Patient and citizen data privacy policy

Updated: 02 Jan 2023
Version: 2

Privacy policy

Aire Logic Limited (‘we’, ‘us’) is a privately owned company and not part of any other group of companies.

Our privacy policy pertains only to Aire Logic Limited and explains what we do with personal information we process or collect about you when you use one of our products.

We operate a range of products under a range of titles. These include but are not limited to forms4health, AireSuite and AireFrame.

Please email IG@airelogic.com for more information on the solution used to manage your data or the full functionality of our products. There are laws allowing us to collect and keep personal information to:

  • meet our contractual obligations
  • provide products to you
  • protect our systems
  • detect and prevent fraud

The law also gives you certain rights relating to information we collect and use. See the sections on 'your rights' and 'how to exercise your rights' for more information.

We provide products to customers, predominantly in the health and social care sectors. We have customers across primary, secondary and tertiary care services. Our customers will have their own privacy policies in relation to their use of your data, which should be read alongside this policy.

For the purpose of the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (the Act), our customers are the 'data controller' as they determine the purposes of 'why' and 'how' your personal data should be processed. We are the 'data processor' as your personal data will pass through or be stored in our systems.

As the data processor we adhere to the following principles:

  • Unless the law requires it, the controller’s documented instructions are the only instructions the processor must act on.
  • The processor must ensure that the people processing the data are subject to a duty of confidentiality.
  • Appropriate measures need to be taken to ensure the security of the processing.
  • Under a written contract, the processor must only engage a sub-processor with the controller’s prior approval.
  • Appropriate measures must be taken to help the controller respond to requests from individuals to exercise their rights.
  • The data controller needs the help of the processor in meeting its obligations concerning security of processing, declaration of personal data breaches and data protection impact assessments.
  • At the end of the contract, the processor must return all personal data to the controller. If the law requires it, the processor must also destroy existing personal data unless stated explicitly that data needs to be held in storage.
  • The processor is required to submit to audits and inspections. The processor needs to give the controller all the information needed to ensure they meet their GDPR Article 28 obligations.

If you have any questions about how Aire Logic uses your information please email IG@airelogic.com.

Why we use your personal information

We process your personal information for the purposes set out in this privacy notice. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing).

We normally process standard personal information if this is necessary to provide the services set out in a contract, it is in our or a third party’s legitimate interests or it is required or allowed by any law that applies.

Please see below for more information about this and the reasons why we may need to process special category information. By law, we must have a lawful reason for processing your personal information.

We process standard personal information about you if this is:

  • necessary to provide the services set out in a contract
  • in our or a third party’s legitimate interests, or
  • required or allowed by law.

We process special category information about you because:

  • it is necessary to provide a medical diagnosis, to provide health or social care or treatment, or to manage health-care or social-care systems
  • it is necessary for reasons of public interest in the area of public health, or
  • we have your permission.

How we handle your data

When you use a service that one of our products is integrated with, we process your data in line with our customer’s requirements. The processing is done in a secure manner and in line with our strong governance policies. Our Clinical and Information Governance Accreditations can be seen below:

DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems

As an example of how we handle your data, in relation to our products, data is typically processed as follows:

  • All connections in the various transport hops are secured using TLS.
  • The AireSuite/forms4health web application is secured using a server certificate issued by Let’s Encrypt (Sha256RSA).
  • Where NHSMail connections are used for data transfer this is secured using username/password to access the mailbox and TLS to secure the network communication.
  • In instances where Aire Logic only processes data and does not store this, no form data is stored. In instances where a PDF is generated in memory and forwarded to NHSMail we use the Microsoft Exchange API method EmailMessage.Send(), which does not save a copy of the email in the forms4health NHS Mail outbox, rather than EmailMessage.SendAndSaveCopy(), which does save a copy.
  • In instances where Aire Logic stores and manages data on behalf of the data controller all data stored at rest is encrypted using AES-256. All data sent to the client (data controller) is secured by HTTPS using SHA-256.

Protection of information

Aire Logic is committed to ensuring the security of your personal information. We use commercially reasonable technological, physical, and administrative security safeguards, such as firewalls and carefully developed security features, to protect the confidentiality and security of your personal information within our products, services and sites.

When you enter confidential information (such as login credentials or information submitted from within the Service) we encrypt the transmission of that information using secure socket layer technology (SSL).

These technologies, procedures, and other measures are used in an effort to ensure that your data is safe, secure, and only available to you and to those you have authorised to access your data.

However, no internet, email, or other electronic transmission is ever fully secure or error-free, so you should take care in deciding what information you send to us in this way.

Aire Logic is not responsible for the functionality or security measures of any third party.

Other websites

Our products may be contained within other systems, apps or websites. This privacy policy applies only to our products, so when you link to other systems, apps or websites you should read their own privacy policies.

Aire Logic does not endorse and is not responsible for the practices of third parties or their websites or applications. We do not determine and are not responsible for the privacy practices or the content of websites or applications operated by third parties.

Your browsing and interaction on any third-party website or service, including those that have a link on our website, are subject to that third party’s own rules and policies.

We are not responsible for and we do not control any third parties that you authorise to access your user content. If you are using a third-party website or service and you allow such a third party access to your user content, you do so at your own risk.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.

Aire Logic products which collect patient/citizen data do not use cookies.

Who we share your information with

Your data will be shared with the Data Controller. The Data Controller is the organisation deploying Aire Logic’s products to provide you with a service. This may be your local health or social care provider or a provider of other services (e.g. education).

If Aire Logic (or substantially all of its assets) is sold to another organisation, information we hold about our users and customers will become one of the transferred assets. We may share your information if we are under a duty to disclose or share your personal data to:

  • comply with a legal obligation
  • apply or enforce our terms and conditions of supply and other agreements
  • protect the rights, property or safety of Aire Logic, our customers or others — this includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction

We will never sell your information to other organisations.

Where we store your information

We use a number of cloud-based products to help us process the information we collect. By submitting your personal information, you agree for it to be transferred to, stored in or processed by these products. All of our data processing takes place within Amazon Web Services (AWS) in the eu-west-2 region (London) in multiple availability zones.

We review what information is being processed and ensure your information is treated securely and in accordance with our privacy policy.

How long we keep your information

We have a Data and Record Management Policy in place which outlines how we manage adult and child personal information and medical information.

We comply with our legal obligations in relation to the retention and deletion of personal information and medical information.

We store personal information and medical information only for as long as is necessary, for the purpose the data was collected or to comply with applicable legal, tax or regulatory requirements.

Please email IG@airelogic.com for a copy of our Data and Record Management Policy.

Your rights

You have the right to:

  • request a copy of the information that we hold about you
  • correct inaccurate or incomplete data that we have about you
  • ask for information about you to be deleted, in certain circumstances
  • restrict how we use your information, where certain conditions apply
  • ask us to transfer information about you to another organisation
  • object to having your information used in certain ways
  • object to automatic processing, including profiling
  • not be subject to solely automated decisions that affect your legal status or rights

Access to your information and your right to correct your information

You have the right to request a copy of the information that we hold about you. Typically this request should be submitted through your service provider (e.g. your GP Practice).

Alternatively you can request a copy of your information directly from Aire Logic. This can be done by completing our patient/citizen information request form.

Email IG@airelogic.com

Write to:

Clinical and Information Governance Team
Aire Logic Limited
Aireside House
24-26 Aire Street
Leeds
LS1 4HT

We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. You also have the right to ask us to delete all of the data we hold on you.

We will acknowledge receipt of your request within two working days of receipt of the request. We will provide you with the information you requested within one calendar month of receipt of the request.

In instances where the request is assessed as complex we may take an additional two calendar months (three calendar months total) to process the request in line with ICO guidance. If we assess your request as complex and require an extended timescale we will inform you of this within one calendar month.

How to exercise your rights

To exercise any of these rights, please email IG@airelogic.com. We will forward any requests you make to other organisations that may be involved in processing your information.

We will acknowledge receipt of your request within two working days of receipt of the request. We will provide you with the information you requested within one calendar month of receipt of the request.

In instances where the request is assessed as complex we may take an additional two calendar months (three calendar months total) to process the request in line with ICO guidance. If we assess your request as complex and require an extended timescale we will inform you of this within one calendar month.

How to complain

If you are unhappy about how your information has been handled by Aire Logic or an organisation involved in how we use your information, you can make a complaint to our Data Protection Officer or the Information Commissioner’s Office:

Aire Logic Limited Data Protection Officer

Andrew Martin
Aire Logic Limited
Aireside House
24-26 Aire Street
Leeds
LS1 4HT

Email: IG@airelogic.com

Information Commissioner's Office
Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Web: ico.org.uk/make-a-complaint

Telephone: 0303 123 1113

Changes to our privacy policy

This policy was last updated on the 14 June 2022.

We will post any future changes on this page and, where appropriate, notify you by email. Please check this page frequently for updates.

Contact us

Please contact us if you have any questions, comments or requests in relation to this privacy policy or information we hold about you by emailing IG@airelogic.com or in writing to:

Clinical and Information Governance Team
Aire Logic Limited
Aireside House
24-26 Aire Street
Leeds
LS1 4HT