The General Data Protection Regulation is an EU regulation that will be in force as of May 25th 2018 and will supersede the Data Protection Directive of 1995.
GDPR relates to the collection and use of data which may include but is not limited to names, photos, email addresses, bank details, social media accounts and posts, medical information, genetics, biometric data, computer IP addresses.
If you’re using Rehab Guru to prescribe exercises to your clients and patients then GDPR applies to you, even if you aren’t physically located in the EU.
It’s worth noting that privacy and security policies are live documents and are constantly updated; this page and its linked policies will be kept up to date to accurately reflect how we comply with GDPR.
GDPR separates entities into Controllers and Processors. In some cases Rehab Guru Ltd serves as both. We endeavour to provide you with the documentation, information and policies you require in order to assist you in being compliant yourself.
There have been a number of updates to our policies, terms and practices over the last 6 months, an outline of which can be found below:
- Documentation of our internal processes and in-house policies on how we handle your data.
- Vetting third-party vendors and subcontractors for their compliance with GDPR.
- Appointment of a GDPR representative and Data Protection Officer (DPO).
Appointment of Data Protection Officer (DPO)
We’ve appointed a member of our team who resides in the United Kingdom to the role of DPO and EU representative. Our DPO oversees all aspects of our in-house data usage as well as wider privacy and GDPR compliance issues.
Our DPO can be contacted at firstname.lastname@example.org.
Ensuring third-party vendors meet GDPR requirements.
Rehab Guru relies upon a number of industry-standard services and infrastructure in order to operate. As part of our GDPR preparation, we have ensured that they are all GDPR compliant themselves, as well as reviewing our agreements with them covering the processing of both our data and the data processed on your behalf.
We rely on services such as cloud services and transactional email providers in order to provide our service. You can read more about our third-party vendors further down this page.
REHAB GURU AS A DATA PROCESSOR
Jargon Buster: “We process the data that you are the controller of” — we provide the tools, services and infrastructure to allow you to comply with the 7 pillars of GDPR.
Control over marketing communications - It is Rehab Guru’s policy not to contact patients with marketing related communications. You are the controller of their data, not us; therefore, we have no right to contact them directly. That includes the communication of our GDPR compliance: it is your responsibility to inform your clients and patients of where and how their data is held.
Ability to modify personal information — personal information can be modified at the request of the patient. This fulfils the GDPR requirement of Right to Rectification.
Providing patients with a copy of all their personal information — In the situation where a patient requests a copy of all the data you hold on them under their GDPR Right to Access, it must be provided in an easy-to-transfer, readable format as defined under the Right to Portability. We assist you in fulfilling such requests by providing an export service. Simply email your request to email@example.com including any relevant information (such as client name, email etc.).
Deletion of all patient information (The Right to Erasure / to be Forgotten)
A patient may request the deletion of all the data you hold on them, including that held on platforms such as EHRs and Rehab Guru.
We give you the tools to perform a full deletion of a client from within all our apps. Please note that this process is irreversible and we cannot restore any information that has been deleted in error. Note: For some enterprise clients, your authority to delete prescriptions may be superseded by a higher authority.
REHAB GURU AS A DATA CONTROLLER
Jargon Buster: In addition to us processing the patient data that you control via our services, we are also controller of your data, for example, your name, email address, clinic information etc. As a controller, we have the same responsibility to you as you do to your patients. Below is an outline of how we comply with our data controller responsibilities under GDPR.
Full deletion of your Rehab Guru account.
On your explicit request we are able to delete your entire account and all data that we hold on you and for you (Note: This is irreversible!).
If there is a legal requirement or standing instruction from a higher authority (in the case of our Enterprise users) some data may be retained in an archive.
Control over marketing communication
We offer the option to opt out of all marketing, product updates and special offers from within our Web App account panel. This does not include correspondence which directly relates to your account, such as payments or security, or cases where we are forwarding a client request that was sent to you via us or sent to us by mistake.
REHAB GURU’S COMPLIANCE WITH GDPR’S 7 PILLARS
The points below provide a very brief summary of how we comply with GDPR’s 7 pillars. We have much more detailed information on our GDPR preparation and compliance; however, this list provides a quick compliance checklist.
We endeavour to write our Terms of Service and Privacy Policies in plain English and keep jargon to a minimum. We request your consent when signing up and provide numerous tools in order to manage both your own and your patients’ data.
We have gone through an extensive Business Continuity and Risk Management Planning process in order to both identify risks as well as plan our recovery. As part of this plan, we have a communication plan and required infrastructure to inform all users of potential breaches.
Right to Access
All requests for data are handled by our staff. We handle them on a one to one basis in order to ensure that you get the data in a readable, transferable format as stipulated by the right to portability — see below.
Right to Erasure (To be forgotten)
Within your account, you have all the features to delete a client. The option to delete your whole account and all data associated with it can be done by contacting our Data Protection Officer at firstname.lastname@example.org (account deletion is irreversible and explicit consent from the account holder is required as evidence of this request).
We export your data in the format you require (within the bounds of what is technologically possible). Export requests can be performed by submitting a help ticket from our support portal (https://support.rehabguru.com).
Data Protection Officers
Whilst not strictly necessary by the letter of the law, we’ve still appointed a member of our team who resides in the United Kingdom to the role of DPO and EU representative. Our DPO oversees all aspects of our in-house data usage as well as wider privacy and GDPR compliance issues.
Our DPO can be contacted at email@example.com.
Privacy by Design
The Rehab Guru founders all originate from a clinical background. Therefore privacy and principles such as Caldicott, patient confidentiality and clinical governance have all been considered in the design and creation of the services provided by Rehab Guru Ltd.
REHAB GURU THIRD-PARTY VENDORS
In order to deliver a global service, Rehab Guru Ltd may engage with subprocessors who may have access to Customer Data through the delivery of their service (e.g. our email service, Mailchimp, would process your name and email in order to send out a welcome email to you). Details of all our subprocessors can be found below; where relevant we have also linked to their own GDPR and Privacy Policies for completeness.
Amazon Web Services
Service: Cloud Service Provider
Location: USA, Ireland
Service: Transactional Email
Service: Database Provider
Service: Analytics (anonymised)
Service: Analytics (anonymised)
Service: Analytics (anonymised unless response to poll where email is optional)
Service: Support Services
Service: Payment Processor