system it uses, other users of those systems may have access to the patient data stored in the Platform depending on the access permissions that apply to those systems. In cases where integration with an Electronic Patient Record occurs, there will be a signed data sharing agreement that governs the extent of the data sharing activity.


Other organisations

Additionally, we may disclose personal data to other organisations or individuals where disclosure is necessary for the purposes set out above, for example if we are under a duty to disclose or share personal data in order to comply with any legal obligation, in order to enforce or apply the terms of any agreement to which we are a party or to protect the rights, property, or safety of Digostics, patients, our customers or others.  This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.  In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.

5. Transfers of personal data outside the UK

The Platform and the data processed by the Platform is stored and hosted in a Microsoft Azure datacentre in the United Kingdom.  However, our use of Microsoft Azure involves transfers of all data collected, stored and processed by the Platform to Microsoft Corporation and its sub-processors in the United States of America and other countries.  As some of these countries (including the USA) are not deemed to provide adequate protection for personal data by the UK government or European Commission, we use Standard Contractual Clauses as an appropriate safeguard to protect the data transferred in accordance with applicable data protection laws.  The Standard Contractual Clauses that apply between us and Microsoft Corporation are included in the Microsoft Data Protection Addendum which can be viewed here: Licensing Documents (microsoft.com)

6. Transfers of personal data outside the UK

We will retain personal data only for as long as is necessary for the purposes described in this notice.  The applicable retention periods are set out in our Data Retention Policy. 

7. Security of personal data

We use appropriate technical and organisational measures to safeguard and secure the information we obtain in connection with the provision of the Platform, as set out in detail in our Data Security Statement.

8. Cookies used on the app

We do not use any cookies on the App.

9. Your rights in respect of personal data

You have various rights under data protection law in respect of our processing of your personal data when we process your personal data as a controller.  These are:

  • the right to access – you can ask us for copies of any personal data we hold about you, along with information about our processing of that data

  • the right to rectification – you can ask us to correct any inaccurate personal data we hold about you and to complete any incomplete personal data

  • the right to erasure – you can ask us to delete your personal data

  • the right to restrict processing – you can ask us to restrict processing of (not actively use) the personal data we hold about you

  • the right to object to processing – you can object to our processing of your personal data

  • the right to data portability – you can ask that we transfer the personal data we hold about you to another organisation or to you in a structured, commonly-used and machine-readable form

  • the right to withdraw consent – if we process any of your personal data on the basis of your consent, you can withdraw that consent

  • the right to complain to a supervisory authority – you can complain about our processing of your personal data to a data protection authority.  The UK supervisory authority is the Information Commissioner’s Office (“ICO”) – see Data protection complaints | ICO for details of how to complain to the ICO.

These rights are subject to certain limitations and exceptions.  You can learn more about your rights as a data subject by visiting Individual rights | ICO.

Please contact quality@digostics.com if you wish to exercise any of your rights or if you have any requests, questions or concerns relating to our use of your personal data.

10. Changes to this privacy notice

Any changes we make to this privacy notice in the future will be posted on the Platform and, where appropriate, notified to you or patients by e-mail or other suitable method.  

This policy was last reviewed on 29th May 2024.

11. Contact

Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to quality@digostics.com.