Privacy Policy
Policy Group | Policy name | Prepared by | Last review date | Revision | Next revision due |
Information Governance | Privacy Policy | IG Lead | 12/02/2021 | 2 | 12/02/2023 |
We work hard to protect information you put into our system.
Compliance and cooperation with regulatory authorities
Thomson Screening is registered with the Information Commissioner’s Office in the United Kingdom. Our Registration ID is Z3489680
We are also registered with NHS DSP Toolkit. Our registration ID is 8HW22
As you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy.
Our Privacy Policy explains:
We’ve tried to keep it as simple as possible, but if you’re not familiar with terms, please do take the time to get to know our practices – and if you have any questions, contact us.
This policy covers all aspects of privacy protection in our company, Thomson Screening Solutions Ltd.
It has two parts:
When you use our services, you trust us with your information. This Privacy Policy is meant to help you understand what data we collect, why we collect it and what we do with it. This is important; we hope you will take time to read it carefully.
When you sign up, we expect you to sign up as a representative of an organisation, Schoolscreener and Schoolscreener EZ are not available to individuals (e.g. parents).
When you or your organisation signs up for our services, they can follow two routes: For Schoolscreener clients, there will be a contract in place prior to starting the service. For Schoolscreener EZ clients or other self-service clients, all new organisations must accept the End User License Agreement which forms the contractual agreement between the Organisation and Thomson Screening.
In both these cases, your organisation is the Data Owner and Thomson Screening is the Data Processor. (as defined by GDPR).
As Data Owner, it is your responsibility to ensure that only persons specifically authorised by you can access the software and to ensure that the data added to the software is managed in accordance with GDPR requirements. We give you the tools to do this.
We collect or store different types of personal information and each type has its own protection, access and deletion framework. These types are:
Patient identifiable information that is part of the Schoolscreener and Schoolscreener EZ operation
Personal information necessary for conducting our business, for example user names and contact details. People in this category are linked to Thomson Screening by some form of contract, or SLA either directly or through their role in their organisation.
Patient/Screening information that you create when you use the Schoolscreener. This information is created by you, either via uploading, adding or amending records and carrying out test.
When you use the system, you will also populate it with your data: details of schools and children you screen, their results and any letters sent out to parents.
This information is highly protected and is entirely under organisation’s control. You and your colleagues are responsible for obtaining the necessary permissions from patients or their legal representatives prior to adding their data to our system. For the purposes of GDPR (General Data Protection Regulation): you are and remain the Data Owner, Schoolscreener/Thomson Screening is the Data Processor.
We provide you with tools to create, maintain and delete this information directly in the system.
Once information is added to our system we have an extensive range of security measures and process in place to protect it from harm and ensure it is available to you. Details of these security measures and our Data Protection framework are available as a separate document.
Business contact information:
We do not actively collect information about users (You), we only collect the minimum necessary for us to provide your service. We record your login details and activities within the system for audit purposes.
When you do, we’ll ask for personal information, like your name, email address, telephone number and the organisation you belong to. This is necessary for us to provide the service and we have your organisation’s permission to record this.
You are able to update this information directly or through the Administrators of your organisation. Once you leave your organisation, the Administrator must inform us so that your access can be removed and your details deleted.
We do not keep user information after a user account is closed.
We automatically collect some system information in the following ways and will not share with anybody:
When you use our services we automatically collect and store certain information in server logs. This includes:
Call Records
Thomson Screening provides telephone service support to all business clients. That service is delivered through a dedicated, secure third party’s online platform.
All calls are monitored or recorded for quality and training purposes, in accordance with the GDPR act 2018. Prior each conversation:
· We obtain consent for the call to be recorded
· Provide advice on the safest way of the conversation to continue.
· Inform the other party how the recording will be used
· Store the information in a secure location
Despite all our efforts confidential identifiable information may be disclosed and recorded. In such circumstances we strictly follow the company’s secure and confidential disposal process. We do not store or distribute call recordings containing confidential information.
Marketing information
We collect information from publicly available sources (e.g. websites, public directories and publications). We may occasionally purchase databases of contact information from reputable providers. We will only do this from companies that are GDPR compliant and where information has been obtained in line with GDPR requirements.
Anybody can check with us whether we hold any information about them, ask for amendments and removal by filling in this form: What do you know about me
Meta information:
In addition we also use a number of methods that are automated and come under the GDPR regulations:
We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.
We use various technologies to collect and store information when you visit the Schoolscreener service, and this may include using cookies or similar technologies to identify your browser or device. We also use these technologies to collect and store information when you interact with services we offer.
There are only a few exceptions, all for legal reasons
We will share personal information with companies, organisations or individuals outside Thomson Screening if we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to:
Information we learn while providing your service:
While we provide the service, we learn about the patterns of screening, activities and outcomes in different geographical regions, age ranges, or other parameters. This information is not specific to an organisation or user and is stored in a format that cannot be used to identify individuals.
We use this information primarily to improve the services we provide. We may also use it to compare best practices, recommend service improvements and in other ways we feel it would benefit our user base. We will not sell this information to Third Parties.
We do not sell personal information.
How we use the information that we collect
We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones and to protect Thomson Screening and our users.
We will ask for your consent before using the information for a purpose other than those set out in this Privacy Policy.
Thomson Screening processes personal information on our servers primarily in the UK and other countries of the European Union or countries and conditions permitted by GDPR. We may process your personal information on a server located outside the country where you live.
You may also set your browser to block all cookies, including cookies associated with our services or to indicate when a cookie is being set by us. However, it’s important to remember that many of our services may not function properly if your cookies are disabled.
We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems. For example, if you request your data to be removed, details of the request itself will remain in our records.
Information security
We work hard to protect Schoolscreener and our users from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:
Details of these and additional security measures and our Data Protection framework are available in our Information Governance Policy.
Compliance and cooperation with regulatory authorities
Thomson Screening is registered with the Information Commissioner’s Office in the United Kingdom. Our Registration ID is Z3489680
We are also registered with NHS DSP Toolkit. Our registration ID is 8HW22
We are Cyber Essentials Certified. Our certificate ID is: IASME-CE-009057
We regularly review our compliance with our Privacy Policy. When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.
Part 2: Privacy protection of other company activities
Marketing information:
These are personal details of people Thomson Screening would like to market services to. These persons may not be aware that we keep information about them. Thomson Screening will only obtain this kind of information from the public domain and we have clear processes for removing these kind of information when requested.
Changes
Our Privacy Policy and our EULA may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. We will post any Privacy Policy or EULA changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). We will also keep prior versions of this Privacy Policy in an archive for your review. (view archived versions)
Part 3: Data retention
Where the company is the Data Owner, it will only retain information beyond its use where the company is required to do so by regulation (e.g. finance or personnel records) or by exception, where the company has defined an alternative retention schedule. Such exceptions will be indicated in the Information Asset Register against each item.
Part 4: Permanent removal of data
Data subjects can request removal of their records from the Data Owner. When Thomson Screening is the data owner, removal will be completed directly from Thomson Screening’s CRM systems.
Where Thomson Screening is the Data Processors, appropriate processes are available for complete and permanent removal of data by the client. The overview of these is shown below.
Type of record | Schoolscreener/Workscreener | Logs and statistics |
Active | Full data | Anonymised |
Deleted | Soft deleted (can be restored by user) | Not imported |
Removed | Removed from the system | Anonymised |
Deleted then removed | Removed from the system | Not imported |
For further information on specific processes please contact us.