Terms, Privacy & Cookies

Changes to the Privacy Notice

This Privacy Notice was last updated on 10th November 2023.

Introduction  

We at Cristal Health Limited (“Akrivia Health”) take our responsibilities under both the UK GDPR and Data Protection Act 2018 seriously. That might sound trite, a stock phrase for privacy notices, but privacy is at the core of our business.  

This Privacy Notice covers the use of your personal data for the purpose of providing you with use of our website, our industry platform, and keeping you up to date with new and upcoming activities carried out by us.    

Personal data is data that relates to you, and which can be used to identify you, either by itself or by combining it with other data. Akrivia Health uses personal data to communicate with our customers, employ individuals to work for us, market our services, and correspond with researchers. Akrivia processes personal data on behalf of other organisations which is not included in this Privacy Notice. Where we refer to “we”, “our”, or “us”, we are referring to Akrivia Health.  

What data do you collect & use? 

We use data about you to fulfil our obligations to you as an employer, including ensuring that you are paid for your work and are protected in the workplace. We do this because you have entered into a contract of employment with us. 

We collect data from you, as well as creating data once you have been successful in a job application, this includes: 

  • Data that identifies you, basic details such us name, gender, date of birth. 
  • Contact data like address, telephone number, and email address. 
  • Financial data including bank and pension details, and national insurance number. 
  • Computer records, including email and messaging history relating to your work. 
  • Qualifications and employment history. 
  • Data relating to leave, including annual leave, maternity, paternity, adoption, and shared parental leave. 
  • Medical and health data, including sick leave, allergies or occupational health requirements. 
  • Images and photographs. 
  • Data (name & DOB) that identifies your children, dependents, or partner to link them to your health plan coverage. 

We may also collect personal data about you from other people and organisations, such as: 

  • We request confidential references from referees that you have given to us, which contain data about you. 
  • We receive data from HMRC such as tax codes. 
Do you share my data? 

We share your personal data under certain circumstances. When we do share data, we use as little as possible, and on a need to know basis. 

  • If you require emergency medical treatment we will share your personal data with health professionals to ensure you receive appropriate treatment. 
  • We share your data with HMRC to ensure that you are taxed correctly. 
  • Akrivia shares data with companies who process the data on our behalf, including Microsoft who store data, and CharlieHR, our HR platform.  
  • We share basic identifying data of all beneficiaries of our health plan, including employees and associated beneficiaries like their children and partner. 
How do you use the data you collect? 

We use your personal data so to fulfil our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the workplace. This includes: 

  • Using financial data to make sure you are paid and taxed correctly. 
  • Using your data to manage your performance in fulfilling your contract with us. 
  • Understanding how we can support you if you have a disability or impairment. 
  • Ensuring that you are employed in a suitable environment. 
  • Assessing if you may present any risk to other individuals. 
  • Ensuring that you receive adequate training for your role. 
  • Investigating incidents. 
  • Healthcare provision.
How long do you keep my data for? 

We keep your personal data during your employment and we also retain the data when you leave Akrivia for an appropriate time. Employee data is kept for at least 6 years after you stop working for us. If you apply for a job with us and are unfortunately unsuccessful, we will erase your data within 6 months of the close of the recruitment process. 

We keep your data to defend ourselves against any potential legal claims. We may keep anonymised data for longer than 6 years. Anonymised data cannot identify you and helps us better understand the colleagues that we have employed. 

How do you comply with the law? 

Data protection law requires organisations to have a legal basis for processing personal data. 

  • You have a signed a contract of employment with us and we use the data to fulfil that contract. 
  • We are legally obliged to process some personal data, such as for tax, record-keeping and health and safety purposes. 
  • We can share your data with healthcare professionals in emergency situations where your life is at risk. This is known as a ‘vital interest’.  
  • We can use health data to understand and provide support for you in the workplace in line with health & safety law, and to assess your working capacity. 
  • We rely on a legitimate interest to collect and use data like confidential references and employee feedback. 
  • Where you have uploaded a photo as an avatar for applications or profiles, we rely on your consent. You can remove this consent at any time by removing the image. 
  • As of 19 December 2022 we rely on a legitimate interest to use images, video, and audio of you for marketing purposes. You can find a copy of our legitimate interest assessment (LIA) here. 
  • Prior to this date we relied on your consent to use other images of you.  
  • As of 1 February 2023, we rely on a legitimate interest to process your data (and any associated beneficiaries like children and partners) to administer our private healthcare plan. 

We process a limited amount of personal data relating to the employees of our clients and partners that is separate from the data that we process as a data processor.  

What data do you collect & use? 

We use data about you to fulfil our obligations to you, including business communications with you, and the provision of services to users, this includes: 

  • Data that identifies you, basic details such us name, gender, date of birth. 
  • Contact data like address, telephone number, and email address. 
  • Login credentials to our industry platform. 
  • Security log data from our industry platform. 
Do you share my data? 

We do not share your name or contact data unless you have provided consent. We never share your login credentials or security log data.  

How do you use the data you collect? 

We use your data to fulfil our contractual obligations, to ensure that you are able to use the services that Akrivia Health provides, that the industry platform is secure, and also to provide you with the opportunity to access the additional services that may be outside of the scope of our initial contract.  

How long do you keep my data for? 

We keep your personal data for the duration of the contract to provide services, and 6 years after the end of the contract. 

How do you comply with the law? 

Data protection law requires organisations to have a legal basis for processing personal data. We rely on a legitimate interest to collect and use data like names and contact details so that we can liaise with you, provide you with services, and fulfil our contractual obligations. We rely on a legitimate interest for collecting security log data so that we can monitor and safeguard against security threats. 

What data do you collect & use? 

We use data about you to fulfil our obligations to you, including communications with you, arranging meetings, and fulfilling your role with us, this includes: 

  • Data that identifies you, basic details such us name, gender, date of birth. 
  • Contact data like address, telephone number, and email address. 
  • Relevant medical data like allergies and access requirements. 
  • Bank details if applicable. 
Do you share my data? 

We do not share your data unless you have provided consent. 

How do you use the data you collect? 

We use your data to facilitate the PPI meetings and Akrivia’s PPI work. 

How long do keep my data for? 

We keep your data for the duration of your agreement with us, and 3 years after the end of the agreement.  

How do you comply with the law? 

Data protection law requires organisations to have a legal basis for processing personal data. We rely on your consent to collect and use data like names and contact details so that we can liaise with you and fulfil our contractual obligations.  

What data do you collect & use? 

We collect data from you, this includes: 

  • Data that identifies you, basic details such as name and job title. 
  • Contact data, like telephone number and email address. 
  • Institutions or companies that you may be associated with. 
Do you share my data? 

We do not share your data with third parties. 

How do you use the data you collect? 

We use your personal data to provide you with the opportunity to benefit from our services and the solutions we offer.   

How long do you keep my data for? 

Akrivia keeps your personal data for up to 18 months after our last contact with you. You can object to processing at any time by emailing DPO@akriviahealth.com.  

Akrivia relies on our legitimate business interest for processing this data.  

Where did the data come from? 

We collect data from you directly in the course of introductions. We also collect data from publicly available sources like LinkedIn where we think you will be interested in our services and work. 

We may receive requests for data from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence. When we receive these requests we will inform you as soon as possible. There are circumstances in which we cannot inform you that data is used or shared, because it may prejudice the work of law enforcement agencies and other organisations. 

We may be required to use and keep personal data for legal reasons, such as the prevention, detection, or investigation of crime or fraud. We may also use personal data to meet our internal and external audit requirements, and data security purposes. 

Akrivia Health is a data processor for several NHS Trusts. This means that we handle data on behalf of those Trusts including patient, employee, and NHS platform user data and that we do not have a legal obligation to inform you about how your data is used. We believe in the importance of privacy and want to make it as easy as possible for you to understand how your data is used, so we have provided links below to the privacy notices of the Trusts we work with to help you understand how your data is used. 

 

Under data protection law, individuals (data subjects) have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.  All requests should be directed to DPO@akriviahealth.com

Access to personal data 

You have a right to request a copy of the personal data that we hold about you. You should include adequate data to identify yourself and such other relevant data that will reasonably assist us in fulfilling your request. Your request will be dealt with as soon as possible. 

Right to rectification (correction) 

You can request us to rectify and correct any personal data that we are processing about you which is incorrect. We provide you with account settings and tools to access the data associated with your account. 

Right to withdraw consent 

Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. To opt out of marketing, you can use the unsubscribe link found in the email marketing communication you receive from us. For other marketing preferences you can contact us, providing details of services or marketing that you wish to opt out of. 

Right of erasure (right to be forgotten) 

You can request us to erase your personal data under certain circumstances, it is not a guaranteed or absolute right. 

Right to data portability 

This right allows you to obtain your personal data in an electronic format, where you have provided data to us with your consent, or where the data was necessary for us to provide you with our services or employment. You can request that the data be given in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible. 

Right to restrict processing 

You have the right in certain circumstances to request that we suspend our processing of any or all your personal data. Where we suspend our processing of your personal data we will still be permitted to store your personal data, but any other processing of this data will require your consent, subject to certain exemptions.  

Right to object to processing 

You have the right to object to our use of your personal data which is used where we feel that we have legitimate interest. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal data in connection with any legal claims. The grounds for continuing to do so will be communicated to you.

Should you have any queries about the how your data is used, including a complaint for our data protection officer, then please contact email DPO@akriviahealth.com, or write to us at: 

FOA Information Governance 

Akrivia Health 

c/o Clarendon House, Cornmarket Street,  

Oxford, United Kingdom, 

OX1 3HJ 

 

You can also contact the ICO for further information or to make a complaint:  

Information Commissioner’s Office  

Wycliffe House,  

Water Lane,  

Wilmslow, 

Cheshire  

SK9 5AF  

Phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.  

Email ICO

Report a concern on the ICO website