Changes to the Privacy Notice
This Privacy Notice was last updated on 17th October 2024.
Introduction
We at Cristal Health Limited (“Akrivia Health”) take our responsibilities under both the UK GDPR and Data Protection Act 2018 seriously. That might sound trite, a stock phrase for privacy notices, but privacy is at the core of our business.
This Privacy Notice tells you about how we use your personal data for the purpose of providing you with use of our website, our industry platform, and keeping you up to date with new and upcoming activities carried out by us. It also tells you about how we use your personal data if we employ you, or if you take part in our Public and Patient Involvement activities.
Personal data is data that relates to you, and which can be used to identify you, either by itself or by combining it with other data. Akrivia Health uses personal data to communicate with our customers, employ individuals to work for us, market our services, and correspond with researchers. Akrivia also handles personal data on behalf of other organisations, but this is not included in this Privacy Notice. Where we refer to “we”, “our”, or “us”, we are referring to Akrivia Health.
Employees
What data do you collect & use?
We use data about you to fulfil our obligations to you as an employer, including ensuring that you are paid for your work and are protected in the workplace. We collect data directly from you, as well as creating data once you have been successful in a job application.
This includes, but is not limited to:
- Data that identifies you, basic details such as name, gender, date of birth.
- Contact data like your home address, telephone number, and email address.
- Financial data including bank and pension details, and national insurance number.
- Computer records, including email and messaging history relating to your work.
- Qualifications and employment history.
- Proof of identity and right to work documentation
- Data relating to leave, including annual leave, maternity, paternity, adoption, and shared parental leave.
- Medical and health data, including sick leave, allergies or occupational health requirements.
- Images and photographs.
- Data (name & DOB) that identifies your children, dependents, or partner to link them to your health plan coverage.
We may also collect personal data about you from other people and organisations, such as:
- We request confidential references from referees that you have given to us, which contain data about you.
- We receive data from HMRC such as tax codes.
Do you share my data?
We share your personal data under certain circumstances. When we do share data, we use as little as possible, and on a need-to-know basis.
- If you require emergency medical treatment we will share your personal data with health professionals to ensure you receive appropriate treatment.
- We share your data with HMRC to ensure that you are taxed correctly.
- We share basic identifying data of all beneficiaries of our health plan, including employees and associated beneficiaries like their children and partner.
- We share your name and work email address with Podium Space, our office space provider, to ensure that you can access Akrivia facilities.
How do you use the data you collect?
We use your personal data to fulfil our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the workplace. This includes:
- Using financial data to make sure you are paid and taxed correctly.
- Using your data to manage your performance in fulfilling your contract with us.
- Verifying your identity and right to work in the UK
- Enrolling you with our pension provider and paying in contributions unless you opt-out.
- Understanding how we can support you if you have a disability or impairment.
- Ensuring that you are employed in a suitable environment.
- Assessing if you may present any risk to other individuals.
- Ensuring that you receive adequate training for your role.
- Investigating incidents.
We also use your personal data to provide you with optional employment benefits and opportunities. These include:
- Work-related social events.
- Healthcare provision.
How long do you keep my data for?
We keep your personal data during your employment and we retain the data for an appropriate time after you leave Akrivia. Employee data is kept for at least 6 years after you stop working for us. If you apply for a job with us and are unfortunately unsuccessful, we will erase your data within 6 months of the close of the recruitment process.
We keep your data to defend ourselves against any potential legal claims. We may keep anonymised data for longer than 6 years. Anonymised data cannot identify you and helps us better understand the colleagues that we have employed.
How do you comply with the law?
Data protection law requires organisations to have a legal basis for processing personal data.
- You have signed a contract of employment with us and we use the data to fulfil that contract. If you fail to provide us with the information we request then we may not be able to meet our contractual obligations to you.
- We are legally obliged to process some personal data, such as for tax, record-keeping and health and safety purposes. If you fail to provide us with the information we request then we may not be able to comply with our legal obligations.
- We can share your data with healthcare professionals in emergency situations where your life is at risk. This is known as a ‘vital interest’.
- We can use health data to understand and provide support for you in the workplace in line with health & safety law, and to assess your working capacity.
- We rely on a legitimate interest to collect and use data like confidential references and employee feedback.
- Where you have uploaded a photo as an avatar for applications or profiles, we rely on your consent. You can remove this consent at any time by removing the image.
- As of 19 December 2022, we rely on a legitimate interest to use images, video, and audio of you for marketing purposes. You can find a copy of our legitimate interest assessment (LIA) here. Prior to this date we relied on your consent to use other images of you.
- As of 1 February 2023, we rely on a legitimate interest to process your data (and any associated beneficiaries like children and partners) to administer our private healthcare plan.
- As of 21 May 2024, we rely on a legitimate interest to share your personal data with our office space provider to ensure that you are able to access Akrivia facilities. You can find a copy of our legitimate interest assessment (LIA) here.
Clients & Partners
We process a limited amount of personal data relating to the employees of our clients and partners that is separate from the data that we process as a data processor.
What data do you collect & use?
We use data about you to fulfil our obligations to you, including business communications with you, and the provision of services to users. This includes:
- Data that identifies you, basic details such as name, gender, date of birth.
- Contact data like address, telephone number, and email address.
- Login credentials to our industry platform.
- Security log data from our industry platform.
Do you share my data?
We do not share your name or contact data unless you have provided consent. We never share your login credentials or security log data.
How do you use the data you collect?
We use your data to fulfil our contractual obligations, to ensure that you are able to use the services that Akrivia Health provides, that the industry platform is secure, and also to provide you with the opportunity to access the additional services that may be outside of the scope of our initial contract.
How long do you keep my data for?
We keep your personal data for the duration of the contract to provide services, and 6 years after the end of the contract.
How do you comply with the law?
Data protection law requires organisations to have a legal basis for processing personal data. We rely on a legitimate interest to collect and use data like names and contact details so that we can liaise with you, provide you with services, and fulfil our contractual obligations. We rely on a legitimate interest for collecting security log data so that we can monitor and safeguard against security threats.
Volunteers & Public Patient Involvement (PPI)
What data do you collect & use?
We use data about you to fulfil our obligations to you, including communications with you, arranging meetings, and fulfilling your role with us. This includes:
- Data that identifies you, basic details such as name, gender, date of birth.
- Contact data like address, telephone number, and email address.
- Relevant medical data like allergies and access requirements.
- Bank details if applicable.
Do you share my data?
We do not share your data unless you have provided consent.
How do you use the data you collect?
We use your data to facilitate the PPI meetings and Akrivia’s PPI work. We use your medical data for health and safety and access reasons. We use your bank details to reimburse you for your expenses.
How long do you keep my data for?
We keep your data for the duration of your agreement with us, and 3 years after the end of the agreement. We may need to keep some of your data for up to 6 years for legal reasons.
How do you comply with the law?
Data protection law requires organisations to have a legal basis for processing personal data.
- We rely on your consent to collect and use data like names and contact details so that we can liaise with you
- We use some personal data to meet our contractual obligations to you, such as reimbursing your expenses
- We have a legal obligation to process some financial and medical data, such as for tax, record-keeping and health and safety purposes.
- We can share your data with healthcare professionals in emergency situations where your life is at risk. This is known as a ‘vital interest’.
Marketing & Communication
What data do you collect & use?
We use data about you to keep you informed about Akrivia’s products and services. We collect data directly from you and from other sources.
This includes:
- Data that identifies you, basic details such as name and job title.
- Professional contact data, such as your work telephone number and email address.
- The institutions or companies that you may be associated with or work for.
- Photographs for marketing and publicity purposes.
Do you share my data?
We do not share your data with third parties. We do use data processors to publish data, including social media.
How do you use the data you collect?
We use your personal data to determine whether you would be interested to learn about Akrivia, to communicate with you, and to provide you with the opportunity to benefit from our services and the solutions we offer.
We use photographs for marketing and publicity purposes.
How long do you keep my data for?
Akrivia keeps contact information for up to 18 months after our last contact with you.
We retain photographs for 5 years after the date the photograph was taken.
How do you comply with the law?
Akrivia relies on our legitimate interests to use personal data, including photography, for marketing purposes. You can object to this at any time by emailing DPO@akriviahealth.com. If you object, we will keep a skeleton record using the minimum amount of data necessary to ensure that we do not contact you again in future.
Where did the data come from?
We collect data from you directly in the course of introductions, for example when you contact us by phone, email or via our website, or when we meet you in person. We also collect data from publicly available sources like LinkedIn if we think you will be interested in our services and work.
Legal & Regulatory Obligations
We may receive requests for data from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence. When we receive these requests we will inform you as soon as possible. There are circumstances in which we cannot inform you that data is used or shared, because it may prejudice the work of law enforcement agencies and other organisations.
We may be required to use and keep personal data for legal reasons, such as the prevention, detection, or investigation of crime or fraud. We may also use personal data to meet our internal and external audit requirements, and for data security purposes.
Sharing your personal data overseas
Akrivia Health is based in the United Kingdom, but under specific circumstances your personal data may be shared with an organisation in another country or territory. We will only do this if one or more of the following applies:
- The receiving organisation is in a country or territory that is considered by the UK Government to adequately protect personal data
- The receiving organisation participates in a framework or arrangement that is considered by the UK Government to adequately protect personal data
- The receiving organisation is bound by standard contractual clauses to adequately protect personal data, and Akrivia has assessed the risk involved in transferring the data to the recipient’s country or territory
- The transfer is necessary to perform or enter into a contract with you, or to perform a contract with a third party where the contract is in your interest
- We have informed you about the transfer and you have provided your consent
- In an emergency, we may transfer your data overseas if the transfer is necessary to protect your vital interests, or the vital interests of another person, and you are unable to provide your consent
- The transfer is necessary for an important reason of public interest that is recognised in UK law
If you want to know more about how we transfer your personal data overseas, please contact us at DPO@akriviahealth.com
Data we process on behalf of NHS Trusts
Akrivia Health is a data processor for several NHS Trusts. This means that we handle data on behalf of those Trusts including patient, employee, and NHS platform user data.
The NHS Trusts are data controllers, which means that they have the legal obligation to inform you about how your data is used. We believe in the importance of privacy and want to make it as easy as possible for you to understand how your data is used, so we have provided links below to the privacy notices of the Trusts we work with:
- Avon and Wiltshire Mental Health Partnership NHS Trust
- Birmingham and Solihull Mental Health NHS Foundation Trust
- Cardiff and Vale University Health Board
- Cornwall Partnership NHS Foundation Trust
- Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust
- Devon Partnership NHS Trust
- Kent and Medway NHS and Social Care Partnership Trust
- Leeds and York Partnership NHS Foundation Trust
- Mersey Care NHS Foundation Trust
- Nottinghamshire Healthcare NHS Foundation Trust
- Oxford Health NHS Foundation Trust
- Rotherham, Doncaster and South Humber NHS Foundation Trust
- South West London and St George’s NHS Foundation Trust
- Southern Health NHS Foundation Trust
- West London NHS Trust
Cookies on this website
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits.
Necessary cookies
Necessary cookies are always enabled as they are essential for the website to function properly. This category only includes cookies that ensure basic functionalities and security features of the website.
Provider | Name | Purpose | Expires |
Cloudflare | __cf_bm | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. | 1 hour |
GDPR Cookie Consent | CookieLawInfoConsent cookielawinfo-checkbox-necessary cookielawinfo-checkbox-functional cookielawinfo-checkbox-analytics cookielawinfo-checkbox-advertisement | Set by the GDPR Cookie Consent plugin, these cookies record the user consent for the cookies. | 1 year |
Google reCAPTCHA | _GRECAPTCHA | Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks. | 6 months |
Google reCAPTCHA | rc::a rc::f | This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks. | Immediately |
Google reCAPTCHA | rc::b rc::c | This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks. | End of session |
Non-necessary cookies
We also use cookies that provide additional functionality but are not essential for the website to run properly. We will only use these cookies if you provide us with your consent.
Provider | Name | Purpose | Expires |
Amazon Web Services | AWSALBTG AWSALBTGCORS | This cookie is set to provide load balancing functionality and improve the website’s page loading speed. | 7 days |
| _ga_* | Google Analytics sets this cookie to store and count page views. | 1 year 1 month 4 days |
| _ga | Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. | 1 year 1 month 4 days |
| _gid | Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website’s performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. | 1 day |
| _gat_gtag_UA_* | Google Analytics sets this cookie to store a unique user ID. | 1 minute |
| _gcl_au | Google Tag Manager sets this cookie to experiment with the advertisement efficiency of websites using their services. | 3 months |
| test_cookie | This cookie is set to determine if the user’s browser supports cookies. | 15 minutes |
Microsoft | SRM_B | Used by Microsoft Advertising as a unique ID for visitors. | 1 year 24 days |
Microsoft | CLID | Microsoft Clarity sets this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited. | 1 year |
Microsoft | _clck | Microsoft Clarity sets this cookie to retain the browser’s Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID. | 1 year |
Microsoft | _clsk | Microsoft Clarity sets this cookie to store and consolidate a user’s pageviews into a single session recording. | 1 day |
Microsoft | SM | Microsoft Clarity sets this cookie for synchronizing the MUID across Microsoft domains. | End of session |
Microsoft | MUID | Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations. | 1 year 24 days |
Microsoft | ANONCHK | The ANONCHK cookie, set by Bing, is used to store a user’s session ID and verify ads’ clicks on the Bing search engine. The cookie helps in reporting and personalization as well. | 10 minutes |
Microsoft | MR | This cookie, set by Bing, is used to collect user information for analytics purposes. | 7 days |
| li_gc | LinkedIn sets this cookie to store the visitor’s consent regarding using cookies for non-essential purposes. | 6 months |
| lidc | LinkedIn sets the lidc cookie to facilitate data center selection. | 1 day |
| bcookie | LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs. | 1 year |
YouTube | YSC | YouTube sets this cookie to track the views of embedded videos on YouTube pages. | End of session |
YouTube | VISITOR_INFO1_LIVE | YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface. | 6 months |
YouTube | VISITOR_PRIVACY_METADATA | YouTube sets this cookie to store the user’s cookie consent state for the current domain. | 6 months |
YouTube | yt.innertube* | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. | Immediately |
YouTube | ytidb::LAST_RESULT_ENTRY_KEY | The cookie is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future. | Immediately |
YouTube | yt-remote* | These cookies are set by YouTube to store user preferences. | End of session |
Changing your cookie preferences
You can check and change your cookie preferences by clicking on “Manage Cookies” at the bottom of any page of this website.
Most internet browsers allow you to set additional preferences about the types of cookies the browser will accept. Please consult your browser’s help documentation for further information.
Your Rights
Under data protection law, individuals (data subjects) have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request if we are relying on any such exemptions. All requests should be directed to DPO@akriviahealth.com
Access to personal data
You have a right to request a copy of the personal data that we hold about you. You should include adequate data to identify yourself and such other relevant data that will reasonably assist us in fulfilling your request. Your request will be dealt with as soon as possible.
Right to rectification (correction)
You can request us to rectify and correct any personal data that we are processing about you which is incorrect. We provide you with account settings and tools to access the data associated with your account.
Right to withdraw consent
Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. To opt out of marketing, you can use the unsubscribe link found in the email marketing communication you receive from us. For other marketing preferences you can contact us, providing details of services or marketing that you wish to opt out of.
Right of erasure (right to be forgotten)
You can request us to erase your personal data under certain circumstances, for example if you believe that we no longer need to retain your data. This is not an absolute right, and we need to carefully consider each case on its own merits as there may be good reasons why we are not able to erase your data. If we are not able to honour your request we will explain why.
Right to data portability
This right allows you to obtain your personal data in an electronic format, where you have provided data to us with your consent, or where the data was necessary for us to provide you with our services or employment. You can request that the data be given in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.
Right to restrict processing
You have the right in certain circumstances to request that we suspend our processing of any or all your personal data. Where we suspend our processing of your personal data we will still be permitted to store your personal data, but any other processing of this data will require your consent, subject to certain exemptions.
Right to object to processing
You have the right to object to our use of your personal data where we rely on a legitimate interest. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so, or we need to process your personal data in connection with any legal claims. The grounds for continuing to do so will be communicated to you.
Getting in Touch
Should you have any queries about how your data is used, including a complaint for our data protection officer, then please email DPO@akriviahealth.com, or write to us at:
FAO Information Governance
Akrivia Health
c/o Clarendon House, Cornmarket Street,
Oxford, United Kingdom,
OX1 3HJ
You can also contact the ICO for further information or to make a complaint:
Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF
Phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Contact the ICO for advice or to make a complaint on the ICO website.