Privacy policy:
Health-related data
Kheiron Medical Technologies
We are Kheiron Medical Technologies (‘Kheiron’), a group of companies with offices in London. Our services help radiologists identify potential cancers.
- This privacy notice supplements our general Privacy Policy and tells you about what health-related data Kheiron may use, how we process it, what are your rights and how you can exercise them.
- We process limited health-related data on behalf of the healthcare professionals and organisations we work with.
- People have rights which they may freely exercise where data that identifies them is processed. We explain what these are and, how and when you can exercise them.
- We use various third-party data processors to provide cloud-based technologies on which we securely process personal data.
- You can contact us for more information about how, what and when we process personal data about you and to request access.
- You can contact your national or state data protection supervisory authority if you do not think we have handled your data correctly.
Introduction
The General Data Protection Regulation (GDPR) is data privacy law that applies to organisations (and sometimes people) that are established in the European Economic Area (the ‘EEA’ are countries of the European Union plus a number of other countries). Kheiron is committed to protecting personal data in compliance with GDPR and the UK legislation based on GDPR.
For people outside of the EEA and UK, Kheiron is committed to complying with local, national and state data protection laws, supplementary to the principles and requirements of GDPR as advised by legal counsel.
The General Data Protection Regulation and relevant Member State laws require us to provide people with information about what personal data we process, what are their rights, how they can exercise those rights, and how to make complaints. This Privacy Notice provides that information in a way we have tried to make clear and transparent.
If you would like more information about what data we process, for what purpose or how long we keep it for, please use the contact options provided at the foot of our general Privacy Policy page to ask us.
How we process health-related data
Kheiron provides the healthcare provider (clinic or hospital) with a Kheiron ‘Gateway’ program to install and run on their IT systems. This program operates continuously and automatically as part of the healthcare provider’s IT systems. It detects when mammography images are taken for a patient and before the data is transferred to Mia’s cloud-based service for analysis the Gateway takes steps to ensure that the data:
- is minimised technical, image and health-related data with all non-essential data removed;
- has no components that identify the individual; all of this is removed by the Gateway and replaced with one randomly-generated, unique ‘Kheiron ID’ reference code.
Kheiron applies the Digital Imaging and Communications in Medicine (DICOM) Supplement 142 standard and complies with the UK Information Commissioner’s Anonymisation Code of Practice to ensure that personal privacy is protected and that no personally-identifiable information leaves the healthcare provider to be processed.
Mia’s cloud-based system analyses the minimised and pseudonymised mammography image and data provided by the Gateway. The outcome of that analysis is passed back to the Gateway in the healthcare provider’s IT system. The Gateway matches the ‘Kheiron ID’ in Mia’s reply to the original patient records and updates them with Mia’s analysis outcome for the healthcare provider’s radiographer to review.
The healthcare provider’s IT team only grants Kheiron very limited access to help install the Gateway program and later at agreed times to maintain that program with security updates and improvements. Kheiron has no access at any other time. Kheiron processes only the minimised and pseudonymised output provided by the Gateway to ensure that patient privacy is maintained.
Personal data processed
Kheiron process the following personal data (as per our legal contract with healthcare providers) for the purposes listed:
Classes of data subject | Purposes of processing | Categories of data | Retention period | Lawful basis |
Individuals in the care of a Partner or Customer healthcare provider | Mia service provision – pseudonymisation (a step to remove personal identifiable data before radiology images are analysed). This process is designed and created by Kheiron but executed using the Gateway program operated by the Partner or Customer healthcare provider. | Minimised health record data directly related to radiological images | To the end of our mandate with each customer or each service contract with a Partner or Customer healthcare provider. | Contract including Article 6(1)(f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’ and Article 9(2)(h) ‘processing is necessary for the purposes of preventive or occupational medicine, for …medical diagnosis, the provision of health …or treatment’ |
Individuals in the care of a Partner or Customer healthcare provider | Mia service provision supporting Customer and Partner healthcare provider’s radiologists – image processing (analysis) | Pseudonymised (unidentifiable) minimised data related to radiological images | To the end of our mandate with each customer or each service contract with a Partner or Customer healthcare provider. | Contract including Article 6(1)(f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’ and Article 9(2)(h) ‘processing is necessary for the purposes of preventive or occupational medicine, for …medical diagnosis, the provision of health …or treatment’ |
Individuals in the care of a Partner or Customer healthcare provider | Training Mia machine learning models improving cancer detection – image processing (analysis); testing Mia in support of medical device regulation requirements ensuring quality, integrity, security and safety. | Pseudonymised (unidentifiable) minimised data related to radiological images | To the end of our mandate with each customer or each service contract with a Partner or Customer healthcare provider. | Contract including Article 6(1)(f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’ and Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as …ensuring high standards of quality and safety of health care and of medicinal products or medical devices’ |
Data protection rights
The General Data Protection Regulation secures various rights for people whose data is being processed.
As previously stated, Kheiron does not process identifiable patient information. And we have no technically possible way of somehow reversing the pseudonymisation process ourselves. We simply don’t know who you are or if we’ve ever processed your health-related data on behalf of your healthcare provider.
If you believe that Kheiron has processed your health-related data and you ask us about how we’ve done that we can only refer you to this page that you’re reading now. You can contact us with any additional questions that you have and we’ll try to answer them as completely as possible, but in some cases we may simply be unable to provide an answer if it’s impossible or involves a disproportionate effort as described by GDPR Article 14(5)(b).
We would advise that you contact your healthcare provider first to answer any questions you have about how your information has been used.
Listed below are your rights and an indication of when they apply:
Right | Meaning | Engagement by lawful basis |
Consent Withdrawal GDPR Article 7 | You have the right to withdraw your consent for the controller to process your data at any time. | This right is more complex to apply, but that doesn’t mean it would not be respected. |
Access GDPR Article 15 | You may request a copy of the data held by a controller about you. | This is a fairly universal right with minor exemptions for staff disciplinary records and legal opinions. |
Rectification GDPR Article 16 | If you think data held by a controller about you is wrong, you may request that it is corrected. | This is a fairly universal right with minor exemptions. |
Erasure GDPR Article 17 | You can request that your data is deleted by a controller. | This is a fairly universal right with minor exemptions. |
Restriction GDPR Article 18 | There are circumstances in which a data subject may ask a controller to stop processing their data but in which the controller must otherwise retain the data, for example where required by law. | This right is more complex to apply, but that doesn’t mean it would not be respected. |
Portability GDPR Article 20 | You can ask for a copy of your data in a format that can be readily transferred to an alternative controller. | This right is only engaged where your data is transferable to another controller. |
Objection GDPR Article 21 | You can object to the processing of your personal data when the controller is relying on a legal obligation or public duty for their legal basis, or they are claiming that it is in their legitimate interest, especially direct marketing. | Engaged where the lawful basis for processing is GDPR article 6(1)(e) or 6(1)(f). |
Automated decisions GDPR Article 22 | Where a computer makes a decision about you without human intervention, for example if an online loan application, you have the right to know how the decision was arrived at. | Where automated decision-making takes place without human intervention. |
Data processors
Below is a list of companies whose services and products we have contracted and who process Pseudonymised (unidentifiable) minimised data on our behalf and under our instruction:
Supplier and service(s) provided | Classes of Data Subject | Purposes for the processing |
Amazon Web Services (AWS) Compliance information can be found here. | Individuals in the care of a Partner or Customer healthcare provider. | Platform and infrastructure services supporting Mia data processing and storage. |
Microsoft Azure Compliance information can be found here. | Individuals in the care of a Partner or Customer healthcare provider. | Platform and infrastructure services supporting Mia data processing and storage. |
Veristat Compliance information can be found here. | Individuals in the care of a Partner or Customer healthcare provider. | Clinical Research Organisation (CRO) providing project management support,medical device regulatory assurance and support researching Mia improvements. |
The Alan Turing Institute Compliance information can be found here. | Individuals in the care of a Partner or Customer healthcare provider. | Statistical analysis and research supporting Mia improvements and medical device regulatory assurance. |
Quantics Biostatistics Compliance information can be found here. | Individuals in the care of a Partner or Customer healthcare provider. | Statistical consultancy, analysis and programming. Research supporting Mia improvements. |
Auxiliis Privacy policy can be found here and further information by contacting Auxiliis. | Individuals in the care of a Partner or Customer healthcare provider. | Clinical Research Organisation (CRO) providing project management support, medical device regulatory assurance and support researching Mia improvements specifically related to data subjects in Hungary. |
Contact details
If you have any queries regarding data protection matters you can find contact details at the foot of our general Privacy Policy page.