Privacy Policies & GDPR
This document describes how Cimar UK Ltd treats personal information when you use (or register to use) our products and digital services. In addition, the following describes our privacy practices for our service that help you store and organise your Patients’ or your own personal health information.
Cimar is compliant with GDPR. This document explains how Cimar UK Ltd uses the personal information collected from you for the operation of its Cloud services. It also describes how long that information is kept for and the limited circumstances in which we might disclose it to third parties.
Personal Details We Hold
Cimar UK Ltd holds six types of personal information which allow us to manage your access to our Cloud platform:
- User provided information: User full name, email address, and mobile phone number (optional – if 2 Factor Authentication login is opted for).
- Transaction Information includes [details about services you have purchased from us].
- Technical Information including internet protocol (IP) address, your login history, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our service.
- Usage Information including information about how you use our website, products and services.
- Customer contact records – emails, correspondence and postal interactions directly with us or via our website.
- Cloud audit records – Automatically stored audit details of all access to the cloud, and any activity on it – this is captured for security purposes, and so our clients can monitor their users activity during the normal course of their business use of our cloud services. These are retained for as long as the radiology records they relate to are stored in our Cloud.
The above information is required and integral to the use of our cloud service.
You Are In Control Of Your Information
You control who can access your information or such information in your charge. Under certain circumstances, you have rights under data protection laws in relation to your personal information.
By default, you are the only user who can view and edit your personal information and information we host, that you are responsible for. If you choose to, you can share this personal information with others apart from your login details which you must keep secret. Such sharing is controlled by you and is at your discretion and is your responsibility as an authorized user of Cimar’s service.
To update us with your information-sharing preferences, you may contact us using the contact details set out below, or update this information yourself by login into Cimar.
We will not sell or rent out your information. We will not share your information without your explicit consent, except in the limited situations described in this Policy, for example where it is required to do so by law.
You can completely delete your information at any time manually or via system created purge rules which will automatically remove data after a predefined time period. Deletion will be initiated immediately, and your information will be purged from your account and our systems shortly thereafter. Additional backup copies of deleted information may persist for a short time. Since deleted data will not be restored, you may want to export your information before deleting it.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. Please see “Request correction of your personal information” below.
How Your Information Is Collected
We collect personal information about you whenever you use our services (whether those services are provided directly by us, other companies or agents acting on our behalf) or when you use our online service. Further details on how we collect your personal information is set out below:
Direct interactions. We collect your personal information when you fill in forms or by corresponding with us by post, phone, email or otherwise. This includes personal information you provide when you create a Cimar Account.
Indirect Interactions: Personal information can be collected via imaging centres, hospitals and other healthcare organisations who are involved in your patient healthcare pathway.
Automated technologies. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal information by using cookies, and other similar technologies.
Third parties or publicly available sources. We may receive personal information about you from various third parties for example analytics and search providers such as Google.
In order to comply with the General Data Protection Regulations, your details will only be kept for the shortest time required. This will vary according to the type of data being held and the retention policies (purge rules) applied by your system administrator (if applicable).
Keeping Your Details Secure
We only store your information in highly secure UK data centres where it is protected by the latest encryption and firewall technology. These systems are regularly audited to ensure your data is safe. Your data will not be sent overseas as part of the normal operation of Cimar. We do not store any credit/debit card numbers or security codes as we do not process online payments directly. These are routed either through your preferred online Merchanting service (e.g. if you opt to use Stripe or PayPal payment mechanism) or via GoCardless with whom we have a contract to process some but not all billing for use of our cloud services. These details will be requested during the setting up of new accounts in the cloud and amended as or when you instruct us to do so.
How Cimar Uses Your Information
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- where we need to perform the contract we are about to enter into, or have entered into, with you;
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- where we have obtained your consent; or
- where we need to comply with a legal or regulatory obligation.
We have set out below a description of the ways we plan to use your personal information, and which are the legal bases we rely on to do so. We have also identified our legitimate interests.
- To store your personal information in on our systems, you will need a Cimar Account. When you create a Cimar Account, we ask for your email address and a password, which is used to protect your account from unauthorised access. The lawful basis for processing this information is to allow you to use our services, in connection of our contractual relationship with you.
- Cimar’s servers automatically record and log information about your use of the system (such as number of sign-ins and the actions you perform). This information is permanently stored in association with your Cimar Account. Aggregated log information will be used to operate and improve the service and will not be correlated with your use of other Cimar services. The lawful basis for processing this information is that it is necessary for auditing purposes when handling sensitive health related data and to maintain network security.
- Certain features of our web service can be used in conjunction with other Cimar products, and those features may share information to provide a better user experience and to improve the quality of our services. The lawful basis for processing this information is that it is necessary for our legitimate interests. For example Single Sign On (SSO) functionality when our service is embedded within another system run by your organisation.
- Cimar UK Ltd and its subsidiaries may also contact you about our related services or system changes connected to the operation of our cloud service, for example, newly release enhancements and features that may benefit you or your account users, or fixes to known bugs that are reported to us.
Sharing Personal Information
We will never share your data with anyone. You are responsible for the sharing of data we host for you, and to whom you share it.
Dependant on your role permissions, if you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to read health information you share, that party will no longer be able to read the information, but may have already seen or may retain a copy of the information.
Our services contain links to third-party service providers that are capable of securely sending information to us. These service providers (which may include medical providers with systems such as PACS) may send us information about certain medical conditions or extend the functionality of our service in other ways. By creating a link to these service providers, you give them permission to send your information such as medical records or diagnostic reports to your Cimar Account.
Some of these third-party service providers will be covered by prevailing health privacy laws (such as the Insurance Portability and Accountability Act, or “HIPAA”), and those laws will govern how they may use and share your information. HIPAA requires (as do we) that you must authorise these providers to send information to your Cimar Account. With that authorisation, you also give them permission to send certain especially sensitive types of health information (such as mental health or substance abuse records) that are protected by National laws and require special authorisation. We cannot and do not determine which of your information you do and don’t wish to share. This decision and the responsibility for sharing any patient or other information is entirely yours.
All entities or business associates covered by HIPAA are contractually required to comply with HIPAA's rules related to collection, use, and sharing of your information. All other third-party service providers are contractually required to abide by our Developer Policies, which require that they comply with strict privacy standards for how they collect, use, or share your information.
To support the prevention and detection of crime, Cimar may be required to provide specific information by law, to police forces on formal request.
Personal data may be shared with these organisations when a valid reason to obtain the data under the General Data Protection Regulations and other data protection legislation is provided. Such requests are dealt with on a strictly case-by-case basis.
Cimar UK Ltd And GDPR
Cimar UK Ltd have fully committed to adherence of the General Data Protection Regulations (GDPR) following implementation on the 25 May 2018. In relation to our collection and processing of personal data, please see the below information for clarification.
When you use our service, Cimar UK Ltd will be acting as the data processor, and you or your organisation will be the Data Controller. We each have new and extensive responsibilities to protect your data and data you upload and host on our service. Our responsibilities are managed by our Data Protection Officer whose details are as follows:
Data Protection Officer: Liz McGregor
Tel: +44 (0)20 3904 0330.
The data we hold is used for the purposes of providing and administering our service to you and your organisation. Collected data is stored within secure electronic records management systems that we run. Cimar UK Ltd will store any correspondence from you to us, in a correspondence recording system. Additional systems are used to process and store supporting information such as contractual correspondence, support ticket records, SLA documents agreed between you and Cimar UK Ltd, including email communications.
Processing Of Data And Your Rights
Personal data will be stored for the shortest time necessary in order to manage Cimar UK Ltd Cloud services that you use, including payment information, account management and enquiries. Our retention timescales are as required of us by law.
Under the GDPR you have the following rights to request information from Cimar UK Ltd:
- The right of access to the data (Subject Access Request)
- The right for the rectification of errors
- The right to erasure of personal data (please note, this is not an absolute right)
- The right to restrict processing, or to object to processing
- The right to portability.
Data Processing isn’t based just on receiving your consent; this is implicit in your wish and need to use our systems. However, we must inform you that you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You have the right to lodge a complaint with a supervisory authority (in the UK that is the Information Commissioners Office).
If we are to process the personal data we hold for a purpose other than that for which it was originally collected, then we will provide the you with information on what that other purpose is prior to further processing taking place. The extra information will include any relevant further information as referred to above including the right to object to that further processing.
How To Access Your Personal Data
If you wish to see full details of the information Cimar holds in connection with you, you will need to make a subject access request in accordance with the General Data Protection Regulations. To initiate a subject access request, email: DPO@cimar.co.uk or call us on +44 (0)20 3904 0330.
If you have additional questions, please contact us any time. Or write to us at Cimar UK Ltd, Kemp House, 152 - 160 City Road, London EC1V 2NX. UK Email: firstname.lastname@example.org - Tel: +44 (0) 800 093 0913 - www.cimar.co.uk