Privacy & Cookies Policy
Last updated on 16th October 2018 v2.2
We are Device Access UK Ltd, Albertine House, Michelmersh, Hampshire, England, SO51 OAG. A company registered in England and Wales with company number 07257316.
- we will always use your data within the law
- we will never sell your personal identifiable data
- we will always respect your wishes about how you would like to be contacted
We will post any modifications or changes to the Policy on our Site. We reserve the right to modify the Policy at any time, so we encourage you to review it frequently. The “Last Updated” legend above indicates when this Policy was last changed. If we make any material change(s) to the Policy, we will post a notice on our Site prior to such change(s) taking effect. In the event that such a change could materially affect your privacy, you will be notified without delay by appropriate means.
How to contact us
Device Access UK Ltd,
How we use your information
This privacy notice tells you what to expect when Device Access collects personal information. It applies to information we collect about:
• people who download our brochure
• visitors to our website
• NHS Digital Hospital Episode Statistics (HES) data
Visitors to our websites
When someone visits this site we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
We use a third-party service, WordPress.com, to publish our website. This site is hosted at Vidahost. We use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please visit
People who email us
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), you have rights as an individual that you can exercise in relation to the information we hold about you.
Access to personal information
Device Access tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.
To make a request to Device Access for any personal information we may hold you need to put the request in writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes.
Disclosure of personal information
In most circumstances we will not disclose personal data without consent.
The exceptions to this are:
• circumstances where we can pass on personal data without consent, for example, to prevent and detect crime and to produce anonymised statistics;
• our instructions to staff on how to collect, use and delete personal data; and
• how we check that the information we hold is accurate and up to date.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
You have the right to:
Access the personal data which the Company holds about you. This is called a Subject Access Request (SAR) and can be made by calling us or in writing via email or at the address as provided in the “How to contact us” section.
You may use this process to exercise your right to:
- Have your personal data rectified if it is inaccurate or incomplete.
- Request that we erase information we hold about you.
- Restrict the processing of your personal data, for example ask us not to contact you.
- Object to the processing of your data for specific purposes such as communications or direct marketing.
- Ask for the transfer of your data electronically to be provided to a third party (data portability)
NHS Digital Hospital Episode Statistics (HES) data
DAUK is the Data Controller and a Data Processor of NHS Hospital Episode Statistics (HES) data provided under a formal Data Sharing Agreement with NHS Digital.
Hospital Episode Statistics (HES) is a data warehouse containing details of all admissions, outpatient appointments and A and E attendances at NHS hospitals in England. See NHS Digital and DARS for further details.
Lawful basis for processing
We receive and process this data as a result of the Data Sharing Agreement with NHS Digital and our legitimate interest in conducting scientific and statistical research in order to enable medical device providers to achieve NICE approvals and accreditation and subsequent NHS adoption, and thus positively impact patients, hospitals and the NHS.
Under GDPR, the most appropriate lawful basis for processing under Article 6 is “Legitimate interest”, coupled with the Article 9 condition in Article 9(2)(j), following a formal assessment to ensure that this meets the purpose, necessity and balancing test criteria.
The preparation and delivery of the bespoke anonymised, aggregated dataset to any medical device manufacturer takes place only following a formal approval process to ensure it meets the purpose, necessity and balancing test criteria for each particular recipient.
The NHS HES data we receive is pseudonymised special category “health data” and non-identifiable, which means individuals cannot be identified from the data.
We never give direct access to unprocessed NHS HES data to any third parties. We do aggregate and anonymise the data at appropriate levels in accordance with the NHS Digital HES Analysis Guide Methodology to provide insight and build analytical models into bespoke data sets. These are provided to medical device manufacturers following a formal external approval process to ensure the requirements for purpose and benefit are met.
We have been able to identify where new technologies could replace the current standard of care and show significant benefits to patients, providers of care, and payers of care. This has been the foundation of the success in over 27 NICE evaluations since 2010.
The HES data sets containing the pseudonymised data are retained for four (4) years, after which they are securely destroyed. These data sets are downloaded, stored and processed securely in conformance with the NHS Digital Toolkit requirements and the Data Sharing Agreement conditions.
Opt out from NHS HES data
DAUK only has access to pseudonymised NHS HES data for the past four years and cannot remove individuals from the datasets.
Should you wish to request that your data is removed from future datasets, then please visit NHS Digital Opting Out Choices for more information about how to opt out of your data being shared.
You also have the right to lodge a complaint with the Information Commissioner’s Office:
Address: Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate)