Your Patient Choice Limited (trading as Paloma Health, and referred to as ‘Paloma Health’ from now on) privacy notice for our NHS children and young people’s autism assessment services.
This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.
Applicable law
Data processing by Paloma Health is subject to English law and, as applicable, European law, i.e. GDPR. Pursuant to applicable data protection regulations (UK GDPR, UK DPA 2018, etc.), we work to ensure our users have appropriate protection of their privacy and personal data.
Our contact details
Name: Your Patient Choice Limited, trading as Paloma Health
Address: 140 Borough High Street, Work.Life Borough, London, SE1 1LB, UK
General inquiries email address: support@paloma.health
We are the controller for your information. A controller decides on why and how information is used and shared.
Data protection officer contact details
Our Data Protection Officer is Jordan Spain and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at DPO@paloma.health.
How do we get information and why do we have it?
The personal information we collect is provided directly from you for one of the following reasons:
- You have provided information to seek NHS care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
- You have signed up to our newsletter or patient participation group
- You have made a complaint
We also receive personal information about you indirectly from others, in the following scenarios:
- From other NHS health and care organisations involved in your care so that we can provide you with care, for example your GP practice
- From family members or carers to support your care
- From your child’s school to support your care
- From Local Authority Safeguarding Teams
What information do we collect?
Personal information
We currently collect and use the following personal information:
- Personal identifiers and contacts (for example, name and contact details, date of birth, NHS number)
- Cookie Data: our technology uses cookies to distinguish you from other users of our services. This helps us to provide you with a good experience when you navigate our technology and also allows us to improve our technology and services. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Policy. Cookie data collected is based on your consent, and you may opt in and out of this (prompted to you as a pop-up on our website and/or accessible to you by opening your cookies in your browser). The Cookie Policy outlines the use of cookies, tags, trackers, and/or analytic tools, which you may opt in and out of as indicated. This gives you further control over how your data will be processed via our website.
- Technical information: the type of mobile browser you use (Device Information), Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from Our Site(s) (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page, and any phone number used to call Our customer service number (Other Information).
- Location Information: We may also use GPS technology to determine your current location.
- Usage & Activity Data: detailing your use of our technology and/or your visits to any of our platforms and the resources that you access (Log Information).
More sensitive information
We process the following more sensitive data (including special category data):
- Data concerning physical or mental health (for example, details about your appointments or diagnosis)
- Data on racial or ethnic origin
- Data concerning a person’s sex life
- Data concerning a person’s sexual orientation
- Data revealing religious or philosophical beliefs
- Recordings of calls with our Care Coordination Team, and calls and video calls with our Clinical Team for the purposes of delivering the services, ensuring a high level of quality, training our staff, and fact verification.
Pseudonymised and Codified Personal Data
Pseudonymised and Codified Personal Data, which contains personal data and more sensitive data and which is subject to de-coding, may be shared with NHS commissioning bodies and contractually relevant parties for the purposes of NHS Service administration (including national and regional NHS invoicing), evaluating our Services and/or for research. Such data may also be used by Paloma Health and authorised affiliates (i.e. NHS) for research and publication purposes and can be analysed and used to improve our Service (optimisation, further development and research).
Uses made of the information
We use your personal information to:
- Carry out our obligations arising from any contracts entered into with you and to provide you with the information, products and services that you have requested;
- Provide you with NHS-funded services and additional services or offers that we feel may be of interest to you, which are relevant to your circumstances. You can opt out of receiving any communication you receive at any time;
- Contact you by electronic means (e-mail or SMS) with information about services we feel may be of benefit to you and with links to evaluation questionnaires. If you are a new customer, we will contact you by electronic means only if you have consented to this;
- Evaluate questionnaires;
- Notify you about changes to our Service;
- Ensure that content on our technology is presented in the most effective manner for you and for your computer.
- Administer our technology and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- Improve our technology to ensure that content is presented in the most effective manner for you and for your device/computer;
- Allow you to participate in interactive features of our service, when you choose to do so;
- As part of our efforts to keep our technology and systems safe and secure;
- Anonymise personal data for the purposes of validation and quality management (improvement and further development of our services and offers) even after the end of the service relationship; we also analyse your anonymised data and use it to compile statistics on various patient groups and the use of functions and the results achieved in order to better understand our patient structure and thus also improve and further develop ourselves; these statistics may also be used or published for research purposes in collaboration with institutes; at no time can conclusions be drawn about individual persons from the statistics used in this way.
Who do we share information with?
We may share information with the following types of organisations:
- Your NHS GP practice, your local NHS hospital for medical conditions, and your local NHS mental health service for mental health conditions
- Business partners, suppliers, sub-contractors and third party services providers to deliver the contracts and services you have requested.
- Planners of health and care services (such as Integrated Care Boards)
- Others including Local Authorities
In some circumstances we are legally obliged to share information. This includes:
- When required by NHS England
- When reporting some infectious diseases
- When a court orders us to do so
- Where a public inquiry requires the information
We will also share information if the public good outweighs your right to confidentiality. This could include:
- Where a serious crime has been committed
- Where there are serious risks to the public or staff
- To protect children or vulnerable adults
We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include complying with the law and public interest reasons.
Is information transferred outside the UK?
Our data is hosted in the UK and USA but is only available to our staff and technical support staff in the UK.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our technology, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
The transmission of information via the internet is not completely secure; however, we will do our best to protect your personal data. We cannot guarantee the security of your data transmitted to our technology and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
What is our lawful basis for using information?
Personal information
Under the UK General Data Protection Regulation (UK GDPR) we must have a legal basis to process each bit of your personal data. The type of basis will vary based on the type of data, parties involved, etc. The legal bases relied upon in processing of your personal data are:
(a) We have your consent (Art. 6 (1) a) UK GDPR) - this must be freely given, specific, informed and unambiguous. For example, for the use of our website cookies.
(b) We have a legal obligation (Art. 6 (1) c) UK GDPR) - the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
(c) We need it to perform a public task (Art. 6 (1) e) UK GDPR) - a public body, such as an NHS organisation or an independent care organisation providing NHS services, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.
(f) We have a legitimate interest (Art. 6 (1) f) UK GDPR). For example, making relevant individuals aware of our healthcare services.
More sensitive data
Under UK GDPR, the lawful bases we rely on for using information that is more sensitive (special category) are:
(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.
(j) For Archiving, research and statistics (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.
To support your understanding, we have provided further information below.
Consent
In order to deliver your services, we may ask for your agreement to process certain data for specific purposes. You have the right to withdraw your consent at any time, however the refusal may not erase all historical personal data processed if there are other legal grounds for the processing. We may ask for additional consents to provide you with extra services which may require your sharing of additional data (not already consented to or covered by a legal basis of processing already).
Legitimate interest
We may process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we may process your information for things such as:
- Providing, maintaining and improving our services to meet the needs of our users
- Developing new products and features that are useful for our users
- Understanding how people use our services to ensure and improve the performance of our services
- Customising our services to provide you with a better user experience
- Marketing to inform users about our services
- Providing advertising
- Detecting, preventing or otherwise addressing fraud, abuse, security or technical issues with our services
- Protecting against harm to the rights, property or safety of Paloma Health, our users or the public as required or permitted by law i.e. disclosing information to government authorities
- Performing research that improves our services for our users and benefits the public
- Fulfilling obligations to our partners like developers and rights holders
- Enforcing legal claims, including investigation of potential violations of applicable Terms.
Measures for Data Security, Mechanism for Data Transfer & Storage
We protect your personal data appropriately with firewalls and other technical means (according to industry standards and applicable law). Only employees and agents of Paloma Health (which are obligated to maintain confidentiality) can access applicable data and only as reasonably necessary to perform their role. Other third parties do not have access to your data without your explicit consent or as explicitly noted herein (where the legal basis for some is not consent).
Paloma’s applications
We use Amazon Web Services (AWS) to host and store our applications and data. All information is stored within the UK and is not transferred to any other nation or region. For further information, you can view AWS’ Data Protection and Privacy notices (https://aws.amazon.com/compliance/data-protection/).
Paloma’s providers
Paloma utilises external providers to enhance our service offering.
Healthie
Healthie is an all-in-one practice management platform and EHR designed specifically for health and wellness providers and their clients. All data within the Healthie platform is stored, transferred and processed only in the US via AWS; no data is hosted or transferred offshore. Healthie meets the following privacy and security standards:
- HIPAA
- SOC 2 Type-2
- HITRUST R2 Certification
- ONC Certification
- PIPEDA/PHIPA
- FERPA
- PCI Compliance (via our third-party payment processor, Stripe)
- AUS Privacy Act
- CCPA
- GDPR
- WCAG 2.1 A
- WCAG 2.1 AA
You can find more information about Healthie in their Security and Privacy policies (https://help.gethealthie.com/article/69-healthie-security-and-privacy).
Awell
Awell is a platform that allows us to build and administer clinical care pathways. All data within the Awell platform is stored, transferred and processed within the UK. You can find more information about Awell in their Trust Centre (https://app.vanta.com/awell/trust/qolmmglj8in6dh09ty08t).
Please note, data is stored within the Paloma Patient Portal website, and the encryption depends on your device. If your device is lost or stolen, there is a risk your data can be accessed. The person using the device is encouraged to password-protect their device and use a device that includes encryption. The individual user of Paloma Health bears all risks for data loss from lost or stolen devices.
Common law duty of confidentiality
In our use of health and care information, we satisfy the common law duty of confidentiality because:
- You have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
- We have a legal requirement to collect, share and use the data
- For specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service
How do we store your personal information?
Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code. For example, we will:
- securely dispose of your information by shredding paper records, or wiping hard drives to legal standards of destruction.
What are your data protection rights?
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request).
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
You can make a Subject Rights Request to request access or change or deletion of the personal data we hold at any time. To do this, send a request along with a copy of your passport or other approved identification by physical mail to our address listed above or email to DPO@paloma.health. We will oblige your request except for any data which might be required for us to keep on file for a specified timeframe for compliance with applicable law(s) and NHS standards/regulations.
National data opt-out
We are applying the national data opt-out because we are using confidential patient information for planning or research purposes to support NHS disclosure requirements.
The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.
Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
How do I complain?
If you have any concerns about our use of your personal information, you can make a complaint to us at DPO@paloma.health
Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO. The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Date of last review
09/10/2024