Privacy Notice & Cookies

Thanks for reading our privacy notice. This document has been created to explain to you the types of personal data we may hold about you and outline how we may use this information for the benefit of your health and wellbeing.

The main purpose for which we hold and process your information is to enable us to provide healthcare services to you.

We are committed to protecting your privacy and will only use information that may identify you (known as personal information) in accordance with the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 and, where applicable, other laws such as the Health and Social Care Act 2012 and the Health and Social Care (Quality & Safety) Act 2015.

We endeavor to keep accurate records and to hold information for no longer than necessary.

This document tells you how we collect, use and share your personal information, what your rights are and how to exercise them.

There are a couple of technical definitions to get out of the way first.

By “personal information” we mean personal data as defined in UK data protection law. In general, it means any information relating to you, which identifies you or allows you to be identified. That may be your name, an ID number, location, an online identifier or factors specific to you (e.g. physical, physiology (thoughts, feelings), genetic, mental, economic, cultural or social factors).

By "sensitive" personal information we mean what's technically known as "special categories" that is personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual's sex life or sexual orientation.

Our identity and contact details

Sleepstation is a digital healthcare organisation which delivers services to private individuals, services to individuals via their employers and NHS services.

Our NHS services are delivered in partnership with Newcastle upon Tyne Hospitals NHS Foundation Trust (NuTH) and all data processing for NHS services is delivered by NuTH - registered as a data controller with the Information Commissioner’s Office (Z6173332).

Our private services are delivered directly. We are registered independently as a data controller with the Information Commissioner’s Office (ZA472808).

Data protection queries should be directed to:

Sleepstation Data Protection
Studio G26
Toffee Factory
Quayside
Newcastle upon Tyne
NE 2DF
Tel: 0333 800 9404
data.protection@sleepstation.org.uk

Purposes and legal basis for holding and processing your personal information

Under the GDPR, we must always have a legal basis for using your personal information. We hold and process your personal information for the main purpose of providing healthcare services to you and also to comply with various legal obligations, including those relating to health and social care, as explained at the beginning of this document.

For your reference, we’ve outlined key information about the different types of legal basis below.

Legal basis (all personal information)

Consent: your consent to one or more specific purposes

Contract: entering into a contract with you or performing a contract with you

Legal obligation: we're required by law to do this

Vital interests: to protect your own or another individual's vital interests (e.g. life or death situation)

Legitimate interests: we've identified this as a legitimate interest of ours or a third party; we consider that use of your personal information is necessary to achieve that legitimate interest; and we've balanced all that against your interests, rights and freedoms

Legal basis (all sensitive personal information)

Where we're dealing with sensitive personal information we need not one legal basis but two, from a different list (and the list is a lot longer). The main ones are:

Explicit consent: your explicit consent to one or more specific purposes

Health or social care: provision of healthcare or management of healthcare systems

Legal claims: to establish, exercise or defend a legal claim

Vital interests: that's the same as above except it has to be where the individual is incapable (physically or legally) of giving consent.

Archiving, research and statistics: this must be in the public interest; data must be minimised, and anonymised or at least pseudonymised; the activity mustn't cause substantial distress or damage to individuals and mustn't relate to a particular individual except for approved research.

You can find more details on the ICO website at https://ico.org.uk

Our main uses of your personal information

Our legal obligations are specific to the way in which you access Sleepstation and the extent to which you engage in the services we offer.

Access type: You may, for example, hold a private account with us or you may have been referred by your GP or been provided access by your employer.

Extent of engagement: You may, for example undertake an assessment with us and then decide not to proceed with the therapy or you may complete a full course of therapy with us.

What we hold about you, and why we hold it will be depend your access type and extent of engagement.

A summary of the main uses of personal information for specific access types is provided below.

Private individuals

NHS patients

Employees

A website visitor or interested person

Unless you fill in a form or contact us in some other way, we probably can't identify you. Where we can, we use this information in the following ways.

Please note if you are simply browsing our website, and not specifically using our services, the information provided at the bottom of this notice in the “website privacy” section may be more relevant to you.

The personal data we collect

Private individuals

We collect this personal information in order to provide healthcare services to you. We collect the following data about private individuals:

NHS patients

We collect this personal information in order to provide treatment services to you (including communicating with you, your GP, your NHS referrer, other medical advisors as appropriate). We collect the following data about NHS patients:

Employees

We collect this personal information in order to provide services to you and to report on employees access rates and group outcomes to your employer.

We do not and will never share any personal or sensitive information through which you could be identified with your employer. We do share information with your employer for the purpose of reporting on anonymised group data including outcomes and access rates and further information about data which may be shared with your employer is listed below under the heading “Who do we share your information with?”.

The information we collect about employees is as follows:

A website visitor or interested person

Please note if you are simply browsing our website, and not specifically using our services, then it is unlikely that we will be able to identify you.

We only collect information which you submit via a form on our website. We collect this information to answer any queries you may have. The information we collect is as follows:

Information collected via contact forms

Information is collected via contact and enquiry forms on our website in order to allow us to contact you to answer questions and discuss queries you may have.

We collect the following information via these forms:

Your name, email address, postcode (if provided), telephone number (if provided), your question/comments.

Information collected via NHS access forms

Information is collected via this form in order to allow us to determine which NHS services you may be eligible for.

We collect the following information via this form:

Your full name, date of birth, email address, first line of address, postcode, GP practice details, GP details (if provided) NHS number (if provided) and information about your sleep problem.

Who do we share your information with?

We have a data protection policy which means that relevant information is only shared with people involved in your health care where applicable. The obligations which we have with regard to sharing of your personal information are specific to the way in which you access Sleepstation and the extent to which you engage in the services we offer.

Details about how we share data for each access type are provided below.

Private individuals

We will not pass on your personal data to third parties without first obtaining your consent, however, there are times when information, legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

We only share information with your doctor, family, friends or advocates with your explicit consent.

NHS patients

If you access Sleepstation as an NHS patient, we are required to share your personal information with people involved in your health care. These will include:

Apart from these people, we will not pass on your personal data to third parties without first obtaining your consent, however, there are times when information, legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

We only share information with your family, friends or advocates with your explicit consent.

Employees

We will not pass on your personal data to third parties, including your employer, without first obtaining your consent, however, there are times when information, legally, has to be given even without your consent, these would include; child protection, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism, or a Court Order.

We only share information with your doctor, family, friends or advocates with your explicit consent.

Any information that we report back to your employer in relation to prevalence of certain conditions (such as sleep deprivation, anxiety, depression etc.) among the workforce will be presented in the form of grouped, anonymised or pseudonymised data and will be never include details about your personal results or contain any information by which your results or outcomes of your therapy could be linked directly to you or could identify you.

Transfers outside of the European Economic Area (EU member states, Norway, Iceland and Liechtenstein) (EEA)

We do not transfer any personal information to third countries or international organisations. All personal information is stored in the UK and/or in the European Economic Area.

Storage period

The period for which we will store patient records is based on guidelines provided by our insurers and on the NHS records management code of practice for health and social care.

For NHS patients, records will be retained for the duration specified by national guidance from the Department of Health.

For private individuals and employees, records will be retained for a period of 8 years beginning on the date of the last entry in the patient records.

After which, the record will be reviewed and destroyed if no longer needed. All confidential information is destroyed in line with the NHS Records Management Code of Practice.

Your rights

Your rights in relation to consent

Where you've given us explicit consent to use your sensitive personal information, you may withdraw it at any time.

To withdraw your consent, please contact us.

We will rely on your browser settings to indicate your consent to the use of cookies on our website. To withdraw your consent, please adjust your browser settings. Please see "Cookies and similar technologies" below for instructions.

Your right to object to our use of the "legitimate interests" basis for processing.

You may, at any time, object to our use of your personal information which is based on our legitimate interests, as summarised below.

We consider that our use of your personal information for:

is in our legitimate interests.

You may object to our use on that basis. To exercise your right, please contact us.

Your rights as a data subject

At any point while we are in possession of or processing your personal information, you have rights to make a request to us:

These rights are more complicated than the simple summary above. To find out more about them, please visit the Information Commissioner's website. To exercise your rights, please contact us.

Our contact details are in the "Identity and contact details" section above. Please make it clear which right(s) you want to exercise, for example by putting the name of the right in the subject line of the email. Thank you.

Right to erasure

In certain circumstances you can ask for the personal information that we hold about you to be erased from our records. This right will apply only if the processing has been undertaken on the basis of consent which is withdrawn, the processing of your personal information is determined not to be lawful or the information is no longer required. There are exceptions to the right to erasure and we are legally required to maintain your records in accordance to comply with health and social care laws.

Withdrawal of consent for private individuals.

You have a right to withdraw any explicit consent you give us at any time.

This will not affect the legality of our consent-based use before you withdrew consent.

To withdraw consent to cookies, please adjust your browser settings (please see our cookie policy for further details).

To exercise your right to withdraw in any other case, please contact us. Our contact details are in the "Identity and contact details" section above.

Complaints

You have a right to complain to the Information Commissioner, whose contact details are:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
England
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate).
Website: https://ico.org.uk which sets out email addresses and an email form.

Information collected directly – legal or contract requirement

There are no statutory requirements to provide us with personal information.

For private individuals, it is a contract requirement that you complete the registration forms and any healthcare questionnaires, fully and accurately.

If you are a website visitor who makes an enquiry, we'll normally need your personal details (name and contact details) to answer your query.

Cookies and similar technologies

When you visit our site, third party sites will place a small amount of information on your device, for example, your computer, laptop, tablet or mobile phone. This information consists of small files known as 'cookies'.

Some third party sites will also use pixels (also known as clear gifs, web beacons or web bugs) in conjunction with cookies. Pixels are code used on a web page or in an email notification. They are used to learn whether you’ve interacted with certain web or email content. This helps to measure and improve services and personalise your experience. You cannot delete pixels but you may be able to turn off features using this technology through the third party's site and account settings.

How we use cookies

The Sleepstation website has a variety of useful features and tools, and to make best use of them your computer, tablet or mobile device will need to accept cookies. We can only provide you with certain features by using cookies. If you have chosen to disable cookies you will still be able to browse the website, but some functions may be unavailable.

We also use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you,

Other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

If you’ve visited our site by following a link from Facebook, a Facebook pixel will be used to learn whether you have interacted with our site content.

In some browsers, our site will create local storage and session storage as well as cookies. Local storage and session storage are another type of file placed on your device that can hold data. They will often appear when a website has video or audio content.

You can delete local storage and session storage in the same way that you delete cookies.

Most web browsers allow some control of most cookies through the browser settings.

Third party software tools can also be used to block or restrict certain cookies and tracking technologies.

Please be aware that restricting cookies may impact on the functionality of our site, particularly the videos.

To find out more about cookies, including how to see what cookies and other technologies have been set and how to manage and delete them, please visit http://www.allaboutcookies.org/ and http://www.youronlinechoices.com/.

Changes to this privacy notice

We may change this notice from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This notice is effective from 12th November 2018.


Website Privacy

This privacy policy sets out how we use and protect any information that you give us when you use this website. We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified (personal information) when using this website, for example to complete an online form, then you can be assured that it will only be used in accordance with this privacy statement. We may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 12th November 2018.

What we collect

Contact/enquiry forms

Information is collected via contact and enquiry forms on our website in order to allow us to contact you to answer questions and discuss queries you may have. We collect the following information via these forms:

Your name, email address, postcode (if provided), telephone number (if provided), your question/comments.

NHS access forms

Information is collected via this form in order to allow us to determine which NHS services you may be eligible for. We collect the following information via this form:

Your full name, date of birth, email address, first line of address, postcode, GP practice details, GP details (if provided) NHS number (if provided) and information about your sleep problem.

Other forms/surveys

From time to time, information is collected via additional forms. The purpose for the information being collected will be clearly set out on these forms. Information collected may include your name, your contact information, your demographic information such as postcode, your preferences and interests or other information relevant to customer surveys and/or offers.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

If you have subscribed to any of our mailing lists, we may periodically send emails containing information about sleep science, new services and products we offer, special offers or other information which we think you may find interesting using the email address which you have subscribed with. You can unsubscribe from these mailing lists at any time.

If you are a registered Sleepstation account holder, we may also, from time to time, use your information to contact you for market research purposes. We may contact you by email, phone, or text. We may use the information you provide to customise the website according to your interests.

If you have registered for a Sleepstation account we may contact you to discuss your needs to allow us to onboard you into the relevant service. If you do not intend to use our services, and you are not an NHS referred patient, you may terminate your account and request that your information is erased.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information:if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at marketing@sleepstation.org.uk

We do not store credit card details.

We will not sell or lease your personal information to third parties. We may disclose your personal information to third parties if we are under a duty to disclose or share your data in order to comply with any legal obligation.

We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen by opting in to receive such information.

At any point while we are in possession of or processing your personal information, you have the right to make a request to us for access to your personal information.

You also have a number of other rights. To find out more about them, please visit the Information Commissioner's website.

To exercise your rights, please contact us. Our contact details are in the "Identity and contact details" section above. Please make it clear which right(s) you want to exercise, for example by putting the name of the right in the subject line of the email. Thank you.