Privacy Policy
INTRODUCTION
MEG (“Medical eGuides Ltd”, “we”, “us”, “our”) designs and develops services and applications (“apps”) to enable healthcare workers to complete tasks within their busy roles using technology. This Privacy Policy relates to the collection and use of information (also referred to as “data”) by us in connection to our services and apps.
WHEN DOES THIS PRIVACY POLICY APPLY
This Privacy Policy and accompanying Terms of Service (“Terms”) apply to the use of our services and apps, which are available through the Apple, Google Play, and any other app stores, in addition to our websites, subdomains, portals and APIs (Application Programming Interfaces).
WHO WE ARE
MEG, T/A Medical eGuides Ltd., with registered office and business address of: The Digital Depot, Thomas Street, Dublin, D08 TCV4, Ireland. The company is incorporated in the Republic of Ireland under company registration number 581747.
OUR VALUES
We believe making data more easily available to healthcare workers will improve healthcare, but we are also aware that data needs to be handled securely and transparently. We believe your organisation should own its own data and should have a choice about who has access to your data or who your organisation consents to view the data. MEG respects the right to privacy and is committed to protecting information. This privacy policy explains how we collect, transfer, store, and use your organisation’s data.
NATURE OF BUSINESS:
MEG signs individual contracts with its customers based on unique services provided. Subsequent required Data Protection Agreements are also signed upon commencement of engagement. The data collected/processed through our systems (web, iOS, Android) varies from one customer to another. Any changes that affect the nature of data processing will be communicated to MEG’s customers.
This includes, but is not limited to:
INFORMATION WE COLLECT
Examples of information that is automatically collected include:
Technical information from your smartphone or computer e.g. operating system, device type, features used on our apps, dates and times of interaction with our apps.
Location information from GPS (only if you decide to opt in and enable certain features/functionality e.g. air quality index)
During the course of using our services or apps, you may have the option to link other third-party services with your account. If you choose to do this, you are authorising MEG to collect, store, and use information that you agreed these sites may share with us through their API.
Consent for collection of data is done at data controller (our customers) level with relevant data protection controls and commitments signed by MEG (data processor) with the data controller (customer).
Data owners can opt out of PII data collection by indicating this to the data controller (our customer), who in turn will stop collecting data pertaining to the individual and upon receipt of a formal request, MEG can delete/destroy the data pertaining to the same individual also (see: data retention). Opt out will halt all processing activities related to the individual.
Processing: Data processing by MEG is limited to fulfilling minimal contractual obligations to each of its customers. MEG is governed by least privilege access and minimum necessary processing policies, conformance with which is monitored and certified by ISO 27001.
Data Retention: Under GDPR, our clients (healthcare organisations) are the data controllers and MEG is the data processor. The clients will be given access to manage data. MEG retains data with all-encompassing and comprehensive audit trails including but not limited to:
● Date update applied
● Time update applied
● Unique ID and name of user
● Item updated
● Old value of item
● New value of item
until indicated by the client/data controller to archive/delete and destroy it. MEG has a procedure for deletion and validation: full data is destroyed. Typically, we do not delete ‘backups’, but these will be overwritten within 14 days after deletion. MEG performs a check that all copies of data have been destroyed.
BUSINESS TRANSFERS AND LEGAL REQUIREMENTS
As we develop as a business, there is a possibility that we may buy or sell businesses or assets. In the event of a corporate sale, merger, reorganisation, sale of assets, dissolution or other business-related event, your information may be part of the transferred assets.
If we receive a legal request for access to your information (e.g. from a court order, law enforcement authority, regulatory agency, etc.) we may disclose your information to the extent permitted by law. We may also share your information with legal advisors, consultants, or courts in order to protect and defend our rights and users of our services and apps.
THIRD-PARTY ANALYTICS
We use third-party analytics services to help us evaluate how users interact and use our services and apps. These analytics providers use cookies and other technology to track how users use our services and apps. Our main aim in using these analytics providers is to help us understand how to optimise and improve our services and apps for our users.
Third-party analytics providers that we work with are as follows:
Google Analytics – https://www.google.com/analytics/terms/gb.html
———————————————————————————————————————————————
Cookies
When you interact with our website (www.megit.com) we try to make that experience simple and meaningful. When you visit the website, our web server sends a cookie to the hard disk of your computer. Cookies are small text files which are issued to your computer when you visit a website and which store and sometimes track information about your use of the site. For example, cookies are used to personalise web search engines and to store shopping lists of items a user has selected while browsing through a virtual shopping mall. A number of cookies we use last only for the duration of your web session and expire when you close your browser. Other cookies are used to remember you when you return to the site and will last for longer.
We use cookies to:
Remember that you have visited us before; this means we can identify the number of unique visitors we receive. This allows us to make sure we have enough capacity for the number of users that we get.
Collect statistical information about how you use the site (including how long you spend there) and where you have come to the site from. We collect this data so that we can improve the website and learn which parts are most popular with visitors.
Improve the speed of site navigation and recognise your access rights on the site.
EXTERNAL LINKS
The site may, from time to time, contain links to external sites. We are not responsible for the privacy policies or the content of such sites.
———————————————————————————————————————————————
HOW WE PROTECT YOUR INFORMATION
We place great importance on the security of all PII associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control.
MEG is designed with stringent security protocols. It uses state-of-the-art electronic surveillance and multi-factor access control systems. All data transport between your app and our servers is encrypted.
We use a risk management process based on a HIPAA template. It allows us to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by MEG, and also implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with HIPAA standards.
However, with any electronic transmission and storage of data come risks and we cannot guarantee that our databases, or those of our third-party affiliates, will be 100% secure. There is also a risk of data being intercepted while being transferred over the internet. If there is a personal data breach, our Data Protection Officer will report it to the competent Supervisory Authority without undue delay (not less than 72 hours after becoming aware of it). If a personal data breach is likely to result in a high risk to your rights and freedom, our Data Protection Officer will communicate the breach to you without delay.
MEG takes security very seriously and is governed by its industry-standard Information Security Management System (ISMS) policies, which encompass all aspects of security from secure software development to device encryption across the entire organisation. MEG:
is a UK Digital Marketplace approved supplier (G-Cloud: https://www.applytosupply.digitalmarketplace.service.gov.uk/g-cloud/services/743933839022401)
exceeds the standards of NHS Data Security Protection Toolkit (DSPT: https://www.dsptoolkit.nhs.uk/OrganisationSearch/B2T5Q)
is ISO/IEC 27001:2013 certified (Search for “391422022” here: https://www.qmsuk.com/verification)
is Cyber Essentials certified (Search for “Medical Eguides Limited” here: https://iasme.co.uk/cyber-essentials/ncsc-certificate-search/).
———————————————————————————————————————————————
YOUR RIGHTS
You have a number of legal rights under the EU’s General Data Protection Regulation (GDPR). The following section explains your rights:
Your organisation has a right to request a copy of data
Your organisation has a right to erase (delete), rectify, restrict, and object to the processing of data
We are obligated under the GDPR to provide any requested information within one month of receiving a request. However, if a large number of requests are received or requests are complex, the time limit may be extended by a maximum of two further months.
Your organisation has a legal right to access, rectify, erase and object to the use of data free of charge. However, a reasonable fee may be charged for “repetitive requests”, “manifestly unfounded or excessive requests” or “further copies”.
Your organisation has a right to the rectification of inaccurate data.
Your organisation has a right to receive a copy of data in a structured, commonly used, machine readable format that supports re-use. Your organisation also has a right to transfer data from one controller to another without hindrance, and to store data for further personal use on a private device.
If your organisation’s data was shared with a third party, then you have a right to request information about the identities of those third parties.
Your organisation has a right to object to the processing of data for the process of direct marketing, including profiling.
Your organisation has a legal right to not be subject to a decision based solely on automated processing which may significantly affect you, unless it is authorised by law or you explicitly consent and the appropriate safeguards are in place.
Your organisation has a right to complain to the EU’s Data Protection Authority (DPA) if you think your rights have been infringed upon
CHILDREN
We do not knowingly collect Information from children under the age of 14 through our apps. Our apps are intended for use by persons 18 years of age and older. If you discover that your child has been using our apps without your consent, or someone has been using the apps on behalf of your child without your consent, please contact us using the information below in the “Contacting Us” section and we will take steps to delete the information from our databases.
CHANGES TO THIS PRIVACY POLICY
This Privacy Policy is effective as of the date listed previously at the start of this document. This Privacy Policy may be changed or updated at any time in the future without notice to you. This Privacy Policy is available for you to review at all times on our apps and it is recommended that you regularly review it. By using our apps after we have updated our Privacy Policy, you are deemed to have accepted any changes.
CONTACTING US
Please submit any questions, concerns or comments you have about this policy or any requests concerning your personal data to info@megit.com or write to our Data Protection Officer at:
MEG
The Digital Depot,
Thomas Street,
Dublin,
D08 TCV4,
Ireland