Here we explain how personal data is collected when you participate in the course, how that data is used, your rights, and how you can control/delete that data.
For your security, we are committed and legally required to maintain the confidentiality and integrity of any information you give us. We understand that the privacy and security of your personal data is an important issue and we are committed to protecting it. We aim to be completely transparent on how we collect, process and store your personal data and to ensure that the data we collect is kept to the minimum required for course participation.
'Personal data', is any data that can be used to directly contact or identify an individual, such as full name or email address, as well as any data that is combined directly with such data.
We will treat your personal information and data in accordance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and the US Health Insurance Portability and Accountability Act (HIPAA). When we collect or use your data, Wellmind Health is the "data controller", which means we decide how and why your data is processed.
1. How we obtain your personal data
You provide us information about yourself in various ways when you follow the course. For example, you provide us with data such as your name and email address, or otherwise provide us with various personal information when you interact with the course. We also collect personal information when you communicate directly with us by email or phone.
2. What personal data we collect
- a. Contact data, including your email address.
- b. Technical data such as your IP address or web browser type.
- c. Your responses to self-assessment questionnaires on the course.
- d. The information you enter as part of your online course work.
3. How we use your personal data
Wellmind Health processes your personal data for the following purposes:
- to enhance the learning experience by presenting data in the form of charts and graphs to you as you progress through the course;
- to provide course support requested by you and any related communications;
- to analyse trends and profiles in order to better understand our performance, improve the course and better meet the needs of participants;
- to comply with legal obligations and regulatory compliance;
We reserve the right to anonymise (modify to render anonymous) any data collected from you. Once rendered anonymous this data may be used by us to support research activities, provided that your identity is kept anonymous at all times and cannot be derived from the anonymised data. Also, summaries of anonymous Personal Data (for example average scores of all course participants on questionnaires) will be used to improve the course, and may be used in publications or on the website to indicate the effectiveness of the course. This anonymous data will consist solely of summary information and will not include any personal information that can be used to identify participants of the course. Your participation with the course implies consent for the use of summary data in this way.
The course is marketed and defined as suitable for adults looking to improve their mental health. We do not knowingly collect data relating to minors. If we become aware of a minor registering on the course, they are informed and their account is closed with related data erased.
We use strictly essential secure 'session' cookies to enable the identification of users so that they can login and use the course securely. A session cookie expires when you close your browser. The cookies do not contain any personally identifiable data.
Additionally, we make use of non-essential Google Analytics cookies to analyse user behaviours and so improve the functionality of our web pages.
5. Sharing your personal data
We will not make any personal information about your participation with the course available to any other party, except where you have been given a place on the course by a sponsor. In the case where you have been given access by a sponsor, personal information may be shared with them, with the exception of your course work and entries in your online diary, which are totally confidential.
If you accept our non-essential Google Analytics cookies when you visit our web pages, then your data about visits and navigation of the website is shared with Google.
6. Our legal basis for processing your data
- a) Personal data
The law allows us to collect and use personal data if it is reasonably necessary to achieve our purpose (as long as to do so it is fair, balanced and does not unduly impact on your rights). Our purpose is the running of the web-based course and delivering to you the most effective learning experience.
- b) Sensitive Personal Data
We also collect sensitive personal data known as "special category personal data" as defined in Article 9 of GDPR, in the form of the health information that we collect when you complete the course self-assessment questionnaires. We rely on your consent to legally collect and process this sensitive personal data. We use this data to present charts to you of your self-assessed health information, so you can review your progress on the course. We only collect from you the minimum information necessary for this purpose.
7. How long we keep your information
We only keep your personal information for as long as necessary to fulfil the purposes we hold it for, including satisfying any legal, accounting or regulatory requirements. We keep the necessary personal information for this purpose so you can take long breaks during the course and also to provide you with ongoing access to the post-course online resources.
After a period of 8 years from your last login, we will actively seek your agreement to retain your course related data beyond this period. At any time, you can cancel your participation with the course, and have us delete the personal information that we hold.
8. Communicating with you
We may use your email contact details to provide you with information about the course, which we consider may be of interest to you. You can opt out of receiving these emails from us at any time by clicking the "unsubscribe" link at the bottom of our emails. This does not include the course integrated emails, which the receipt of is necessary for course participation.
We implement strict security measures to protect against the loss, misuse and alteration of your personal information. No other parties have access to or control over our course platform on Amazon Web Services.
The web-based course is protected by HTTPS, meaning that any personal information that you transfer to us is encrypted and stored as securely as possible.
We make sure that your personal information is only accessible by trained staff that need this data in order to carry out their functions.
We maintain processes and procedures for keeping an audit trail of access to your Protected Health Information (PHI). All course participant and administrator access and activity within the web-app and/or administration system is logged. Any change to any object is logged in a centralized table. Full versions of certain objects are retained providing full auditing and rollback capabilities.
We regularly review all internal security and privacy policies to ensure that all personal information within, or passing through the company, is handled in accordance with GDPR and HIPAA regulations.
10. Your rights
We rely on your consent to use your personal information and you can withdraw that consent at any time. You also have the following rights:
- Right of access - You have the right to know if your personal data is being held, what categories of data are held, and to receive a copy of all data about you. We may ask you for additional information to confirm your identity before disclosing personal information to you.
Right of rectification - You have the right to request that we correct inaccurate personal information concerning you. You can ask us to check if you are unsure.
Right of erasure - You may request we delete your personal information.
Right to restrict processing – You may ask for our use of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
Right to object - You can ask us not to use your personal information to communicate with you, or where we are using it on the basis of our legitimate interests or for research or statistical purposes. You may opt-out from email communications by clicking the 'unsubscribe' link in our emails or contact us.
Right to data portability – Where we are processing your personal information by 'automated means', you may ask us to provide your personal information to you or another service provider in a machine-readable format.
Rights related to automated decision-making – You have certain rights in relation to decisions made solely on the basis of automated processing of your personal information that has legal or similar effects on you.
- Right to inspect personal data – You have the right to inspect your personal data and personal health information and how it is used and shared. Under certain limited circumstances, we may deny an individual’s request for access to to a portion of the Personal Health Information requested. In this circumstance, you have the right to have the denial reviewed by a licensed healthcare professional who did not participate in the original decision to deny.
Right to opt out of processing activities – You can opt out of the processing of the personal data that you share with us when you participate with the course. If you opt out, it will not be possible to continue with the course as data processing is necessary to deliver our service.
11. Location of Hosting
The personal information that we collect is stored and processed at the Amazon Web Services cloud London region in the UK.
12. Changes to this policy
13. Contact details
- by email. firstname.lastname@example.org
- or by phone. Tel. +44 (0)1273 325136
- or by post. Wellmind Health Ltd. 27 Palmeira Mansions, Church Road, Brighton, BN3 2FA, UK
- 29 Apr 18 GDPR update
- 23 May 19 Policy clarification update
10 Jun 19 Policy clarification update
- 18 Nov 21 Policy clarification update
17 May 22 Policy HIPAA clarification update