About Aire Logic Ltd (“Aire Logic”)
Aire Logic is committed to protecting the privacy and security of personal information. This document describes how data is collected, handled and used in accordance with the General Data Protection Regulation (GDPR) in relation to the Portal.
Local School Healthcare Provider Organisations are guided by Government Policy and supported by their professional skills to lead and deliver public health for children and young people aged 0-19, the key document being The Healthy Child Programme (2009); the aim of which is to bring health, education and other main partners to deliver a universal programme for prevention and support. Aire Logic have been contracted by local NHS Trust/Healthcare Provider Organisation to supply The Lancaster Model Portal: a validated, systemic approach to assess the health and wellbeing needs of both individuals and populations and deliver on the requirements of The Healthy Child Programme. For more information on The Lancaster Model you can look at our website.
The Portals are used by numerous organisations to process data and all regulatory and legal processes are put in place as a conscientious supplier of software solutions and data processors to its customers.
Information Governance and, since May 25th, 2018, the General Data Protection Regulation (GDPR) set out the rules and standards for the use and handling (processing) of information (personal data) about living identifiable individuals (data subjects) by organisations (Data controllers).
DATA PROTECTION PRINCIPLES
We comply with data protection law. This says that the personal information we hold about you must be:
1. Processed lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that have been clearly explained to you and not used in any way that is incompatible with those purposes defined by the local Healthcare Provider Organisation.
3. Relevant to the purposes you have been informed about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes of the Healthcare Provider Organisation, which you will have been informed about.
7. Effective governance measures are in place to ensure we continue to meet our obligations.
Aire Logic are Data Processors and the Healthcare Provider Organisations are the Data Controllers.
Aire Logic have an appointed Caldicott Guardian – Andrew Martin
THE KIND OF INFORMATION WE HOLD ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection such as health information, or information about racial or ethnic origin which is afforded a higher level of privacy protection.
WHAT SPECIAL CATEGORIES OF DATA ARE COLLECTED?
We will only process the following “special categories” of more sensitive personal information where they are collected through the Questionnaires.
● Information about your child’s health and wellbeing.
● Name and age, and address if provided.
HOW IS YOUR PERSONAL INFORMATION COLLECTED?
Aire Logic will gather information in the following way:
● Directly (where the information is provided by you or your child/young person) through the health needs assessment/Questionnaire.
HOW WE WILL USE INFORMATION ABOUT YOU
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
1. Where we need to comply with a legal obligation.
2. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use personal information in the following situations, which are likely to be rare:
1. Where we need to protect your interests (or someone else’s interests).
2. Where it is needed in the public interest (or for official purposes).
HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION
“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collection and storage for this type of personal information. We process special categories of personal information in line with our contract with the healthcare provider organisation and in the following circumstances:
1. Where we need to carry out our legal obligations and in line with our Policy.
2. Where it is needed in the public interest.
Aire Logic do not use any identifiable personal data, nor do we share this with any parties outside of our contract with your local Health Provider Organisation. We will ensure that any agreed third parties respect the security of your data and treat it in accordance with the law.
Where permitted by law, we may transfer your personal information outside the EU. If we do, you can expect the same degree of protection in respect of your personal information.
Why might you share my personal information with third parties?
We will share your personal information with third parties where required by law, or where we have another legitimate interest in doing so.
“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following third-party service providers process personal information about your child or young person for the following purposes:
The Lancaster Model Portal: Hosted CRM software
How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions and that of the Healthcare Provider Organisation who have the SaaS Contract with Aire Logic.
We have put in place measures to protect the security of your information. Details of these measures are available upon request. All data is stored securely in the Cloud in the UK (Amazon Web Services). Each Healthcare Provider Organisation’s Portal is monitored to ensure data security and is regularly updated.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
The Healthcare Provider Organisation controls the deletion of the data so will only retain your personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
Your duty to inform the Healthcare Provider Organisation of changes
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information that is held about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information held about you corrected.
Request erasure of your personal information. This enables you to ask the Healthcare Organisation to delete or remove personal information where there is no good reason for continuing to process it. You also have the right to ask to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground.
Request the restriction of processing of your personal information. This enables you to ask to suspend the processing of personal information about you, for example if you want to establish its accuracy or the reason for processing it.
Request the transfer of your personal information in a portable format to another party. This allows you to take your information from our IT environment to another organisation’s IT environment. The format will be chosen based on the information provided; this is likely to be a generic file format such as CSV.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact your local School Health team who sent you the request or information initially.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
For your Healthcare Provider Organisation (or in some circumstances Aire Logic) to carry out your request they may need to request specific information from you to help confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Healthcare Provider Organisation. Once they have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Guidance and Training
Aire Logic Directors, employees and associates all have responsibility to ensure compliance with Information Governance and GDPR and to ensure that they comply with them in day-to-day business. They all undertake IG training on an annual basis.
Change of purpose
Data Protection and Brexit
Like all areas of law derived in part from the European Union, data protection legislation will be subject to changes following the UK’s departure from the EU.
During the transition period (i.e. 1 February – 31 December 2020, unless extended), there will be no changes at all. The GDPR (as supplemented by the DPA 2018 and various other laws) will continue to apply in full while long-term data protection arrangements are negotiated.
After the transition period (i.e. from 1 January 2021, unless the transition period is extended), the UK Government has made it clear that all the substantive provisions of the GDPR (as supplemented by the DPA 2018 and various other laws) about principles, rights and accountability obligations will continue to apply in the UK regardless of the outcome of the negotiations.
However, if the negotiations do not lead to a long-term arrangement that covers data protection matters, it is possible that a ‘no deal’ scenario will re-emerge. If this scenario looks to become a reality this policy will be updated to reflect this.
If you have any further questions, please contact us at:
Aire Logic Ltd, 24-26 Aire Street, Leeds, LS1 4HT UK
Attention: Privacy Officer