DIT3 & Dictate Swift - Privacy Policy
Last updated 23-Jul-2020
This is the Privacy Policy of Dictate IT as it relates to the DIT 3 and Swift mobile applications and their associated web applications and services. We are not responsible for the content or privacy practices of other websites. Any external links to other websites are clearly identified as such.
Dictate IT is committed to maintaining the trust and confidence of our customers and to protecting your privacy in accordance with Data Protection legislation at all times. All collection of personal data in association with the provision of the “Apps” is carried out in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
This privacy policy (“Privacy Policy”) applies to the use of the Dictate IT ‘DIT3’ and ‘Dictate Swift’ mobile apps (the “Apps”), which are used as companion apps to the DIT3 and Dictate Swift web application and services for transcription of medical letters and notes (the “Services”). References to Services include use of the Apps and Services unless otherwise stated. This Privacy Policy sets out how we use your personal information and personal information uploaded via your use of the Services and your rights in respect of our processing of such personal information.
The Apps and Services can only be used by users whose organisation (for example an NHS Trust or GP Practice) has entered into a service agreement with Dictate IT Limited. The service agreement will define the data sharing and information governance policies that apply to the Services. The Privacy Policy described here applies only to the use of the Apps, and is subservient to the overall service agreement an organisation has with Dictate IT Limited.
The Services are operated by Dictate IT Limited (“Dictate IT”, “we”). We are the UK’s largest provider of dictation, transcription and medical communication workflow solutions to NHS secondary care. Our registered office is at 96A Clifton Hill, London, NW8 0JT and our registered company number is 04930122.
Dictate IT is registered with the UK Information Commissioner’s Office as a data controller with registration number: Z8578963 in respect of some of its uses of personal data.
In this Privacy Policy the following terms have the following meanings:
“Account Data” means the personal data that we collect and process about you as a user of the Services, the IP addresses of the devices you use to access the Services and analytics data relating to your use of the Services, such as a log of when error messages are shown and a log of the Apps’ connection attempts;
“Appointment Data” means the appointment and patient identifier metadata that some versions of the Apps and Services can pull from Patient Administration Systems (PAS) and Electronic Patient Records (EPR) like EMIS. This data may include items such as: appointment date and time, clinic code, patient name, patient date of birth, patient NHS number, etc.
“Data Protection Legislation” means the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) together with all other applicable laws and regulations relating to the processing of personal data and privacy, including any binding guidance and codes of practice issued from time to time by any relevant supervisory authority;
“Dictated Data” means all personal data that exists within the audio data dictated on your Device using our Services, which may include patient names, dates of birth, contact details, symptoms, diagnoses, treatments and such other personal data as you may include in your dictation via the Services;
"GDPR" means the General Data Protection Regulation (EU) 2016/679;
References to “controller”, “processor”, “processing”, “data subject” and “personal data” shall have the same meaning as defined in GDPR.
From a data protection perspective, we shall act as a “processor” in respect of Dictated Data and we shall act as a “controller” in respect of the Account Data.
Dictate IT agrees to comply with its obligations under Data Protection Legislation in respect of its provision of the Services.
We receive and store information you provide directly to us. For example, when setting up new users, we collect Personal Information, such as name and e-mail address, to provide them with the Services. The types of information we may collect directly from our customers and their users include: names, usernames, email addresses, postal addresses, phone numbers, job titles, transactional information (including Services purchased) as outlined below:
We use your Personal Information in this context based on the contract that we have in place with you or our legitimate interest for security purposes (e.g. the prevention and investigation of fraudulent activities).
Account Data, Appointment Data & Dictated Data: Fulfilment of Services to you.
We use the Account Data, Appointment Data and Dictated Data to fulfil our obligations in the agreed terms & conditions for the provision of the Services to you. Personal Information will be deleted based on the terms of the contract.
Who do we share personal information with for this purpose?
In order to perform the Services, we share:
Dictated Data: Improvement of speech recognition accuracy
We use the Dictated Data to improve the speech recognition accuracy of the Services. To improve the accuracy of our “Speech” recognition technology we develop models to work with the information processing techniques that we use. These models are retained for as long as it is necessary to fulfil this purpose, however the models do not contain information which could identify an individual either directly or indirectly.
Account Data: Analytics
We analyse Account Data from your interactions with the Services (such as the functions of the Services which you use, error messages you receive, and the times of day at which you use the Services). This information is used to gain understanding of our customers’ use of the Services and allows us to improve the Services.
Who do we share personal information with for this purpose?
We share the Account Data with Firebase (Google Inc), https://firebase.google.com/, an analytics service provider, in order to assist us with such analysis.
Account Data: Business administration and compliance.
We may also use the Account Data:
Who do we share personal information with for these purposes?
We may share your Account Data with professional advisers, potential purchasers of our business or assets and/or governmental or regulatory authorities.
Our Services may contain links to third party websites and services. Please remember that when you use a link to go from our Services to a third party website or you request a service from a third party, this Privacy Policy no longer applies. Your browsing and interaction on any third party website, or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies.
We do not monitor, control, or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices.
This Privacy Policy applies solely to personal information collected by us through our Services and does not apply to third party websites and third party service providers.
Data retention
We retain Account Data during the period in which your organisation uses the Services.
Appointment Data and Dictated Data are retained for a period defined in the service agreement between your organisation and Dictate IT.
When assessing what retention period is appropriate for your personal data, the following have been taken into consideration:
All identifiable personal data obtained via the Apps is stored within the UK, and we use Redcentric data centres located in Reading, UK, and Amazon Web Services data centres located in London.
Some organisations may use the Apps to send audio data to Dictate IT’s manual transcription service, as opposed to just using our Automated Speech Recognition service. In this case these manual transcription Services are governed by their own Service Terms and privacy policies. If your organisation uses these manual transcription services, please refer to these separate policies and agreements.
Dictate IT are certified to ISO 27001 and are committed to keeping the personal information you provide to us secure and we will take reasonable precautions to protect such information from loss, misuse or alteration. Obligations in maintaining confidentiality are outlined in the service agreement.
All of our employees and data processors (i.e. those who process personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of the personal information of all users of the Services and we only store personal information in highly secure NHS Information Governance compliant data centres. Personal information is protected by a variety of technical controls and safeguards to ensure security and privacy including AES 256 encryption at rest and in transit.
A comprehensive suite of Technical and Organisational Measures has been implemented. For more information, please read our Security Measures overview for Dictate Swift.
Users can only use the Apps and Services with a valid login. Once a user logs into either the Apps or web clients, we use analytics tools to monitor user behaviour in the Apps & Services and then associate this with a specific account. This is as described for ‘Account Data’ above:
We analyse Account Data from your interactions with the Services (such as the functions of the Services which you use, error messages you receive, and the times of day at which you use the Services). This information is used to gain understanding of our customers’ use of the Services and allows us to improve the Services. We share the Account Data with Firebase (Google Inc), https://firebase.google.com/, an analytics service provider, in order to assist us with such analysis.
We do not use Cookies, and do not track users who are not logged into our Services.
Under Data Protection Legislation data subjects have various rights in respect of their personal information which data controllers must comply with such as the right to rectification and erasure. Please note if you exercise your data subject rights in respect of Account Data this may impact our ability to provide the Service. In respect of the Dictated Data we shall, on written request, provide reasonable assistance to you in respect of any request you receive from a data subject in respect of the Dictated Data provided that we shall be entitled to recover all costs incurred by us in providing such assistance.
Please note that we may still use any aggregated and de-identified Personal Information that does not identify any individual, and may also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
If you would like to access, review, update, rectify, and delete any Personal Information we hold about you, or exercise any other data subject right available to you under the EU General Data Protection Regulation (GDPR), contact our data protection representative via swift@dictate.it.
Your Privacy Rights
What choices do I have?
You can always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of our features.
We may make changes to this Privacy Policy from time to time.
To ensure that you are always aware of how we use the Account Data and Dictated Data we will update this Privacy Policy from time to time to reflect any changes to our use of personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We will notify you or your organisation by e-mail of any significant changes. However, we encourage you to review this Privacy Policy periodically to be informed of how we use personal information.
If you have any questions about this Privacy Policy, please contact us by email via swift@dictate.it.
You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone – 0303 123 1113 (local rate) or 01625 545 745
Website – https://ico.org.uk/concerns