1. Who we are
When we use the term “personal data” we mean any information permitting a person to be identified, directly or indirectly. For example, this may be by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, biometric, mental, economic, cultural or social identity of that person. The term “process” means anything that we do with personal data, including when we collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, share, combine, restrict, erase or destroy it.
VHP is accountable for demonstrating compliance with the six basic principles of processing personal data. These provide that personal data we deal with must be:
- processed fairly, lawfully and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- not kept for longer than necessary; and
- processed securely, maintaining integrity and confidentiality.
Our appointed Data Protection Officer, or “DPO”, is VST Enterprises Ltd, Crowe UK LLP, The Lexicon, 10-12 Mount Street, Manchester M2 5NT.
2. Information we may collect
We may collect and process the following data from you:
- You may give us information about you by filling in forms when you register to download or use the V-Health Passport and/or the APP and/or use the Services or by corresponding with us (for example, by e-mail). The information you give us may include your name, address, e-mail address and phone number; date of birth; username, password and other registration information; nationality; demographic information; personal description; photograph; if you are a medical professional your registration details and other details evidencing your eligibility to practise. Please let us know if there are any changes to your personal details while you are registered with us.
- You may upload copies of passports, driving licences and other means of identification.
- Each time you visit the V-Health Passport or use the APP we may automatically collect the following information about you and your device:
- technical device information, including the type of mobile device you use (“Device”); a unique device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device); mobile network information; your mobile operating system; the type of mobile browser you use; time zone setting;
- content information stored on your Device, such as contact information; login information; photos, videos or other digital content; checkins;
- log information such as details of your use of any of the APP or your visits to the V-Health Passport including, but not limited to, traffic data, location data, weblogs and other communication data; resources that you access, including the nature of the content that is viewed, related transfer rates and length of viewing.
- Unique application numbers: When you install or uninstall a Service containing a unique application number or when such a Service searches for automatic updates, that number and information about your installation, for example, the type of operating system, may be sent to us.
We may also collect and process the following data about you, which we obtain from other sources:
- Where anyone under 16/18 has a V-Health Passport OR is included on the V-Health Passport of a parent or guardian, we collect personal data from their parent or guardian.
- We assign each user an identification number, which is used to identify users for the purposes of data minimisation but which can be linked back to an individual’s identity.
- We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
3. Uses made of your information
We will only use personal data when the law allows us to do so and relying on a relevant basis for lawful processing in each instance. We will use your personal data in the following circumstances, relying on the basis of processing indicated:
Basis of processing: Where we need to perform a contract we are about to enter into or have entered into with you.
- To provide you with information or services that you request from us (contact details, medical information, any photograph you upload and identification documents needed for medical professionals to verify your identity).
- To provide you with specific approvals arising from the Services, such as contact tracing, “Fit To Fly” certification or other evidence of your test status (contact details, your V-Health Passport identification number, medical information, location data).
- To carry out our obligations arising from any contract entered into between you and us, which will include: (i) sharing your data with medical professionals and covid-19 test centres and contacting you with status updates if you are an individual user; and (ii) verifying your professional status if you are a medical professional user (contact details, payment information, your V-Health Passport identification number and any information relating to personalisation status; details relating to eligibility for medical professionals to practise).
Basis of processing: Where it is necessary for our legitimate interests (or those of a third party, such as our other users who opt in to contact tracing services) and we have undertaken an assessment to determine that processing for those interests does not outweigh your interests and fundamental rights (considering the nature and impact of the processing and any relevant safeguards we can put in place).
- To ensure that content from our website or APP is presented in the most effective manner for you and for your device (online identifiers, location data and other technical information).
- To provide you with contact tracing services or other information or services that we feel may interest you (where you have consented to be contacted for such purposes to the extent consent is required by law) (contact details, location data, medical information, your V-Health Passport identification number and any information relating to personalisation preferences).
- To co-operate with regulators, like Public Health England, and other official bodies in order to deal appropriately with any risk to public health (contact details, location data, medical information).
- To allow you to participate in interactive features of our Services, when you choose to do so (online identifiers, location data and other technical information).
- To notify you about changes to our Services (contact details).
- To maintain a basic amount of information about you and your transaction history, in order to provide you with a service tailored to your preferences (contact details, payment history and any information relating to personalisation status).
Basis of processing: Where we need to comply with a legal or regulatory obligation.
- To retain basic transaction details for the purpose of tax reporting (contact details and transaction history).
- We may share information with individuals or organisations if we are legally required to do so, for example if this is specified in a warrant or court order or we are required to cooperate in any medical regulatory investigation.
Basis of processing: Where you have consented to the processing.
- To use non-essential cookies on the V-Health Passport or APP (see “Cookies” section below for further information) (online identifiers, your V-Health Passport identification number, location data and other technical information). You have the right to withdraw consent to such use at any time by contacting us but please note that some or all parts of our Services may no longer be accessible to you.
- To send you direct marketing communications via email, text message, post or telephone call (contact details). You have the right to withdraw consent to any such use at any time by contacting us.
Other issues about how we use personal data:
- Please note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact our DPO if you need details about the specific legal basis we are relying on to process your personal data – contact details are below.
- We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please contact us if you would like further details of any additional purposes of processing. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.
- Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Services). If this happens, we may have to cancel, or be unable to provide, any Services you have requested.
- Please note that we may process your personal data without your knowledge or consent where required or permitted by law.
- If you provide us with any personal data relating to relatives, partners or other individuals it is your duty to make such persons aware that their personal data may be shared with us and to provide them with appropriate information about how their personal data may be processed by us.
In this policy, where we have referred to needing your consent for any processing, we will make sure that the consent:
- is specific consent for one or more specified purposes; and
- is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of your agreement to the relevant processing of personal data.
In the case of users under the age of [16/18], to the extent we need consent we will gain that consent from their parent or guardian.
5. How we use sensitive personal data
Processing of sensitive personal data requires higher levels of protection. This sensitive personal data is any information about someone’s:
- health or medical conditions
- sex life
- sexual orientation
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
It also includes genetic data and biometric data, such as fingerprints, if that information is used to identify an individual.
We may process sensitive personal data about an individual in the following circumstances:
- We will process information about a user’s ethnicity when sharing this data with a medical professional for the purposes of identification in connection with covid-19 tests or vaccinations. This is on the basis of GDPR Article 9(2)(h) – healthcare and social care purposes – and Paragraph 2, Schedule 1, Data Protection Act 2018.
- We will process information about a user’s physical health when recording information relating to covid-19 test results or any vaccination status, as part of your records on the app and in any “Fit To Fly” or other certification we agree to issue. This is on the basis of GDPR Article 9(2)(h) – healthcare and social care purposes – and Paragraph 2, Schedule 1, Data Protection Act 2018.
- We will process information about a user’s (i) ethnicity; and (ii) physical health when sharing information relating to covid-19 test results when cooperating with regulatory bodies. This may be on the basis of GDPR Article 9(2)(h), as above, or GDPR Article 9(2)(i) – public health – and Paragraph 3, Schedule 1, Data Protection Act 2018 where the processing is overseen by a medical professional.
6. Disclosure of your information
We may disclose your personal data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.
We may share your information with selected third parties including:
- business partners, suppliers and sub-contractors who provide Services on our behalf;
- if you are an individual user, we will permit access to your details by: (i) any medical professional you authorise as custodian of your account from time to time (until you end that authorisation or appoint a new medical professional as custodian); (ii) representatives of test centres with whom we work and who provide or record your covid-19 test results; and (iii) Public Health England and other governmental or regulatory bodies who may require such information for assessing the level of public health risk and/or monitoring progress in combatting covid-19;
- if you are a medical professional user, we will permit access to your basic details by: (i) test centre representatives; and (ii) Public Health England or other governmental or regulatory bodies, to the extent they need to verify a user’s medical records or identification checks;
- if you are a user representing a test centre, we will permit access to your basic details by: (i) medical professionals; and (ii) Public Health England or other governmental or regulatory bodies, to the extent they need to verify a user’s covid-19 test history; and
We may also disclose your personal data to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if VHP or substantially all of its assets are acquired by a third party, in which case personal data held by it about its users will be one of the transferred assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request; or
- in order to: (i) enforce or apply the App Terms and Conditions and other agreements or to investigate potential breaches; or (ii) protect the rights, property or safety of VHP, our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
7. Protection of minors
If you are under the ages of 16 and 18 (or classed as a minor) your registration must be with the permission of your parent or guardian. If you do not have such permission please do not register. In the event that we find out that you are between the age of 16 to 18 and you do not have such permission your account will be deleted. The above relates to direct registration with VHP or through any third party website.
NOTE TO PARENTS AND GUARDIANS. If you become aware that your child has provided us with personal data without your consent, please contact us at firstname.lastname@example.org. VHP does not knowingly collect personal data from children under 16 without parental or guardian consent. If we become aware that a child under 16 has provided us with personal data without consent, we will take all reasonable steps to remove such information and terminate the child’s account.
8. Cookies and log information
VHP servers automatically record information that your browser sends whenever you access the V-Health Passport, the APP or the Services. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of the V-Health Passport or the APP. They include, for example, cookies that enable you to log into secure areas.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the V-Health Passport or the APP. This helps us to improve the way our Services work, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to the V-Health Passport or the APP. This enables us to personalise our content for you and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to the V-Health Passport or the APP, the pages you have visited and the links you have followed. We will use this information to make our Services and any advertising displayed more relevant to your interests. We may also share this information with third parties for this purpose.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you block cookies you may not be able to access all or parts of the V-Health Passport or the APP.
9. Marketing communications
VHP may use your username and email address to provide you with email newsletters, announcements, VHP news about products and/or services. If you did “opt in” at registration and no longer wish to receive these kinds of marketing communications, you may “opt out” by unchecking the email newsletters and announcements within your user profile.
10. Linking to third party websites
The V-Health Passport and/or the APP may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates (including, but not limited to, websites on which the APP or the Services are advertised). If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you submit any personal data to these websites or use these services.
11. Where and how we store your personal data
International data transfers
By law, the transfer of any personal data to countries outside the EEA is only permitted where the receiving country has an adequate level of protection or where the data subject consents to such transfer.
All information you provide to us is stored on our secure servers.
Any payment transactions carried out by our chosen third-party provider of payment processing services will be encrypted using Secured Sockets Layer technology. Where we have given you (or where you have chosen) a password that enables you to access certain parts of the APP or certain Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to or via the any websites, the V-Health Passport and/or the APP; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We have put in place internal procedures to deal with any suspected data security breach and will notify you (and any applicable regulator) of a suspected breach where we are legally required to do so.
12. Data retention
We will not keep personal data in a form that permits identification of individuals for longer than is necessary for the purpose or purposes for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process information and whether we can achieve those purposes through other means and the applicable legal requirements.
We will only keep personal data for as long as is necessary for the purpose or purposes for which that personal data is processed; and we will let anyone about whom we process data know how long that is or the criteria that go into deciding how long that is.
We may sometimes anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
13. Your rights under applicable data protection laws
- The right to be informed about the processing of your personal data
- The right to have your personal data corrected or completed if it is inaccurate or incomplete
- The right to object to the processing of your personal data
- The right to restrict the processing of your personal data
- The right to have your personal data erased
- The right to request access to your personal data and information about how it is processed
- The right to move, copy and/or transfer your personal data
- The right to object to automated decision-making including profiling
Some of these rights may not be available to you depending on the circumstances, for example where we have a legal right to continue processing your data.
We will seek to deal with any request or complaint with regard to our dealings with your personal data within one month of formal notification from you. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests, in which case we will notify you and keep you updated.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive – alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights); this is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
You have the right at any time to complain to the Information Commissioner’s Office at ico.org.uk but we would prefer you contact us in the first instance to see if we can resolve your problem.