Verbo Privacy Notice
This Privacy Notice (“Notice”) applies to all the information that we collect about you and/or an organisation’s personnel (hereinafter both shall be known as the Client) data, including Patient Data, as provided by the Client (hereinafter to be known as Client Patient Data), where applicable, when the Client uses our website and or signs up to our app. This Notice will refer to how we collect, use and share information about the Client and Client Patient Data, if applicable.
Our contact details:
Verbo is operated by Homerton Healthcare Foundation NHS Trust, of Homerton Hospital, Homerton Row, London, E9 6SR. references in this Notice to “we” and “us” are references to Homerton Healthcare Foundation NHS Trust.
Data Protection Officer: David Waters
E-mail: huh-tr.ig@nhs.net
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Our role and when the information in this Privacy Notice applies.
We are the data controller in relation to information collected when you use our website [or sign up to our app as a client with us]
When a Client engages us to provide the Verbo web app either through a free trial or purchasing a subscription to the platform, we (Verbo) are the controller of the Client registration data, but the Client accessing the platform is the controller and we are the data processor of the Client’s patient data that the Client provides through the platform. The Client is responsible for any information that is inputted and collected on the platform. Where we act as the processor for a Client, our processing will be carried out in accordance with our instructions from the Client (as controller). Client Patients wishing to know how their personal data is processed and what their rights are under data protection law should refer to the privacy notice of the organisation with whom they are registered as patients (eg their School).
The type of personal information we collect.
From our website we currently collect and process the following information:
Personal identifiers, contacts and characteristics:
- Name
- Job role
- Place of work
- Invoicing address
- Email address
When the Client opts to access a free trial or purchase Verbo, we process the following information on the platform, as provided by the Client (who is the controller of this data):
- Adult name*
- Adult job role*
- Adult email address*
- Name of setting/place of work
- Child name*
- Child DoB*
- Key Stage*
- Class
- Year Group
- SEN Support Level
- Postcode
- Name of teacher
- Name of Support Staff
- Free School Meals
- Parent/carer name
- Parent/carer email
(*Mandatory Data)
Within the platform the client has the ability to:
- Screen a child’s communication needs.
- Allocate individual targets.
- Access resources to work towards targets.
- Track progress towards targets
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by the client for one of the following reasons:
- Because the client has completed a contact form on our website
- Because the client has completed a contact form to request a quote for Verbo
- Because the client has purchased or requested a free trial of Verbo
- Because the client accessing Verbo have entered the data
We use the information that the Client has given us in order to:
- Contact the client e.g. with special offers, a quote
- Keep in regular contact when the contact has purchased Verbo
- Provide help and technical support
- Set up log in access for Verbo
- Populate and agree contracts
- Send invoices
To process a payment we will:
- Request invoicing details (name, address, email)
- Request Purchasing Order Number
- Provide the client with a contract at the point of purchasing Verbo
- Send an invoice on a termly or annual basis
How we share Client and Client Patient personal data
Other than the parties listed below, we will not share data with any 3rd party without Client consent.
We share client contact information with Blum Health Ltd as our processor to support functionality of the Verbo Platform. (Blum Health are also the tech co-founders of Verbo).
We will share client contact information with Consilium Communications (a processor who manage Verbo’s communications), where Clients have consented to be contacted, this could be because a Client is an active user and need to be kept up to date about the platform e.g. new features etc. We will also share contact details of consenting individuals who have opted to be kept up to date with product development and offers
- We only share Client Patient Data via the Verbo Platform with Clients and relevant clinicians, some clinicians may have technical access to patient data that they do not require, this is normal within the healthcare environment, but access is strictly confined to that which is necessary and can be audited.
Lawful basis for Verbo processing Client and Client Patient information as follows:
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
- Processing of your information as a trial user: Article 6(1)(a) ‘CONSENT’, You are able to remove your consent at any time – you can do this by contacting – hello@verbo-v3.local
- However, if Client Patient Data is added to the platform during a trial, this would be processed under Article 6(1)E ‘PUBLIC TASK’ and Article 9(2)(h) ‘Provision of healthcare and management of healthcare systems’.
- Processing your information as a Client (as licensee): Article 6(1)(b) ‘CONTRACT’.
- Sharing your information with Blum Health – Article 6(1)(b) CONTRACT
- Sharing your information with Consilium Marketing – Article 6(1)(a) ‘CONSENT’
- Processing Client Patient Health Information – Articles 6(1)(b) ‘CONTRACT’, 6(1)(e) ‘PUBLIC TASK’, Article 9(2)(h) – provision of healthcare and management of healthcare systems
It should be noted that the Client as licensee, or trial user, is controller and is responsible for deciding what lawful basis they will use to process patient data for the Verbo Service.
How we store your personal information
Your information is securely stored either on:
- On a Verbo managed cloud environment held within the UK
- Within a passworded Google Workspace
- A secure NHS drive e.g., invoicing information
- On a London, UK based cloud server
- Via MailChimp. Further information can be read about MailChimp’s privacy notice and GDPR.
We keep all Client data for Six years after you finish accessing the Verbo platform. We will then dispose of your information by wiping the cloud server and permanently deleting.
The minimum period we retain Client patient health data aligns to the NHS Records Management Code of Practice, for Minors, this is at least until their 25th birthday.
Your data protection rights.
Under data protection law, you as the client have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from the Client to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the Client to ask them for further information in relation to their request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you as the Client and keep you updated.
Please contact us at huh-tr.ig@nhs.net if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at huh-tr.ig@nhs.net.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk