This Privacy Notice applies to the processing of personal data collected via our website (www.simplifyhealth.co.uk) (Website); our service directories (for Birmingham: https://birmingham.simplifyhealth.co.uk/en and Surrey: https://surrey.simplifyhealth.co.uk/en) (Service Directories) and any correspondence with us (by phone, email or otherwise) in relation to our Website and Service Directories.
For information about how we process your personal data in connection with providing you with healthcare services, please see our Portal Privacy Notices here:
1. Important Information and who we are
Simplify Health (Simplify Health, we and us) is a trading name under Centene UK Ltd. which is a limited company registered in England and Wales (registered number 10014577).
Simplify Health is a data controller under the GDPR. We work closely with other healthcare providers who may also be data controllers of your personal data.
We respect your privacy and are committed to operating the highest standards when it comes to protecting your personal data.
We will process your personal data “fairly”, “lawfully” and “transparently”. This means (i) we will be open and transparent about how personal data is used; (ii) we will handle data in line with how we say we are going to handle data; and (iii) we will only use or process personal data in accordance with the law. To fulfil these requirements, we set out in this Privacy Notice how Simplify Health collects, uses, retains and discloses personal data.
It is important that you read this Privacy Notice so that you understand how and why we are collecting and/or processing personal data about you. If you have any questions, please contact us at the address provided below.
Data Protection Officer
Simplify Health has appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the DPO at:
Email address: email@example.com
Postal address: 11-13 Cavendish Square, London, W1G 0AN
Telephone number: 020 7307 2850
2. How is Personal Data Collected?
Personal data is any information that can identify a person. We collect your personal data in a number of ways. These include:
- Direct interactions.
You may give us your identity and contact data by filling in forms or by corresponding with us by post, phone, online or otherwise.
- Cookies and Automated technologies (only when using the Service Directories)
As you interact with our Service Directories, we may automatically collect information using cookies. Please see Section 6 of this Privacy Notice for more information about the cookies used on our Service Directories.
- Third parties (for service providers only)
If you are a service provider, we may collect information publicly available on the internet or our NHS partners may provide us with your information to add onto our Service Directories. Please refer to Section 11 of this Privacy Notice for information on how to change or delete the information on our Service Directories.
3. The Data we collect about you
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
This includes your name and, in some cases, your age.
- Contact Details
This includes your address, e-mail address and phone number(s), and if you are a healthcare professional, the organisation you work for.
- Technical Data
This includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Service Directories.
- Usage Data
This includes information gathered from cookies about how you use and interact with the Service Directories.
4. Use and legal basis for processing personal data
We have set out below, in a table format, a description of the types of personal data we collect, what we use it for and our legal basis for doing so.
We will process the categories of personal data listed below for one or more of the following legal bases:
When you give us your consent to process your personal data for one or more purposes listed below;
- Legitimate Interests
Processing of personal data is necessary for our legitimate interests of managing our relationship with you and administering our Website and the Service Directories; and
- Legal Obligations
Processing of personal data is necessary for us to comply with laws and regulations that apply to us.
|Use||Type of Data||Legal Basis|
To answer your queries and comments in relation to the Website and Service Directories
To respond to you and take action when you report a problem with our Website or Service Directories
To provide and improve the Service Directories
To include you on our list of service providers on the Service Directories
To respond to your request to exercise your data protection rights
We may also process your personal data for the establishment, exercise or defence of legal claims.
We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data. Please contact the DPO if you need details about the specific legal ground we are relying on to process your personal data.
We do not process your personal data for any marketing purposes. Should this change we will notify you in accordance with applicable laws.
Automated decision making and profiling
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not carry out any automated decision making including profiling. Should this change we will notify you in accordance with applicable laws.
5. Change of Purpose
We will only use your personal data for the purposes described in this Privacy Notice. If we need to use your personal data for an unrelated purpose, we will update this Privacy Notice and notify you in accordance with the applicable laws.
Cookies are small text files that are placed on your computer, smartphone or other device when you visit our Service Directories. A cookie file is stored on your device and allows us, or our third party service providers (see below) to recognise you and make your visit easier and more useful to you when you revisit our Service Directories.
The following lists the cookies used on our Service Directories:
- XSRF-TOKEN: a token (a string) that is generated by the application platform (Laravel) for each active user session, that is used to verify that the authenticated user is the one actually making the requests to the application and makes it easier to protect the application from Cross-site request forgery (CSRF);
- _ga, _gat, _gid: Google Analytics generated cookies are used to gather information allowing us to understand your interactions with our sites and improve your experience. For more information about the use of Google Analytics and how it collects and processes data, please see “How Google uses information from sites or apps that use our services” (www.google.com/policies/privacy/partners/).
- Font-preference: used to store your preference of font-size;
- Cookie-accepted: cookie that checks whether you accept the cookie notice;
- Laravel session: cookie generated by the application to identify a session instance for a user; and
- Subdomain: cookie that stores value of which Service Directory is browsed, either Birmingham or Surrey, that will allow the application to return the correct information for each directory.
These cookies help us understand if you have visited our Service Directories before, the time you visited the site and the pages you looked at. If you choose to block cookies you will not be able to use all the features on our Service Directories. Certain cookies are required in order for the Service Directories to work properly. These are XSRF-TOKEN, Laravel session and Subdomain.
For more information about cookies, including how to view the cookies that have been set and how to manage or delete them, please visit www.allaboutcookies.org.
The Website and the Service Directories are not intended for children and we do not knowingly collect data relating to children.
8. Disclosure of Personal Data
Third party recipients
We may have to share your personal data for the purposes set out in section 4 above with:
- our IT service providers;
- any member of our group in the European Economic Area (“EEA”);
- our parent company, Centene US; and
- our legal and other professional consultants and advisors.
We require all third parties who process data on our behalf to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share your personal data with more parties than the ones listed above. Should this be the case, we will inform you of the change in accordance with applicable laws and regulations.
Transfers of personal data outside the EEA
Your personal data may be transferred outside the UK and the EEA for the purposes set out above.
For example, our Website is hosted in the US by our parent company Centene US and your personal data may be transferred to the US as part of the operation of the Website.
We take steps to ensure that, when we transfer your personal data outside the EEA, we have adequate safeguards in place in line with applicable data protection laws. For more information about this protection, please contact us at firstname.lastname@example.org.
Our Service Directories are hosted in the UK and no data gathered via the Service Directories is transferred outside the EEA.
9. Data Security
At Simplify Health we take our duty to protect personal data and our confidentiality obligations seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents.
Simplify Health has also appointed a Data Protection Officer (DPO) who has professional experience and knowledge of data protection law, specifically in relation to the type of processing that Simplify Health carries out.
Everyone who works for us is required to undertake annual information governance training and is provided with information governance policies that they are required to read, understand and agree to follow.
We have put in place appropriate security measures, including encryption and using anonymization tools where necessary, to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties on a “need to know” basis. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach in accordance with applicable laws and regulations.
Data Protection Impact Assessment (DPIA)
We carry out DPIAs on processing that is likely to result in high risk to individuals to help identify and minimise data protection risks.
If you would like a copy of a DPIA that we have carried out, please contact our DPO.
10. Data Retention
We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We do not keep your personal data for longer than necessary and up to 7 years after your last interaction with us. We may keep your personal data for longer than 7 years if we cannot delete it for legal or technical reasons.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting our DPO.
11. Your Legal Rights
You have the following rights in relation to your personal data.
Request access to your personal data. You can ask us to see what personal data we hold about you.
We will confirm whether we are processing your personal data and we will provide you with additional information including what type of data we have, where we collected it from, whether we send it to others, including any transfers outside the EEA, subject to the limitations set out in applicable laws and regulations. We will provide you free of charge with a copy of your personal data, but we may charge you a fee to cover our administrative costs if you request additional copies of the same information.
Request correction of your personal data. You can ask us to correct any incomplete or inaccurate data we hold about you, although we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. However, we may not always be able to comply with your request for erasure for legal reasons, and we will let you know if this is the case at the time of your request.
Object to processing of your personal data. You can object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. However, we may not always be able to comply with your request for legal reasons, and we will let you know if this is the case at the time of your request.
Request restriction of processing your personal data. You can ask us to restrict the processing of your personal data in certain cases.
Request transfer of your personal data. You can ask us to transfer your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies in certain cases.
Right to withdraw consent. You can withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to or for you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact the DPO. Contact details are above. We may ask you to provide additional information e.g. your full name, address, date of birth, etc. so that your identity can be verified.
No fee usually required
You will not have to pay a fee to exercise any of your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
In so far as it is practicable, we will notify the third parties we shared your personal data with of any correction, deletion, and/or limitation on processing of your personal data.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you of the reasons for the delay and keep you updated.
If you have any questions about our Privacy Notice, information we hold about you or complaints about how we process your personal information please contact the DPO (contact details above). Complaints can also be made to the Information Commissioner’s Office, the UK supervisory authority for data protection issues (www.ico.org.uk).
13. Changes to our Privacy Notice
This privacy notice may be updated to reflect changes to our personal data processing policy and legal obligations. In the event there is a material change to this Privacy Notice, we will inform you via the Website or the Service Directories. This notice was last updated on 7th August 2018.