Big Picture Privacy Policy


Our mission at Big Picture Medical Limited (“Big Picture”) is to provide you with better options to access healthcare. We are committed to protecting and respecting your privacy. This Privacy Policy explains what personal data we collect and how we use it.

For the purpose of the General Data Protection Regulation (“GDPR”) and Data Protection Act 2018 (“data protection law”), the data processor is Big Picture Medical Limited of 15th Floor, 6 Bevis Marks, London, UK, EC23A 7BA (“Big Picture”).

What personal data do we hold?

In order to provide you with a high standard of healthcare, we need to hold and process your personal data. This includes:

  • your past and current medical conditions; personal details such as your age, national insurance number/NHS number, address, telephone number, mobile phone number, email address; and the details of your general or medical practitioner(s)

  • racial and ethnic origin

  • family details, for example next of kin details

  • lifestyle and social circumstances

  • responses to surveys, where individuals have responded to surveys about healthcare issues

  • radiographs, clinical photographs and study models

  • information about the treatment that has been provided

  • notes of conversations/incidents that might occur for which a record needs to be kept

  • records of consent to treatment

  • any correspondence relating to you with other healthcare professionals, for example in the hospital or community services.


As part of our service, you may be provided with a Patient Report. This report will be made available to you through our website and may require an SMS code to securely view it. When you visit our website, we may collect certain information such as browser type, operating system, device type, etc.

Our site may from time to time have links to other websites not owned or controlled by us. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval of these websites. Please be aware that Big Picture is not responsible for the privacy practices of other such websites. We encourage our users to be aware when they leave our website and to read the privacy statements of each and every website that collects personal data.

Why do we hold your personal data?

We need to keep comprehensive and accurate personal data about patients in order to assist your healthcare providers and practitioners to provide you with safe and appropriate healthcare. Big Picture may also use this information to improve its products and services and better understand your needs.

If you provide consent, anonymised clinical data including medical images may also be accessed and viewed by Medical Practitioners (e.g. Ophthalmologists and Ophthalmology trainees), Allied Health Staff (e.g. Optometrists) and Clinical Researchers for the purpose of:

  • Education: teaching, mentoring or studying particular medical conditions in the United Kingdom or overseas.

  • Research: inclusion in presentations, publications and research papers for the purpose of education, assessment and/or research.

However, if you do not consent, this will NOT compromise the clinician-patient relationship or the care that is provided to you by the clinicians.

Legal grounds on which we will process your personal data

We will only process your personal data when the law allows us to do so, i.e. where we have a lawful basis for doing so. This will include in the following circumstances:

  • On the basis of your consent.

  • Where we need to perform the contract we are about to enter into or have entered into with you, or take any steps you ask us to before entering into a contract with you.

  • Where it is necessary to do so in order to comply with any legal obligations we have.

  • Where the processing is necessary for our legitimate interests in providing or promoting our services.

We may process special category personal data with your explicit consent or where permitted by data protection law, such as where it is necessary to protect your vital interests (for example in the event of an emergency), where it is in the substantial public interest or where the data has been manifestly made public by you.


By submitting your personal data to our applications, you agree to Big Picture processing your personal data for the purpose of providing our services to you. You may withdraw your consent at any time by contacting us on the details set out below. Please note that in the absence of such consent we may no longer be able to provide you with our service.

By agreeing to this policy, you consent to:

  • The sharing of your personal data for the purposes described herein and release Big Picture from any and all liability arising from your participation subject to the limitations pursuant to your rights as outlined in the Privacy Policy; and

  • Big Picture contacting you by a variety of measures including, but not limited to telephone, email, SMS or mail.

Retaining your personal data

We will only retain your personal data for as long as necessary. Records will be maintained in line with the NHS England retention schedule which determines the length of time records should be kept.

However, if you provide consent, anonymised clinical data including medical images may be stored electronically for an indefinite period of time for the purposes of education and research (as outlined above).

Security of your personal data

Big Picture is committed to ensuring that the personal data you provide to us is secure. All of your personal data will be stored and processed securely in the United Kingdom or in other locations where appropriate safeguards are in place.

In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your personal data and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. For instance, Big Picture adopts ISO27001 vulnerability management principles and performs annual penetration testing on its service.

NHS login

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

Disclosure of your personal data

Disclosure will take place on a ‘need to know’ basis, so that only those individuals / organisations who need to know in order to provide care to you and for the proper administration of Government will be given the information.

In order to provide proper and safe healthcare, we may need to disclose your personal data to:

  • your general medical practitioner, optometrist or other medical specialist(s) (eg ophthalmologist, endocrinologist etc)

  • the hospital or community healthcare services

  • other health professionals caring for you

We may also disclose your personal data to any private health schemes of which you are a member.

We may also disclose your personal data to the following bodies in order to comply with our legal obligations:

  • NHS payment authorities

  • HMRC

  • the Department for Work and Pensions, where you are claiming exemption or remission from NHS charges

We may also share your information with third parties who supply services to us or process information on our behalf, such as our website developer and other IT service providers. If you would like further information about the identities of our service providers, please contact us directly on the details set out below.

In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your healthcare. In all other situations, disclosure that is not covered by this privacy notice will only occur when we have your explicit consent. We will make all reasonable efforts to inform you of these requests for disclosure.

Transferring personal data outside the United Kingdom

We will only transfer your personal data outside the United Kingdom and European Economic Area ("EEA") where adequate protection measures are in place in compliance with the data protection law.

Your rights

At any point while we are in possession of or processing your personal data you have the following rights:

  • Right to be informed – you have the right to be informed about the collection and the use of your personal data.

  • Right of access – you have the right to request a copy of the personal data that we hold about you.

  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.

  • Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.

  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.

  • Right to object – you have the right to object to certain types of processing such as direct marketing.

  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

Changes to our Privacy Policy

We may change this Privacy Policy at any time in our sole discretion. Any changes will be notified to you the next time you present to our applications and provide your consent. The current policy will then apply.

How to contact us

Questions, comments and requests regarding this policy are welcome and should be addressed to: Data Protection Officer, Big Picture Medical Limited, 15th Floor, 6 Bevis Marks, London, UK, EC3A 7BA, or


In the event that you wish to make a complaint about how your personal data is being processed you have the right to lodge a complaint directly to the Information Commissioner as follows: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Email:  Tel: +44 303 123 1113.

By agreeing to this policy you are accepting and consenting to the practices described herein.