Privacy Policy – Patient Surveys

Effective from: 10 June 2024

Your privacy is very important to us.

This Survey Privacy Policy (the “Policy”) describes how Cemplicity manages personal data collected when You take part in or complete a Survey.

In this Policy, when we say ‘You’ or ‘Your’ we mean You, or the person that you are completing the Survey on behalf of.

GENERAL INFORMATION

About Us
The Cemplicity group of companies operate in EEA, Ireland, The United Kingdom, South Africa, the United Arab Emirates (UAE), Switzerland, Australia and New Zealand. Cemplicity Limited is the owner of Cemplicity Ireland and Cemplicity UK. Cemplicity Australia is a branch of Cemplicity NZ.

In this Policy, when we refer to “Cemplicity”, “we”, “us”, “our” we are referring to all of these companies unless we state otherwise.
“Personal Data” also refers to personal information or personally identifiable information. This takes on the legal definition set out in the legislature of each of the regions that we operate in and will be collecting your information from.
What we do
Cemplicity is a Software-as-a-Service company that works with hospitals, clinics, government departments or agencies and other leaders in the health and social sectors to capture, measure and report on patient and customer feedback. When we use the word Cemplicity Client or Client we mean the organisation who has commissioned us to gather feedback from You.
Processor
Cemplicity UK and Cemplicity Ireland, for the purposes of this Policy, are what are known under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and (the “UK GDPR”) as the “processor” of the personal data You provide to us. Our Clients in these regions are known as the “controller”.
Contact Us
If You have any queries relating to this Policy or our privacy practices, please contact us at hello@cemplicity.com. If you have any queries relating to the use of your data, please contact the Cemplicity Client.

PATIENT, STAFF AND CUSTOMER SURVEYS

Our Surveys
We work closely with hospitals, clinics, government departments or agencies and other leaders in the health and social sectors to capture, measure and report patient, staff and customer feedback. For this document, when we say Patient we also mean customers, staff and any other survey respondent. This information is captured by way of a survey, written or online (each, a “Survey”), through which an eligible participating patient provides feedback in relation to his or her experience as a patient and/or the outcomes of that experience.  These patient experiences and patient-reported outcomes are captured on behalf of the Cemplicity Client using Cemplicity technology and adhering to instructions given by the Cemplicity Client to us.
How we Collect and Process Your Data
When a Cemplicity Client commissions Cemplicity to invite you to participate in a Survey, they provide us a data file that contains your name, contact details and background information on the service you received. This may include health data about you and your treatment. Cemplicity Clients use different legal bases for processing your personal data. If you wish to withdraw your permission you can either contact the Cemplicity Client or click on ‘unsubscribe’ in the invitation message. The Survey invitation may also provide additional ways for you to remove permission for future Surveys. The invitations to take part in these surveys are sent by third-party providers via SMS, email or WhatsApp. These providers are Twilio or Message Media for SMS, Sendgrid for email and Meta for Whatsapp, via Twilio API. These providers have strict data protection obligations and will only retain personal data as long as necessary to send out survey invitations. The processing of this data by these providers may occur in Australia or the USA.
Disclosure and Deletion of Personal Data
How personal data is treated in our system depends on the type of program we have. We run two main types of survey programs. Surveys of your experience with the Cemplicity Client and surveys of the outcomes of your care.For Experience Surveys

These are generally one-off surveys that follow a single episode of care. Once a survey invitation has been issued to You and you either respond or the Survey expires, your name and contact details are permanently deleted from the Cemplicity system unless explicitly stated within your Survey or by the Client. All results are then anonymous unless:

You chose to identify yourself by comments you made in the Survey e.g. mentioning your own name);
You requested contact from the Cemplicity Client and provided your name and contact details in the Survey;
You gave explicit permission in the Survey for your individual Survey response to be shared with your doctor or service provider.

For Outcome Surveys

These are often multi-round surveys where your progress is tracked over time following your treatment, or as part of your ongoing treatment. The length of time that your personal data will be held will be dependent on the type of program; for some that are used for general population health research and benchmarking, this will be for the shortest period. Where the data will be used as part of your treatment this may form part of your medical record and be held for a longer period. If you wish to find out more about the duration of processing, please contact the Client with whom your treatment occurred. Your personal data will not be shared with any parties outside of those mentioned in this Policy.

Purpose of Processing
Such processing activities are intended to enable organisations to implement the necessary changes or improvements to achieve greater efficiencies and/or improve the quality of the health or social system. Your privacy is important to Cemplicity and our Clients. All of your Personal Data will be removed from our system as soon as possible. This will be done through a process of anonymisation. Where all data points that could potentially link you to a response or any other data is removed. This includes removing your name, contact details and anything else that could be used to link you to the data or identify you. This anonymised data is used for statistical or research purposes.
Location of Survey Data
The data of eligible participating patients is processed and stored on servers located in the country or region where the patient received his or her health or social service. For clarity, data is stored by Amazon Web Services (AWS), in Ireland, in the UAE, South Africa, Switzerland, Australia and the United Kingdom for all patients being surveyed in these countries. For patients based in New Zealand, this will be in Australia. For patients in the European Union or EEA this will be in Ireland. Cemplicity offices are based in London, the United Kingdom and Auckland, New Zealand. Cemplicity staff may access your data from either of these locations only according to the instructions of the Cemplicity Client.
Processing under the authority of the Cemplicity Client.
In conducting a Survey, Cemplicity will process the personal data only on documented instructions from the Cemplicity Client, including transfers of personal data to a third country or an international organisation. The only exception to this is if we are required to do anything by a law to which we are subject. Cemplicity’s obligations in relation to the processing of such personal data are set out in the contracts that we enter into with each Cemplicity Client and the terms of these contracts are consistent with the information provided here.

SECURITY OF YOUR INFORMATION

Acknowledgement and Disclaimer
We take our security responsibilities seriously, using the most appropriate physical and technical measures and require our hosting partner to use the same standard of care. Including ensuring that both Cemplicity and any third-party providers that process your personal data on our behalf maintain ISO27001 certification as a minimum standard. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect Your personal data, we cannot guarantee the security of Your data transmitted to our system and any transmission is at Your own risk. Once we have received Your information, we will use strict procedures and security features to try to prevent unauthorised access.
Restricted access
Access to our servers is restricted to authorised Cemplicity personnel and our technical support or development team on a “need to access” basis. Cemplicity operates strict security and password management protocols for our own staff and contractors. It is the responsibility of Clients to manage their own staff and contractor access to the Survey results.

YOUR PERSONAL DATA AND YOUR RIGHTS

Access to Your Information
If you have opted in to provide your contact details or personally identifiable information in a Survey and you wish to be provided with a copy, you should contact the Cemplicity Client in writing. The contact email for the Cemplicity Client’s privacy officer will be shown in the Survey and on their website. They will then contact us to obtain this information, which we will provide free of cost and in a timely manner.
Right of Restriction – Cemplicity Client
You have the right to restrict the Cemplicity Client from providing us your personal data for processing where one of the following applies:
- You have contested the accuracy of the personal data they hold on record in relation to You or for a period of time to enable them to verify the accuracy of the personal data;
- the processing of Your personal data is unlawful and You request the restriction of use of Your personal data instead of its erasure;
- The Cemplicity Client no longer requires Your personal data for the purpose of processing but You require this data for the establishment, exercise or defence of legal claims; or
- where You have contested the processing pursuant to Article 21(1) of the GDPR pending the verification of whether the Cemplicity Client’s legitimate grounds override those of Yours.

Right of Restriction – Cemplicity
Where you have chosen to identify yourself in a Survey, you have the right to restrict the processing of this personal data in future where one of the following applies:
- You have contested the accuracy of the personal data that we hold on record in relation to You or for a period of time to enable us to verify the accuracy of the personal data;
- The processing of Your personal data is unlawful and You request the restriction of use of Your personal data instead of its erasure;
- We no longer require Your personal data for the purpose of processing but You require this data for the establishment, exercise or defence of legal claims; or
- Where You have contested the processing pursuant to Article 21(1) of the GDPR pending the verification of whether Cemplicity’s legitimate grounds override those of Yours.

Corrections or Erasure (Right to Rectification and Right to Be Forgotten):
If we hold personal data concerning You which are no longer necessary for the purposes for which they were collected or if You withdraw consent for us to process personal data, You can also request the deletion of this personal data. This right will not apply where we are required to process personal data in order to comply with a legal obligation or where the processing of such information is carried out for reasons of public interest in the area of public health. You can also request to have Your personal data corrected if it is inaccurate. Any request should be made in writing and sent to the Cemplicity Client.
Right to Object
Where we process personal data on the basis of a legitimate instruction from a Cemplicity Client, You may object to our processing. Should this occur, we will no longer process Your personal data unless doing so is justified by a compelling legitimate ground. You may object to the processing of Your personal data at any time by contacting the Cemplicity Client.
Data Portability
Where we process personal data by automated means (i.e. not on paper) You have the right to receive Your personal data (as applicable) in a structured, commonly used machine-readable format and have us transfer that personal data to another controller.
Profiling
You have the right not to be exposed to a decision based only on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.
Survey Participants
For patients who participate in a Survey and wish to exercise their rights under the GDPR in relation to the processing of their personal data, we will assist the Cemplicity Client in ensuring compliance with its obligations (as controller) to You under the GDPR, as applicable.

CLIENT DATA ALTERATION REQUESTS

It is important to Cemplicity that we have a clear policy with all Cemplicity Client’s that ensure your information is treated on a standardised basis for the betterment of the healthcare system. On occasion Clients may ask Cemplicity to change the information in your survey response where they think an error has occurred. This request will not be accepted unless the error in the information was the result of an error or system failure on Cemplicity’s part, or there is a clear data import error, and the reversion can be done with confidence that the information you entered will not be duly distorted.

CHANGES TO THIS POLICY

Any changes made to this Policy from time to time will be published on our website. If any change to this Policy might result in personal data being used in a way which is different from that made known to You at the time it was collected, we will notify You to determine whether or not we may use Your personal data in this new way.

QUESTIONS AND COMPLAINTS

Contact Us
If you have any questions or complaints about this Policy, please contact us at hello@cemplicity.com
Supervisory Authority
We are committed to complying with the terms of the GDPR and other local data protection and privacy legislation, and to the processing of personal data in a fair, lawful and transparent manner. If, however, You believe that we have not complied with our obligations under law, You have the right to lodge a complaint with the relevant Supervisory Authority in your region.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Privacy Policy – Patient Surveys

Resources

Support

Company