Data Security & Privacy

OVERVIEW

In this section we outline the data processes that happen as part of Compass and explain what data will be collected and what happens to that data.

Handling your information securely and confidentially is extremely important to us.

As well as the data security processes we outline below, Compass will log you out automatically after 20 minutes of inactivity.

We also recommend:

• logging out whenever you have finished working on Compass
• keeping your Compass username and password in a secure place
• not sharing any unnecessary personal information or contact details with your guide via your journal or online messages (this is explained in more detail below).

Device security

Your security and privacy on Compass depend on the device you use to access the program. You can use Compass on a computer, tablet or smartphone, as long as you are connected to the internet.

To ensure maximum security, we recommend you keep your software up to date, choose strong passwords which are not easy to guess, use security protection software and avoid unsecured public internet connections.

Cookies

The Compass program does not use marketing cookies. This means that your browsing information is not used for advertising or commercial purposes.

The Compass program does use one type of cookie – this is an essential cookie which is used to make sure you get a consistent user experience. It is required for the program to maintain where you are up to in the program. It also means it can show you personalised information when you are signed in.

Who developed Compass?

Compass was developed by a team of researchers at King’s College London University. Click on ‘Meet the Compass team’ on the logged out page to find out more.

Compass works in partnership with several organisations including:

1. The NHS – a healthcare professional may have referred you to Compass.
2. SPIKA – a software development company who programmed Compass. SPIKA host and maintain the program. SPIKA meets NHS Digital standards for privacy, confidentiality and security.
3. Mayden – an electronic patient record system used by your local Improving Access to Psychological Therapy Service. Mayden meets NHS Digital standards for privacy, confidentiality and security.
4. Charities – you may access Compass via a specific long-term health condition charity.

MY PERSONAL DATA

When we collect or use your data, Compass is the “data controller”. This means we decide how and why your data is processed. More information on how we do this is shown below.

What personal data/information will Compass ask me for?

Compass is an online program, accessed via a website. So that you can use Compass, we need you to register with an email address. Compass is a healthcare program, often used in the NHS. This means that we also collect the following personal information:

1. Your name
2. Your date of birth
3. Your NHS number (if available)
4. Your address
5. Your telephone number
6. Your gender
7. Your ethnicity
8. Your long-term physical health condition(s)

So that you and your guide can keep track of your progress we will also ask you to complete self-report questionnaires about your mood at regular points during the program.

Why does Compass need to collect this personal information?

Because Compass provides a program to your healthcare service, often in the NHS, your healthcare team needs accurate and up to date information. Collecting this data means that your healthcare team can provide their healthcare services to you, and also contact you to provide extra support if needed, either by email, the Compass in-site messaging service, over the telephone or by arranging a face-to-face appointment.

Where is my data kept?

The Compass program is hosted by SPIKA. This means that the data collected by Compass is held on a database managed by SPIKA. This database is located in a securely protected and approved provider cloud solution. When you register for Compass you are assigned an anonymous Compass ID which is stored with your data. Additionally, because your data is confidential, the data that Compass collects is held in an encrypted state.

Please note, if you upload photos or documents to your Tasks these will not be saved in an encrypted state, so please do not include any personal or identifying information.

Who can access my personal information?

So that Compass can be used in the NHS we have to follow strict privacy, confidentiality and online security procedures.

Your personal information will only ever be accessed by your healthcare team and a trained Compass supervisor. The Compass supervisor ensures you get the support you need. Compass will never share your information with other parties without your written consent. For example, if access is needed to your Compass account due to a technical error we will ask for your written consent for a member of the technical team to do this.

To provide registration or technical support to you (if required), and to assist your guide and healthcare service, designated members of the Compass team are able to respond to requests for support raised by the healthcare service and can access data in accordance with GDPR regulations. This will only ever be someone who has a contract in place with your healthcare service and/or the necessary clearances, and who has undergone good clinical practice training.

Does Compass collect other information about me?

To help the team at King’s College London improve the program, Compass collects information about:

1. Length of time users spend logged in to Compass
2. Number of sessions completed
3. Type of sessions completed
4. Number of messages sent between you and your guide (please note, the content of these messages will not be seen by King's College London, unless you provide your formal written consent so that researchers at King's College London can explore ways of improving the care and support you and future patients receive)
5. The number and durations of appointments you attend with your guide and the type of support they provide you with (e.g. telephone or in-site message)
6. Your feedback on the program
7. Your self-report questionnaire responses

This information will never include data that can identify you as an individual.

What is this data used for?

The data collected by the Compass platform will be used under the legal basis of public interest and legitimate interest. This is so we can support your healthcare provider in improving the care they give to you by evaluating how people interact with Compass (e.g. number of logins, how often people complete questionnaires and whether mood improves). Please note, members of the Compass team will not see data that identifies you as an individual. The only people to see this information are members of the NHS and/or your healthcare team.

In order to improve Compass and also enable more patients to be able to use the program in the future, King’s College London may decide to develop Compass as a commercial product for use in the management of long-term conditions and low mood/anxiety. Data collected in Compass, in fully anonymised format only, will be used to inform improvements to the program and allow the creation of a commercial product, so that other NHS services and healthcare organisations can use Compass.

“Fully anonymised” means that you cannot be identified by the information in any way. Any information that could identify you will never be shared or seen by anyone outside your healthcare provider without your consent. On rare occasions, we may be required or permitted to share personal information by law (e.g for law enforcement purposes).

Does Compass share my information with anyone else?

If you have been referred to Compass through your local Improving Access to Psychological Therapy service who use a patient management system called IAPTus, the Compass program works in partnership with Mayden. Mayden processes data for your healthcare team. This means that when you complete self-report questionnaires about your LTC and mood, the data is transferred from Compass to your electronic medical record at your local Improving Access to Psychological Therapy service. This makes sure that your healthcare record is kept up to date.

Data is only transferred using the highest levels of data security and encryption which meets NHS Digital requirements. This process happens automatically and does not involve people who work for Mayden accessing your personal information.

If you have a technical problem or question, then King’s College London will receive the following information if you submit a question/concern via the “Contact Us” form:

1. Your name
2. Your email address
3. Information you type in your message

In order to solve a technical problem, support from the SPIKA software team who programmed Compass may be needed. We will never share your personal information with SPIKA or ask them to solve an issue which may require them to see personal data without gaining your informed consent first.

Compass will never share your personal information with anyone without your consent.

Links

Some sessions may contain links to other websites which are owned, operated or maintained by third parties. If you click on a third-party link, you will be directed to that website in a new tab.

We provide these links as helpful sources of further information, not as an endorsement, authorisation or representation of our affiliation with that third party, nor as an endorsement of their privacy or information security policies or practices.

We do not have control over third party websites and we do not have control over their privacy policies and terms of use.

Who can see what I write in Compass?

When you join Compass you will be linked with a guide. Your guide is a qualified healthcare professional who will provide you with support during your time on the program, either by phone, online messaging or both. Your guide is part of your healthcare team so will be able to see your personal details, including name, date of birth, phone number and email address.

In order to ensure that their support is relevant and specific to you, and to ensure your wellbeing, your guide will be able to see your progress on the program, i.e. which sessions you have completed and your mood scores (including risk answers, if applicable). They will also be able to see your goals and tasks. Additionally, they can see the notes you make in the ‘Reflections’ section, as this can help structure their support. However, if you would like to, you can choose for the content in the reflections to be hidden from your guide.

The Compass Team at King’s College London

Principal Investigator for Compass project: Professor Rona Moss-Morris.

Team leads: Miss Emma Jenkinson & Dr Joanna Hudson.

Contact details: compass-ms@kcl.ac.uk.

Data Protection Officer at King’s College London on behalf of Compass is: Olenka Cogias, Director of Information Governance & Data Protection Officer

Contact details: info-compliance@kcl.ac.uk.

The legal bits

Information collected by Compass will in line with General Data Protection Regulation (2018). Our lawful basis for collecting this information includes:

1. Public interest
2. Legitimate interest

Your rights

Your personal data will be processed in accordance with your rights under data protection legislation.

Your rights are:

1. right to be informed
2. right to gain access to your data
3. right of rectification (e.g. change inaccurate information)
4. right to erasure (e.g. to delete records held about you on the Compass platform)
5. right to restriction (e.g. to stop processing information about you)
6. right to portability (e.g. to move or transfer your data)
7. right to object (e.g. to change your mind)
8. right not to be subject to automatic profiling or decision making (e.g. to know if a decision was made by a computer rather than a person)

However, these rights may be restricted in some circumstances. These include compliance with legal obligations. In such circumstances we may need to keep the information about you that we have already collected.

SUMMARY

Your personal information will be managed and shared in line with the General Data Protection Regulations (2018) and common law duty of confidentiality.

1. Compass will ask for personal information. This information will be stored in line with NHS Digital data privacy and security standards.
2. Compass is developed and owned by King’s College London and is a provider for the NHS. Compass will share essential medical information in partnership with Mayden who process data on behalf of the NHS and follow NHS Digital data privacy and security standards.
3. Compass will collect data about outcomes and usage, such as the length of time spent logged in, number of online sessions completed and number of online messages sent. This information will be used by King’s College London to improve Compass and may be used to commercialise Compass so that other healthcare services can use the program in the future. This data will only be used in anonymised format and individuals will never be identifiable from this information.
4. Filling in the Contact Us form, means your email address and typed message will be seen by the King’s College London team.
5. If you experience a technical problem, the Compass team at King’s College London will respond to your concern and gain your consent for the web-developers of Compass to access your personal information if they need this to solve the problem.

If you have any concerns or further questions, please contact the Compass team using the form which you can find under ‘Contact Us.’

You can find more tips for staying safe online at www.cyberaware.gov.uk.

The following video also provides a useful overview of patient data - vimeo.com/264239790