Privacy and cookies policy

Privacy and website policy

We are committed to safeguarding the privacy of our website visitors and service users.

This policy applies where we are acting as a data controller with respect to the personal data of our website visitors and service users; in other words, where we determine the purposes and means of the processing of that personal data.

Privacy Policy

We are In Your Element Ltd, t/a ‘Elemental’, a company registered in Northern Ireland, with registered office at 1 Glen Road, Londonderry, BT48 0BX, Northern Ireland, and registered number: NI619268 (we, us, our).

We provide an online platform (Elemental) which facilitates the provision of social prescription services by enabling health and social care professionals to set up patient profiles, make instant referrals to support and link workers and onward connections to community providers, and enables the exchange of notes about patients to help assess the social prescription services being provided (our Services).

In each case, we make Elemental available to designated users because we have been contracted to do so by our Client in connection with a particular Social Prescription Programme which our Client has decided to run.

2.1 In order to provide our Services, we may need to process Personal Data from time to time (that is information from which an individual can be identified). This Personal Data may be about you or other people. This notice explains how we will use the Personal Data we hold. Elemental enables users to collect and share data. This notice only deals with our use of Personal Data. Recipients (including our Client and Professional Users) are not bound by this privacy notice.
(i) If you decide to take part in a Social Prescription Programme, it is up to you to ask your healthcare professional who might be given access to your data, and what data will be transferred.
(ii) If you upload Personal Data on to Elemental, it is up to you to make sure the recipient of any Personal Data you’ve sent will use the information as you intend.

2.2 We might need to change this privacy notice from time to time. If we do, we will let you know. So please do keep an eye on our notice before sending us any Personal Data or uploading it on to Elemental.

2.3 All of the defined terms in this notice are explained in paragraph 14 below. If you have any questions about this notice, feel free to send us an email to dpo@elementalsoftware.co.

3.1 We hold Personal Data about the following groups of people (Data Subjects):
(i) Client Contact Data: that is Personal Data about our Client (including key contact data);
(ii) Prospective Client Data: that is Personal Data about prospective clients (including key contact data);
(iii) Professional User Data: that is Personal Data about the following groups of Data Subject:
(a) Administrative Users: any individuals who have been designated to use Elemental in order to manage an aspect of our Client’s Social Prescription Programme.

(b) Referral Agents: any individuals who have been designated to provide social prescription referrals as part of our Client’s Social Prescription Programme. This might be a general practitioner or other health or social care professional.
(c) Referral Handlers: any link or support workers who have been designated to use Elemental as part of our Client’s Social Prescription Programme.
(d) Community Providers: any individuals involved in providing programmes, activities, events or services in the community, who have been designated to provide services to Patients in connection with our Client’s Social Prescription Programme.
(iv) Patient Data: that is Personal Data about any individuals who have been identified to receive social prescription services as part of our Client’s Social Prescription Programme.

4.1 It depends on the data and how it is collected and used.

4.2 We are a Controller in respect of the following data:
(a) Client Contact Data. We collect and hold information about our clients for our own business purposes and we make decisions about how best to use that data.

(b) Prospective Client Data. We collect and hold information about prospective clients for our own business purposes and we make decisions about how best to use that data.

(c) Personal Data which we collect from a user of Elemental (User) outside the scope of our Services to our Client.

For example, this could include:
● identity and contact details if a User opted in to receiving marketing from us when they set up their user account on Elemental;
● details about complaints or queries or support questions from that User; and
● usage Data which we might collect to ensure the integrity of Elemental.

4.3 We are a Processor in respect of any Personal Data about Professional Users or Patients which our Client (Administrative Users or Referral Agents) gives us or which we collect on behalf of our Client to enable us to provide our Services.

5.1 We might collect Personal Data in the following ways:
Client Contact Data
(i) Direct interactions with our client: information which our Client provides us with directly about its key contacts, including:
Identity and contact data: name, email address
Job data: job role and employment status
Transactional data: we may retain details about our Client’s transactions with us. We will not store or access any financial details of our Client.
Biographical data: that is data about our Client’s preferences, comments or any other data our Client might give us when they contact us
Prospective Client Data
(i) Direct interactions with a prospective client: any information which a prospective client gives us when they contact us or we contact them. This might include their contact details, information about key contacts in the prospective client, information about their business and job role, their interests and needs.
(ii) Online traffic data: we may use cookies to find out about how people who visit our site use our site. If you would like to know more about our cookies policy, please click here.
(iii) Information which we collect from publicly available sources: to help make sure the right people know about what we do, we may carry out research to find out who we think might be interested in using Elemental. We may collect the following information about the personnel of prospective clients which we’ve identified:
Identity and business contact data
Business data: such as an individual’s job role and position in a company

Professional User Data
(i) Data given to us by Client personnel to facilitate the Social Prescription Programme: We will hold Personal Data about Professional Users primarily because they have been designated by our Client (or Administrative Users or Referral Agents) to take part in our Client’s Social Prescription Programme. This might include:
Identity and contact data: name, email address
Job data: job description and role and administrative rights
Professional details: for Community Providers, this is likely also to include details of services provided and timetables for events
(ii) Direct interactions with Professional Users (when they use Elemental or contact us): This might include:
Identity and contact data: name, email address
Marketing preferences
Use preferences
Opinions, comments or complaints or any other data they provide us with
Professional details
(iii) Online tracking: Elemental is set up to automatically collect certain information using cookies and other similar tracking technologies. As such, we may also collect information about how a Professional User uses Elemental. This might include:
Usage Data: information about interactions with Elemental
Technical Data: data about a Professional User’s IP address, a Professional User’s login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform and other technology on the devices a Professional User uses when they access Elemental.
Traffic Data: that is, information about which websites or links a Professional User accesses when they’re using our services. For more information about the cookies we use, please have a look at our cookies policy, which can be accessed here.

Patient Data
(i) Data given to us by Client Personnel to facilitate the Social Prescription Programme: We will hold Personal Data about Patients primarily because they have been designated by our Client (or Administrative Users or Referral Agents) to take part in our Client’s Social Prescription Programme. This information may include the following:
Identity and contact data: name, email address
Health and well-being data
(ii) Data added to Elemental by Professional Users: The majority of the data we will hold about Patients will be because Professional Users upload it on to Elemental (or pull it over from their own system) and we will store it. This could be information about:
Identity and contact data: name, email address
NHS number
Health and well-being data: and any other data which a Patient provides to a Professional User and which the Professional User deems relevant to record for the purposes of the Social Prescription Programme
Attendance notes
● Recording Consent
● Attendance at community events
(iii) Data which a Patient gives us if they set up and use an account on Elemental or if they contact us directly. This might include:
Identity and contact data: name, email address
● Marketing preferences
● Use preferences
● Opinions, comments or complaints or any other data they provide us with
Health and well-being data:
● Attendance notes
● Recording Consent
● Attendance at community events
(iv) Online Tracking: Elemental is set up to automatically collect certain information using cookies and other similar tracking technologies. As such, we may also collect information about how a Patient (who has decided to set up an account on Elemental) uses Elemental. This might include:
Usage Data: information about interactions with Elemental
Technical Data: data about a Patient’s IP address, a Patient’s login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform and other technology on the devices a Patient uses when they access Elemental.
Traffic Data: that is, information about which websites or links a Patient accesses when they’re using our services. For more information about the cookies we use, please have a look at our cookies policy, which can be accessed here.

It is likely that some of the Personal Data which we collect and store on behalf of our Client, in relation to Patients, may include Special Categories of Personal Data. Special Categories of Personal Data includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.

General
5.2 We may also collect, use and share Aggregated Data such as statistical or demographic data which we collect from interactions with our Clients or any Users of Elemental. Aggregated Data may be derived from Personal Data but since it cannot be used to identify an individual, it is not Personal Data.

Client Data
(i) We hold and process Client Contact Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Client Contact Data along with our lawful basis in the table below.
(ii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use goes no further than a Client would reasonably expect; is likely to align with the Client’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of our Client.

To provide our services
Agreeing the parameters of the Social Prescription Programme and facilitating the set-up and managing payment
Identity Data, Contact Data, Transaction Data
Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

To manage our relationship with you
To notify you of updates to our (or our Licensor’s) services or software or updates to our privacy notice
Identity Data, Contact Data
Necessary for the performance of the contract for the provision of our services or taking steps necessary to enter into a contract.

Administration and Dispute Resolution
We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.
Identity Data, Contact Data, Transaction Data
Legitimate Interest

Marketing
From time to time we might contact you by telephone or email about updates to our services, new features or functions or new products we are bringing out. Our marketing may be tailored on the basis of what we think your interests are (from looking at data collected using cookies and other similar technologies as well as past transactions and interactions). We will always include the right to opt out in any such correspondence.
Identity Data, Contact Data, Transaction Data, Profile Data, Traffic Data
Legitimate Interest

Prospective Client Data
We hold and process Prospective Client Data as a Controller, which means we must have a ‘lawful basis’ for doing so. We have set out how we use Prospective Client Data along with our lawful basis in the table below.

Responding to your requests for information (solicited marketing)
This may involve sending you information about our services if you have asked us to do so or contacting you whether by telephone or email to discuss proposals for a Social Prescription Programme.
Identity Data, Contact Data
Necessary steps to enter into a contract

Profiling and Marketing
We may carry out research online (including by looking at traffic data collected by cookies and other similar technology) and through word of mouth in order to find businesses and the relevant contact within that business who we think might be interested in hearing about Elemental. We may use such information to make marketing calls or send an email.
We will only send out unsolicited marketing emails to prospective clients if we have first obtained their consent.
We are relying on legitimate interest as our legal basis for profiling and marketing, the legitimate interest being the promotion of our business. We believe that marketing of this kind is integral to getting our product known in the correct circles, and, since the marketing communication is targeted to individuals working in the field of Social Prescription, and we will only use contact details published on business websites, we believe that this will not be considered invasive by the Data Subject and in this case our interests and the Data Subject’s may be aligned.

Professional User Data
(i) Any Professional User Data which we have been given by our Client (Administrative Users or Referral Agents) or which we collect on behalf of our Client to enable us to provide our Services, we hold as a Processor. Provided we are acting in accordance with our Client’s instructions, we are not required to have a lawful basis for our processing. If you would like more information about who our Client is and their lawful basis, please contact us at dpo@elementalsoftware.co and we will pass your query to our Client.

(ii) Any Professional User Data which we collect directly from a Professional User but which falls outside the scope of our services to our client, we hold as a Controller which means we must have a ‘lawful basis’ for doing so. We have set out how we use Professional User Data along with our lawful basis in the table below.

(iii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use will go no further than a Professional User would reasonably expect; is likely to align with the Professional User’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of a Professional User.

(iv) We may also collect aggregate data about how a Professional User uses our software. This data will be anonymised and will not identify a Professional User.

Monitoring account usage
We may record usage patterns or other data we collect from your use of Elemental in order to make sure such use is in accordance with our terms of use.

Administration And Dispute Resolution
We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Marketing (profiling and direct mail)
If you have agreed that we may do so, we may contact you by email from time to time with information about our goods and services or similar goods and services which we think may be of interest to you. We may tailor these communications on the basis of information we have collected about your usage of Elemental and traffic data we’ve collected.

Patient Data
(i) Any Patient Data which we have been given by our Client (or Professional Users) or which we collect on behalf of our Client (including Professional Users) to enable us to provide our Services, we hold as a Processor. Given the nature of the services we facilitate, it is likely that this will include Special Categories of Personal Data. Provided we are acting in accordance with our Client’s instructions, we are not required to have a lawful basis for our processing. If you would like more information about who our Client is and their lawful basis, please contact us at dpo@elementalsoftware.co and we will pass your query to our Client.

(ii) Any Patient Data which we collect directly from a Patient but which falls outside the scope of our services to our Client, we hold as a Controller which means we must have a ‘lawful basis’ for doing so. We have set out how we use Patient Data along with our lawful basis in the table below. We do not envisage that any of the Patient Data which we hold as a Controller will include Special Categories of Personal Data.

(iii) Anywhere we are relying on legitimate interest we believe that such processing is necessary for the purposes of our legitimate interest, which in this case is to function as a business. We consider such use will go no further than a Patient would reasonably expect; is likely to align with the Patient’s interests (by enabling us to provide a sustainable business model) and is unlikely to be detrimental to the fundamental rights and freedoms of a Patient.

(iv) We may also collect aggregate data about a Patient’s use of Elemental and participation in the Social Prescription Programme. This data will be anonymised and will not identify any Patient.

Monitoring account usage
We may record usage patterns or other data we collect from your use of Elemental in order to make sure such use is in accordance with our terms of use.

Administration and Dispute Resolution
We may also need to process Personal Data about you to meet our internal administration requirements and for matters such as dispute resolution.

Marketing (profiling and direct mail)
If you have agreed that we may do so, we may contact you by email from time to time with information about our goods and services or similar goods and services which we think may be of interest to you. We may tailor these communications on the basis of information we have collected about your usage of Elemental and traffic data we’ve collected.

7.1 Disclosures of Patient Data made as part of the Social Prescription Services: The purpose of the Social Prescription Programme is to enable Professional Users to disclose and share information with each other about a patient’s progress in connection with the Social Prescription Programme. The decision to transfer Patient Data is made by the Professional Users themselves or a Patient (if they have set up their own account on Elemental). We’ve put together an infographic that might help to explain the process.

If you have any questions about who your data might be transferred to if you take part in our Client’s Social Prescription Programme, please ask the Referring Agent or Referral Handler. If you don’t know who that is, feel free to send us an email at dpo@elementalsoftware.co and we will pass your query to our Client for them to contact you directly.

7.2 Disclosures of Personal Data by us to third parties. We may disclose Personal Data to third parties, for the following purposes:

(a) To employees and third parties (including professional advisors, such as lawyers and accountants) who are contracted to help us to provide Elemental and our business. Any such third parties and/or data processors contracted by us will be subject to strict contractual requirements only to use Personal Data in accordance with our privacy notice. If you would like more information about third party processors used by us, please contact us at dpo@elementalsoftware.co.

(b) If we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements or to protect the operation of our website, or the rights, property, or safety of us, our customers, or others.

(c) Third parties if we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use Personal Data in accordance with the provisions set out in this privacy notice.

8.1 It is our policy to ensure that all Personal Data held by us is handled correctly and appropriately according to the nature of the information, the risk associated with mishandling the data, including the damage that could be caused to an individual as a result of loss, corruption and/or accidental disclosure of any such data, and in accordance with any applicable legal requirements. Measures include the encryption of data while in transit via SSL, encryption of sensitive data fields at the database level, including password hashing, and a layered architecture with tightly controlled firewall permissions.

8.2 There are some steps you can take to help make sure that your data is protected. For example:

(a) if you are a Professional User contacting us with a query or complaint, only ever give us your work details rather than your personal contact details;

(b) if you are sending any financial details or sensitive information, consider sending it in separate emails or encrypted, password protected documents; and

(c) make sure that you keep any passwords associated with your Elemental account secure.

9.1 For Clients based in the EU, we only use servers in the EU (and Britain). Our current host servers are provided by Amazon Web Services, whose servers are based in London.

9.2 If you are based outside the EEA and would like further information about where we hold your data, please contact us by email: dpo@elementalsoftware.co.

Client Contact Data
10.1 Our retention policies for Client Contact Data are as follows:

(a) we may store data related to financial transactions for up to 7 years to ensure that we have sufficient records from an accounting and tax perspective;

(b) we may archive data relating to negotiations, contracts agreed, payments made, disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;

(c) we may retain data which is held for marketing purposes for up to 5 years from the date of termination of our contract with our Client (unless the relevant Data Subject requests erasure of their data prior to that date);

(d) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

Prospective Client Data
10.2 We will retain Prospective Client Contact Data for up to 1 year from the point of collection or last interaction. If a Prospective Client becomes a Client, the retention policy set out in paragraph 10.1 shall apply.

Professional Data
10.3 Any Professional User Data which we hold as a Processor will be held only for the duration of our contract with our Client. Upon termination of the contract, we will return or delete the Professional Data.

10.4 Any Professional User Data which we hold as a Controller will be retained in accordance with the following provisions:

(a) we may archive data relating to disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;

(b) we may retain data which is held for marketing purposes for up to 5 years from the date of termination of our contract with our Client (unless the relevant Data Subject requests erasure of their data prior to that date); and

(c) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

Patient Data
10.5 Any Patient Data which we hold as a Processor will be held only for the duration of our contract with our Client. Upon termination of the contract, we will return or delete the Patient Data.

10.6 Any Patient Data which we hold as a Controller will be retained in accordance with the following provisions:

(a) we may archive data relating to disputes raised and your use of our software for up to 6 years to protect ourselves in the event of a dispute arising between you and us;

(b) we may retain data which is held for marketing purposes for up to 5 years from the date of termination of our contract with our Client (unless the relevant Data Subject requests erasure of their data prior to that date); and

(c) we may store aggregate data without limitation (on the basis that no individual can be identified from the data).

11.1 Data Subjects have the following rights in respect of Personal Data relating to them which can be enforced against whoever is the Controller.

(a) Right to be informed: the right to be informed about what Personal Data the Controller collects and stores about you and how it’s used.

(b) Right of access: the right to request a copy of the Personal Data held, as well as confirmation of:
(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients to whom the personal data has/will be disclosed;
(iv) how long it will be stored; and
(v) if data wasn’t collected directly from the Data Subject, information about the source.

(c) Right of rectification: the right to require the Controller to correct any Personal Data held about the Data Subject which is inaccurate or incomplete.

(d) Right to be forgotten: in certain circumstances, the right to have the Personal Data held about the Data Subject erased from the Controller’s records.

(e) Right to restriction of processing: the right to request the Controller to restrict the processing carried out in respect of Personal Data relating to the Data Subject. You might want to do this, for instance, if you think the data held by the Controller is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.

(f) Right of portability: the right to have the Personal Data held by the Controller about the Data Subject transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.

(g) Right to object to direct marketing: the right to object where processing is carried out for direct marketing purposes (including profiling in connection with that purpose).

(h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on the Data Subject.

11.2 If you want to avail of any of these rights, you should contact us immediately at dpo@elementalsoftware.co. If we are not the Controller, we will need to transfer your request to the Controller – but we will only do so with your consent. If you do contact us with a request, we will also need evidence that you are who you say you are to ensure compliance with data protection legislation.

12.1 If we are holding Personal Data about you as a Processor, we will need to transfer your request to the Controller who has engaged us to provide our Services – that will be our Client. To the extent that we are holding Personal Data about you to facilitate our Client’s Social Prescription Programme, such a request is likely to impact on your ability to be a part of the programme.

12.2 If we are holding Personal Data about you and using that data for marketing purposes or for any other activities based on your consent, you may notify us at any time that you no longer want us to process Personal Data about you for particular purposes or for any purposes whatsoever and we will stop processing your Personal Data for that purpose. This will not affect your ability to be a part of our Client’s Social Prescription Programme.

13.1 If you have any questions or concerns about how we are using Personal Data about you, please contact our Data Protection Officer immediately at our registered address (see paragraph 1.1 above) or by email to dpo@elementalsoftware.co. If we are processing Personal Data about you on behalf of our Client, we will need to pass your complaint to our Client – we will only do so with your consent.

13.2 If you wish to make a complaint about how we have handled Personal Data about you, you may lodge a complaint with the Information Commissioner’s Office by following this link: https://ico.org.uk/concerns/.

14.1 Throughout this notice you’ll see a lot of defined terms (which you can recognise because they’re capitalised). Where possible, we’ve tried to define them as we go, but we thought it might be useful to have a glossary at the end for you. Anywhere in this notice you see the following terms, they’ll have the following meanings:

Client means the party we entered into a contract with to facilitate an agreed Social Prescription Programme;

Client Contact Data means Personal Data about our Client (including key contact data);

Controller is a legal term set out in the General Data Protection Regulation (GDPR) and means the party responsible for deciding what Personal Data to collect and how to use it;

Elemental means the online platform which facilitates the provision of social prescription services;

Data Subject means the individual who can be identified from the Personal Data;

Patient Data: that is Personal Data about any individuals who have been identified to receive social prescription services as part of our Client’s Social Prescription Programme;

Personal Data means data which can be used to identify a living individual. This could be a name and address or it could be a number of details which when taken together make it possible to work out who the information is about. It also includes information about the identifiable individual;

Processor is another legal term set out in the GDPR and means the party who has agreed to process Personal Data on behalf of the Controller;

Professional Users means any or all of the following groups of individuals:

  • Administrative Users: any individuals who have been designated to use Elemental in order to manage any aspect of our Client’s Social Prescription Programme.
  • Referral Agents: any individuals who have been designated to provide social prescription referrals as part of our Client’s Social Prescription Programme. This might be a general practitioner.
  • Referral Handler: any link or support workers who have been designated to use Elemental as part of our Client’s Social Prescription Programme.
  • Community Provider: any individuals involved in providing programmes, activities, events or services who have been designated to provide services to Patients in connection with our Client’s Social Prescription Programme.

Prospective Client Data: that is Personal Data about our prospective clients (including key contact data);

Social Prescription Programme means a programme implemented by a clinic, trust, housing executive or other body to assess a patient’s social, emotional and practical needs and make referrals to non-clinical services within a patient’s community;

Special Categories of Personal Data means details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data; and

User means a user of Elemental.

Cookies Policy

1.1. A cookie is a small text file containing anonymous information (letters and numbers) which acts as an identifier that will be sent by our server to your computer or mobile device when you use our Site.
1.2. By allowing us to identify you, your user experience will be improved. For instance, our Site will be able to remember your preferred settings, user name and preferences, saving you time each time you log in.

2.1. In our provision of services to you, we use both ‘essential’ and ‘non-essential’ cookies.
2.1.1. ESSENTIAL COOKIES
Some cookies are required to perform essential functions on our Site. We use essential cookies for purposes such as:
● to enable you to access private information for the duration of your visit;
● for the administration of our services; and
● to improve those services provided by us to you.
2.1.2. NON-ESSENTIAL COOKIES
The table below explains the non-essential cookies we use and why

3.1. By using our Site, you are consenting to our use of these non-essential cookies. If you do not consent to our using non-essential cookies you may opt to block the cookies by using the appropriate setting on your browser. For more information on how to disable cookies please see: www.allaboutcookies.org.
3.2. Please note that blocking cookies could affect some of the services provided on our Site.

4.1. Any changes we may make to our cookies policy in the future will be posted on this page.

5.1. Questions, comments and requests regarding this cookies policy are welcomed and should be addressed to dpo@elementalsoftware.co.