Privacy Statement for MedModus SaaS

Privacy and Data Protection Statement for MedModus Software-as-a-Service
Last Updated: 4th of May 2022

Introduction

This privacy and data protection statement relates to MedModus Software-as-a-Service (“SaaS”) products and services.

This statement aims to: a) explain how the personal data belonging to users of MedModus apps is used by MedModus to provide its services; b) provide ‘privacy information’ pursuant to the EU General Data Protection Act (“GDPR”); and c) follow the ‘guidelines for organisations’ outlined by the Irish Data Protection Commission (“DPC”).

Systems Overview

MedModus provides a suite of SaaS applications that are accessed through the MedModus portal over the internet, via standard web browsers. MedModus also provides apps that allow its users to log in and interact with its systems through their mobile devices.

All communication between user endpoints and MedModus SaaS is encrypted, and user authentication is required for accessing MedModus products and services. The use of Multi Factor Authentication (“MFA”) is supported and encouraged to help ensure protection of your information, and can be enforced by organisations.

MedModus SaaS products are hosted through reputable cloud service vendors, including Microsoft Azure and/or Amazon AWS. Both Microsoft and Amazon have Tier-4 graded data centres that follow high information security standards with industry-led certifications. More information about their infrastructure security can be found at:

Microsoft Azure:

Amazon AWS:

By default, MedModus hosts all of its services using its vendors’ data centres within the European Union / European Economic Area. Non-EU based customers can request that their implementations be hosted in other regions, provided that those regions are supported by MedModus’ choice of vendors. Such requests are made at a contractual level between MedModus and the customer organisation, and cannot be specified by end-users of MedModus products and services. All resources and systems hosted with MedModus’ partner cloud vendors are backed up within the cloud vendors themselves, unless agreed otherwise with the customer organisation. All databases have transparent data encryption applied.

Relationship with organisations and individuals

All MedModus SaaS products and services are adopted at an organisation level, contractually between MedModus and the customer organisation (e.g., hospital trusts, groups, or individual hospitals). Some individuals will be users of the MedModus systems. A user is a person who has access to the system (i.e., can log in and interact with it). Other individuals who are not users of the systems (e.g., clinicians and general staff) can be referenced in the system.

The customer organisation acts as the ‘data controller’ and determines whose information is used in the system. Each customer’s data is contained within its own individual database on our servers.

MedModus acts as the ‘data processor’ to the customer organisation and has a legal requirement to maintain records of the personal data that is held and how it is processed. MedModus staff may also access information to provide training or assistance (including troubleshooting) to the customer’s administrative team.

Administrators and rostered staff members can therefore approach either the organisation, as data controller, or MedModus, as data processor, for further information about their rights, the type and use of personal information, or access requests.

Personal data held and processed in MedModus systems

Users of MedModus SaaS products and services are identified by their name, email address and role in the system. Other staff who are not users of the system might be identified by their name and other personally identifiable information (“PII”). This level of detail is customisable for each customer implementation.

Audit information such as log-in attempts, usage tracking and administrative actions is logged against users.

Information stored in the system is retained for the duration of MedModus’ contract with the organisation unless otherwise directed by the organisation. This is to ensure that historical records such as the nature and timing of given events can be retrieved.

Further Use of Data

To fix a specific software fault or issue, a customer database may be copied and pseudo-anonymised in a secure environment for investigation. For all other purposes, a department database may be copied and used in an environment controlled by MedModus staff only after being fully anonymised to remove all personal details.

Data from the databases may be used to provide aggregate data with no personal attributes for use in analysis reports and to provide data sets for purposes such as academic articles. Such use is subject to the strict authorisation of the data controller.

Our native Android and iOS apps use Azure Messaging Hub, Firebase Cloud Messaging, Analytics, and Crashlytics. These services collect a unique token identifier, which Cloud Messaging uses to deliver push messages, and which Crashlytics and Analytics use to collect anonymised information on how our apps are used as well as crash reports. All information collected is only used to provide our services and to improve how our apps work.

Privacy and GDPR information for Firebase can be found in their Data Processing and Security Terms.

Personal data is not mixed with information from other sources, and no personal information is provided by MedModus to any other third party.

Personal Data Rights

The GDPR sets out various important rights relating to personal data which are summarised on the Irish DPC’s website. These rights include the right to be informed, right of access, right of rectification and several others.

Individuals whose personal data are stored in MedModus’ systems and who wish to exercise one of these rights can contact the organisation (as controller) to do so. While the data controller should contact MedModus with a request, MedModus is available to support individuals as required. We are required to respond to requests within 30 days. Please note that communication regarding your case will be dealt with through the organisation’s Data Protection Officer. Questions concerning personal information may be most effectively answered by the customer administrative team in charge of the rota containing that information.

Individuals can make an access request or contact MedModus regarding their personal data rights by emailing: dpo [at] medmodus [dot] com.