1. WHO ARE WE AND WHAT IS MEDALL?
1.1. We are Medicinall Limited, a company registered in Northern Ireland, with registered address at 99 Ballyclogh Road, Bushmills, BT57 8XA, and company no. NI648511 (“we”, “us”, “our”).
1.2. We are a technology company which provides a platform called “Medall”. Medall is a web application to enable healthcare professionals and students to connect in a professional network, to store, organise and display their professional achievements and to facilitate collaboration between, and professional matching of, users of the application based on their development needs and existing skills. Medall also enables healthcare organisations (“Organisational Users”) to promote their organisational aims, to communicate with members, to offer training, content, poster halls, certificates and events to members and to participate in discussions and development involving matters of healthcare.
2. WHAT IS THIS POLICY?
2.1. This policy sets out how we may use Personal Data which you upload onto or publish via Medall.
- WHY ARE WE PROCESSING PERSONAL DATA ABOUT YOU?
3.1. In order to use Medall, you will be required to set up a User Account and where applicable, an Organisational Account. To set up the account, you will need to give us Personal Data relating to you (or in the case of an Organisational Account, your Organisational Users) (such as details about who you are and where you work). This information is required in order to enable us to make Medall work.
3.2. We will process the data you upload or publish as a ‘Controller’. This means that we have certain responsibilities to you under EU and UK data protection law, including to make sure that we respect your right as a Data Subject, in respect of that data. If you’d like to know more about those rights, please have a look at paragraph 13 below.
3.3. If you have any questions about how we process Personal Data relating to you, you can contact our Data Protection Officer by email: dpo@Medall.org or by writing to us at the address in paragraph 1.1 above.
- WHAT DO THE DEFINED TERMS IN THIS POLICY MEAN?
4.1. We’ve used some defined terms in this policy (which we capitalise each time we use). For ease, we’ve set these out below, along with their definition:
“Adding” “Added” “Add”, means you agree to add a User and/or Organisational User to your network, so that they can see any posts you publish via Medall;
“Controller” means the entity (person or company) which (or who) decides what Personal Data to collect, how the data should be collected and what uses to make of it;
“Data Protection Officer” is the individual who has been designated in our company to respond to any queries or requests relating to Personal Data and to make sure our company is doing everything it can to meet its data protection obligations;
“Organisational Account” **means any account on Medall set up by or on behalf of a healthcare organisation;**
**““Organisational Users” **means any user of an Organisational Account on Medall;
“Personal Data” means data which can be used to identify an individual;
“Public Profile” means any information which you have uploaded on your User Account or published via Medall, unless you specifically made it ‘private’;
“User” means anyone using Medall which may include individual Users and Organisational Users;
“User Account” means an account set up by a User on Medall which may include an Organisational Account.
5. WHAT PERSONAL DATA RELATING TO ME IS COLLECTED AND STORED ON MEDALL?
5.1 Personal Data relating to you may be uploaded to Medall and stored on our servers, in the following situations:
(i) Information which you upload when you set up a User Account, an Organisational Account or use Medall. This might include:
● your name, contact information (including an email) and a photograph;
● your financial transaction and payment details (if you want to avail of any premium features);
● your account preferences and settings;
● information about your previous and current jobs and experience;
● information about your qualifications and achievements;
● where you currently work;
● any information in your posts, posters, comments and blogs;
● messages you send using Medall;
● training information in any assessments, feedback or logbook entry you enter on Medall
● feedback on Organisational User events you have attended; and
● requests and feedback for collaboration projects you would like to be or have been involved in.
(ii) Information which other Users upload on to Medall about you. This might include:
● feedback on a collaboration project;
● feedback or ratings on your training assessments, logbook entries or feedback forms that you have sent for approval to other people using Medall
● your responses to feedback forms for Organisational User’s events;
● certificates of your attendance/completion of an Organisational User’s events;
● poster and abstract information that Organisational Users or other users may upload; and
● messages or communications you receive using Medall.
(iii) We may also collect information about:
● how you use and interact with Medall (including your user preferences and interests – some of this information (e.g. your IP address and login data is automatically collected by us when you interact with Medall );
● any in-app purchases you make via Medall;
● details about the device you use to access Medall;
● which Users you have Added to your network; and
● any information you give us when you contact us.
Some of this data may be collected through the cookies we use or other technology. If you would like to know more about our cookies policy, please click here.
- WHO HAS ACCESS TO MY USER ACCOUNT?
6.2 Other Users (which may include Organisational Users) are permitted to see your Public Profile, posters you upload and any posts you publish, your communications with them and any content or information that you send or share with them. They are not given any access to your User Account. Organisational users can access the content and results of any assessment, certificate or anonymised feedback form you complete as part of that organisation, and any certificates awarded by that organisation
6.3 If you choose not to keep your poster private the general public can view your posters and abstracts.
7. HOW DO WE USE THE PERSONAL DATA WE HOLD AND WHAT IS OUR LAWFUL BASIS FOR DOING SO?
7.1 We may use any Personal Data which we collect about you for the following purposes:
(i) OUR SERVICES: to provide you with Medall which enables you to conduct assessments, view content, store achievements, receive certificates, display posters, connect and communicate with other Users (this may include support and maintenance of your account on Medall or facilitating payment if you have opted to use a paid-for function on Medall, as well as administration and dispute resolution). As part of our services, we may suggest Users to each other who have similar interests or experience to you, we may also suggest ways to improve your Public Profile or use of Medall, as well as potential collaboration partners. Any such use would be to the extent necessary for the performance of our contract with you.
(iii) ANALYSIS: Medall allows us to record certain demographics, which we might use to decide which adverts to publish on your newsfeed or (if you’ve consented to it) to send to you. This would be done by using key words which you put into your Public Profile or publish on Medall, and would not involve us transferring Personal Data relating to you to third parties. Generally we will rely on the fact that this is necessary to protect our legitimate interests of running our business, however where required by law we will obtain your consent.
(iv) DIRECT MARKETING: if you’ve agreed to receive the same, we may send out promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided. We will always include the right to opt out in any such correspondence. Generally we will rely on the fact that this is necessary to protect our legitimate interests of running our business, however where required by law we will obtain your consent.
(v) FOR ADMINISTRATION AND DISPUTE RESOLUTION PURPOSES. This may include processing Personal Data to meet our internal administration requirements and for matters such as dispute resolution. This is necessary to protect our legitimate interests of running our business.
(vii) MARKET RESEARCH: We may also use aggregate (non-personal) data for market research purposes.
8. WILL WE DISCLOSE ANY PERSONAL DATA WHICH WE HOLD ABOUT YOU TO ANYONE ELSE?
8.1 The purpose of Medall is to enable Users to learn, train and connect with other Users and to share information with and Add other Users to their network. Have a look at paragraph 9 below which sets out what aspects of your information is accessible to other Users.
8.2 We may notify other Users if your Public Profile includes details which meet their collaboration or membership criteria, in which case we may send them your Public Profile and email address. You may opt out of this function at any point. If you’re not sure how – send us an email to dpo@Medall.org and we’ll let you know.
8.3 We may disclose Personal Data relating to you to third parties, for the following purposes:
- WHO ARE THE OTHER USERS ON MEDALL AND WHAT CAN THEY SEE?
9.1. Medall is only intended for use by healthcare organisations, professionals and healthcare students. All Users must set up a User Account (and where applicable an Organisational Account) on the platform and provide certain details (such as their name and where they work) which are displayed in their Public Profile. We also require Users to provide their General Medical Council number as a step to help verify who they are. However, we don’t vet our Users and so can’t guarantee that Users are who they claim to be.
9.2. If you set up a User Account with Medall, all other Users of Medall, may be able to see your Public Profile and (unless you opt out) may receive notifications from us about you if you meet their collaboration criteria. You may also receive an invite from an Organisational User to join that organisation from your User Account, as a member or administrator, or to upload a shareable poster to an event if you are participating as a poster presenter/author or other participant at their events or you may request that an Organisational User Add you to their account (for example if their events are of interest to you).
9.3. Other users and in some circumstances, for example in virtual poster halls, non-users will have access to any posts or comments you publish via Medall.
10. WHAT SECURITY PROCEDURES DO WE HAVE IN PLACE?
We are committed to ensuring that any Personal Data which we hold is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
We make sure that any ‘processors’ (such as Mailgun, Intercom, Mailchimp and Amazon Web Services) we use have a strong reputation for data security and are contractually obliged to implement adequate security measures to safeguard the data held.
There are some steps you can take to help make sure that your data is protected. You should keep any passwords associated with your User Account secure and you should ensure that you understand who can access the data you upload on to your User Account or contribute to another User’s Account before you upload any information which might be shared with others. For more information on this, please have a look at section 9 above.
11. WHERE DO WE STORE THE PERSONAL DATA WE COLLECT?
11.1 Our servers are currently based in the UK, which means that any data uploaded on to Medall will be held on a cloud server in the UK. Unless you request us to, or it is strictly required in order to provide our services to you, we will not transfer any such data outside the UK.
11.2 If you are based outside the UK and would like further information about where we hold your data, please contact us at by email: dpo@Medall.org.
12. FOR HOW LONG DO WE STORE YOUR DATA?
CONTENT IN YOUR USER ACCOUNT
12.1 We may retain any content which you store or upload on to your User Account (“Your Content”) for as long as you keep your User Account open. Your Content is likely to include Personal Data relating to you.
12.2 Save as set out in paragraphs 12.4 and 12.5 below, we will securely delete Your Content within 6 months of you closing your User Account. Note that other Users will continue to have access to communications between you and any content or information which you share with them whilst you were a Medall User. Organisational Users will also retain certain information about you such as any certificates, assessments and feedback forms they issued to you as record of your attendance or completion of their events or training programmes. See section 12.5 below for more information on content you share with other Users.
12.3 If your User Account has been inactive for a period of 36 months, we may send you a notice asking if you would like us to close your User Account. If we receive no response or confirmation from you to close your User Account, we may do so and ensure that the Personal Data we hold about you is deleted within 6 months thereafter.
12.4 Notwithstanding the above, we may retain Personal Data which is relevant to:
● your financial transactions carried out on or in connection with Medall for up to 7 years. Any such information will be archived and only accessed or used if required for our internal tax or accounting purposes.
● any research evidence which may be or could be used in respect of any collaborative or clinical decisions taken;
● any dispute or potential dispute involving your use of Medall for up to 6 years. Any such information will be archived and only accessed or used if required in connection with any claim arising from such dispute or potential dispute.
TRANSFERRED AND OTHER USER CONTENT
12.5 If you send information (which may contain Personal Data relating to you) to other Users via Medall (“Transferred Content”) or if other Users upload information about you (by way of example they may accredit you as a co-author in a collaboration project or issue you with a certificate of your attendance/completion of one of their events), the retention period for such Transferred Content will be based on the recipient’s User Account (which will be subject to the same provisions set out above).
12.6 Nothing in this paragraph 12 is intended to limit, restrict or exclude any rights you have as a Data Subject. A list of those rights can be seen at paragraph 13 below.
13. WHAT RIGHTS DO YOU HAVE IN RESPECT OF ANY PERSONAL DATA WE HOLD WHICH RELATES TO YOU?
13.1 As a Data Subject, you have certain rights in respect of the Personal Data which we hold about you, including:
● Right of access: you have the right to request a copy of the Personal Data which we hold about you; as well as confirmation of:
● The purposes of the processing
● The categories of personal data concerned
● The recipients to whom the personal data has/will be disclosed
● For how long we intend to store your personal data
● If we did not collect the data directly from you, information about the source
● Right of rectification:** you have the right to require us to correct any Personal Data which we hold about you which is inaccurate or incomplete.
● Right to be forgotten: **in certain circumstances you can ask for the Personal Data we hold about you to be erased from our records. For example, you can ask us to erase any Personal Data which we are processing on the basis that you have consented to that processing, provided that we don’t have a separately legitimate right to retain the data. An example of this might be if we are in a dispute with you and need to retain the data to defend our case.
● Right to restriction of processing: you have the right to ask us to restrict the processing we carry out in respect of Personal Data relating to you. You might want to do this, for instance, if you think the data we hold is inaccurate and you would like us to restrict our processing until we have investigated this concern and updated if necessary.
● Right of portability: you have the right to have the Personal Data we hold about you transferred to another organisation, to the extent that you provided us with that Personal Data in a structured, commonly used and machine-readable format. Owing to our process of gathering and processing Personal Data, we don’t anticipate that this will apply to much (if any) of the Personal Data we hold.
● Right to object to direct marketing: you have the right to object to certain types of processing by us, including direct marketing.
● Right to object to automated processing, including profiling.
13.2 If you want to avail of any of these rights, you should contact us immediately at dpo@Medall.org. If you do contact us with a request, we will need evidence that you are who you say you are to ensure compliance with data protection legislation.
14. WHAT HAPPENS IF YOU NO LONGER WANT US TO PROCESS PERSONAL DATA ABOUT YOU?
14.1 You may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever. This may have an impact on the services you receive from us. For example, if you ask us to stop processing Personal Data about you, you will no longer be able to access your User Account since we will not be able to identify you.
14.2 A request to stop receiving direct marketing will not impact on your access to your User Account.
15. WHO DO YOU COMPLAIN TO IF YOU’RE NOT HAPPY WITH HOW WE PROCESS YOUR PERSONAL DATA?
15.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to dpo@Medall.org
15.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns.
Last updated: 12-02-2021.