About this policy:

As you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy.

Our Privacy Policy explains:

• What information we collect and why we collect it.
• How we use that information.
• The choices we offer, including how to access and update information.
• How information can be removed and permanently deleted

We’ve tried to keep it as simple as possible, but if you’re not familiar with terms, please do take the time to get to know our practices – and if you have any questions, contact us.

This  policy covers all aspects of privacy protection in our company, Thomson Screening Solutions Ltd.

It has two parts:

1. Privacy and data protection relating to our products: Schoolscreener and Schoolscreener EZ,  Thomson Test Manager, SchoolScreener Parent Portal, Workscreener
2. Privacy and data protection for other company activities

When you use our services, you trust us with your information. This Privacy Policy is meant to help you understand what data we collect, why we collect it and what we do with it. This is important; we hope you will take time to read it carefully.

Part 1: Privacy Policy for Schoolscreener and SchoolScreener EZ

When you sign up, we expect you to sign up as a representative of an organisation, Schoolscreener and Schoolscreener EZ are not available to individuals (e.g. parents).

When you or your organisation signs up for our services, they can follow two routes: For Schoolscreener clients, there will be a contract in place prior to starting the service. For Schoolscreener EZ clients or other self-service clients, all new organisations must accept the End User License Agreement which forms the contractual agreement between the Organisation and Thomson Screening.

In both these cases, your organisation is the Data Owner and Thomson Screening is the Data Processor. (as defined by GDPR).

As Data Owner, it is your responsibility to ensure that only persons specifically authorised by you can access the software and to ensure that the data added to the software is managed in accordance with GDPR requirements. We give you the tools to do this.

Information that we collect

We collect or store different types of personal information and each type has its own protection, access and deletion framework. These types are:

1. Patient /Screening information:

Patient identifiable information that is part of the Schoolscreener and Schoolscreener EZ operation

2. Business contact information:

Personal information necessary for conducting our business, for example user names and contact details. People in this category are linked to Thomson Screening by some form of contract, or SLA either directly or through their role in their organisation.

Here is how we manage and protect each category:

Patient/Screening information that you create when you use the Schoolscreener. This information is created by you, either via uploading, adding or amending records and carrying out test.

When you use the system, you will also populate it with your data: details of schools and children you screen, their results and any letters sent out to parents.

This information is highly protected and is entirely under organisation’s control. You and your colleagues are responsible for obtaining the necessary permissions from patients or their legal representatives prior to adding their data to our system. For the purposes of GDPR (General Data Protection Regulation): you are and remain the Data Owner, Schoolscreener/Thomson Screening is the Data Processor.

We provide you with tools to create, maintain and delete this information directly in the system.

Once information is added to our system we have an extensive range of security measures and process in place to protect it from harm and ensure it is available to you. Details of these security measures and our Data Protection framework are available as a separate document.

Business contact information:
We do not actively collect information about users (You), we only collect the minimum necessary for us to provide your service. We record your login details and activities within the system for audit purposes.

When you do, we’ll ask for personal information, like your name, email address, telephone number and the organisation you belong to. This is necessary for us to provide the service and we have your organisation’s permission to record this.

You are able to update this information directly or through the Administrators of your organisation. Once you leave your organisation, the Administrator must inform us so that your access can be removed and your details deleted.

We do not keep user information after a user account is closed.

We automatically collect some system information in the following ways and will not share with anybody:

• Log information

When you use our services we automatically collect and store certain information in server logs. This includes:

• Internet protocol address.
• device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.
• cookies that may uniquely identify your browser or your UserAccount.

Call Records

Thomson Screening provides telephone service support to all business clients. That service is delivered through a dedicated, secure third party’s online platform.

All calls are monitored or recorded for quality and training purposes, in accordance with the GDPR act 2018. Prior each conversation:

·         We obtain consent  for the call to be recorded

·         Provide advice on the safest way of the conversation to continue.  

·         Inform the other party how the recording will be used

·         Store the  information in a secure location

Despite all our efforts confidential identifiable information may be disclosed and recorded. In such circumstances we strictly follow the company’s secure and confidential disposal process. We do not store or distribute call recordings containing confidential information.

Marketing information

We collect information from publicly available sources (e.g. websites, public directories and publications). We may occasionally purchase databases of contact information from reputable providers. We will only do this from companies that are GDPR compliant and where information has been obtained in line with GDPR requirements.

Anybody can check with us whether we hold any information about them, ask for amendments and removal by filling in  this form: What do you know about me

Meta information:

In addition we also use a number of methods that are automated and come under the GDPR regulations:

• Local storage

We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.

• Cookies and similar technologies

We use various technologies to collect and store information when you visit the Schoolscreener service, and this may include using cookies or similar technologies to identify your browser or device. We also use these technologies to collect and store information when you interact with services we offer.

There are only a few exceptions, all for legal reasons

We will share personal information with companies, organisations or individuals outside Thomson Screening if we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to:

• meet any applicable law, regulation, legal process or enforceable governmental request.
• enforce applicable Terms of Service, including investigation of potential violations.
• detect, prevent or otherwise address fraud, security or technical issues.
• protect against harm to the rights, property or safety of Thomson Screening, our users or the public as required or permitted by law.

Information we learn while providing your service:

While we provide the service, we learn about the patterns of screening, activities and outcomes in different geographical regions, age ranges, or other parameters. This information is not specific to an organisation or user and is stored in a format that cannot be used to identify individuals.

We use this information primarily to improve the services we provide. We may also use it to compare best practices, recommend service improvements and in other ways we feel it would benefit our user base. We will not sell this information to Third Parties.

We do not sell personal information.

How we use the information that we collect

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones and to protect Thomson Screening and our users.

We will ask for your consent before using the information for a purpose other than those set out in this Privacy Policy.

Thomson Screening processes personal information on our servers primarily in the UK and other countries of the European Union or countries and conditions permitted by GDPR. We may process your personal information on a server located outside the country where you live.

You may also set your browser to block all cookies, including cookies associated with our services or to indicate when a cookie is being set by us. However, it’s important to remember that many of our services may not function properly if your cookies are disabled.

We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems. For example, if you request your data to be removed, details of the request itself will remain in our records.

Information security

We work hard to protect Schoolscreener and our users from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:

• We encrypt Schoolscreener services using SSL.
• We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.
• We restrict access to personal information to Thomson Screening employees, contractors and agents who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations.

Details of these and additional security measures and our Data Protection framework are available in our Information Governance Policy.

Compliance and cooperation with regulatory authorities

Thomson Screening is registered with the Information Commissioner’s Office in the United Kingdom. Our Registration ID is Z3489680

We are also registered with NHS DSP Toolkit. Our registration ID is 8HW22

We are Cyber Essentials Certified. Our certificate ID is: IASME-CE-009057

We regularly review our compliance with our Privacy Policy. When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.

Part 2: Privacy protection of other company activities

Marketing information:

These are personal details of people Thomson Screening would like to market services to. These persons may not be aware that we keep information about them. Thomson Screening will only obtain this kind of information from the public domain and we have clear processes for removing these kind of information when requested.

Changes

Our Privacy Policy and our EULA may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. We will post any Privacy Policy or EULA changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). We will also keep prior versions of this Privacy Policy in an archive for your review. (view archived versions) 

Part 3: Data retention

Where the company is the Data Owner, it will only retain information beyond its use where the company  is required to do so by regulation (e.g. finance or personnel records) or by exception, where the company has defined an alternative retention schedule. Such exceptions will be indicated in the Information Asset Register against each item.