Lindus Health Limited (“Company”, “we”, “us”, “our”) respects privacy and is committed to protecting personal data. We have adopted this Policy to outline the responsibilities and procedures that are in place to ensure the privacy and confidentiality of the Personal Information we process.
The purpose of the Policy is to:
- Define Personal Information and Sensitive Personal Information.
- Establish principles that govern how we protect Personal Information that has been entrusted to us.
- Define the individual within Lindus Health Limited who is responsible for the protection of Personal Information.
- Clarify privacy rights and how the law protects Personal Information.
This Policy applies to all Lindus Health Limited employees and representatives, including any contractor or third-party provider of services to Lindus Health Limited (Third-Party Provider) who have access to Personal Information (defined in section 4 below) that Lindus Health Limited has responsibility to protect (collectively, Personnel). This Policy applies to all Personal Information collected, maintained, processed, transmitted, stored, or otherwise used by Lindus Health Limited regardless of how that information is presented, processed, stored, or otherwise used and irrespective of who it relates to.
3. Who we are
In most circumstances Lindus Health Limited is a Data Processor, and in some circumstances may be a Data Controller. When we act as a Data Processor, we will protect Personal Data in accordance with instructions laid out by the Data Controller. When we are a Data Controller we will comply with principles and rights laid out in the EU’s General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018 (DPA).
3.2 Data Protection Officer
Lindus Health have appointed a data protection officer who is responsible for implementing and maintaining this Policy. Any questions, including any requests by a Data Subject (defined in section 4 below) to exercise their legal rights, should be directed to the Data Protection Officer using the details set out below:
Full name of legal entity: Lindus Health Limited
Name of Data Protection Officer: Evalian Limited
Contact email: firstname.lastname@example.org
Information Commissioner’s Office (ICO) reference number: ZB038909
Data Subjects have the right to make a complaint at any time to the ICO, the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with any concerns in the first instance.
Personal Information means information that relates to an identified or identifiable individual, including, but not limited to:
- Telephone numbers.
- Email addresses.
- Employee identification numbers.
- Biometric, medical, health, or health insurance information.
Data Subject means the identified or identifiable living individual to whom personal information relates.
Sensitive Personal Information means personal data that needs more protection because it is sensitive and if lost, accessed, or improperly disclosed could result in harm, embarrassment, or inconvenience to an individual and that therefore is subject to additional protection. Examples of Sensitive Personal Information include, but are not limited to:
- Religious beliefs or political opinions.
- Trade union membership.
- Information concerning an individual’s sex life or sexual orientation.
Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed.
5. Using, handling, and retaining Personal Information
5.1 Notice and collection
It is Lindus Health Limited’s policy that whenever it collects Personal Information for any purpose, it will inform the Data Subject of how it will use, process, disclose, protect, and retain that Personal Information by presenting a privacy notice to the individual at the time the individual provides the Personal Information. Personnel may only collect Personal Information in compliance with applicable Lindus Health Limited policies, notices, and, where appropriate, Data Subject consent, and the Personal Information collected will be limited to that which is reasonably necessary to accomplish Lindus Health Limited's legitimate business purposes or as necessary to comply with law.
5.2 Access, use, and sharing of Personal Information
Personnel may only access Personal Information when the information relates to and is necessary to perform their job duties. Personnel may not use Personal Information in a way that is incompatible with the privacy notice given to the Data Subject at the time the information was collected. If any Personnel are unsure about whether a specific use or disclosure is appropriate, they should consult with the Lindus Health Limited Data Protection Officer (see section 3.2 above). Personal Information may only be shared with a Third-Party Service Provider if it has a need to know the information for the purpose of providing the contracted services and if sharing the Personal Information complies with the privacy notice provided to the Data Subject. In this situation, if Lindus Health Limited is the Data Controller then Lindus Health Limited will provide a Data Processor Agreement to the Third-Party Service Provider which binds them to the provisions of this policy, and applicable laws and regulations.
Personnel must collect, maintain, and use Personal Information that remains accurate, complete, and relevant to the purposes for which it was collected.
Personnel are responsible for protecting Personal Information. Lindus Health Limited has implemented an Information Security Policy [Ref] that sets out safeguards for the protection of Personal Information. Personnel must follow the security procedures set out in the Information Security Policy at all times. Personnel must exercise particular care in protecting Sensitive Personal Information from loss, unauthorized access, and unauthorized disclosure.
5.5 Data Subject's Rights
Individuals have rights with regard to how their Personal Information is handled. These rights vary depending on the applicable jurisdiction, but under GDPR include for example:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Personnel must comply with applicable laws regarding the rights of Data Subjects. If any Personnel are unsure of the applicable legal requirements, or if they receive a request or complaint from a Data Subject regarding the handling of their Personal Information, they should contact the Lindus Health Limited Data Protection Officer (see section 3.2 above).
5.6 Retention and disposal
Personnel should keep Personal Information only for the duration needed to fulfil the legitimate business purpose for which it was collected or to satisfy a legal requirement. Personnel must follow the applicable Lindus Health Limited records retention schedules and policies (Ref) and destroy any media containing Personal Information in accordance with the applicable records disposal policy (Ref).
6. International data transfers
A number of countries, including European Union member states, and the United Kingdom, restrict the transfer of Personal Information across international borders. Before transferring Personal Information across international borders, Personnel must consult the Lindus Health Limited Data Protection Officer (see section 3.2 above) to confirm that applicable data transfer requirements have been addressed.
7. Reporting a security breach
If any Personnel know or suspect that a Security Breach has occurred, they must immediately contact the Lindus Health Limited Data Protection Officer (see section 3.2 above).
8. Monitoring compliance and enforcement
The Lindus Health Limited Data Protection Officer (see section 3.2 above) is responsible for administering and overseeing implementation of this Policy and, as applicable, developing related operating procedures, processes, policies, notices, and guidelines. If any Personnel are concerned that any provision of this Policy, or any related policy, operating procedure, process, or guideline designed to protect Personal Information, has been or is being violated, they must contact the Lindus Health Limited Data Protection Officer (see section 3.2 above). Lindus Health Limited will conduct periodic reviews and audits to assess compliance with this Policy. Employees who violate this Policy and any related guidelines, operating procedures, or processes designed to protect Personal Information and implement this Policy may be subject to discipline.
9. Third-party links
Lindus Health Limited’s website will include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections will allow third parties to collect or share data about visitors to their websites. We do not control these third-party websites and are not responsible for their privacy statements. When an individual leaves our website, they should read the privacy notice of every website they visit.