At Lister we are committed to protecting and respecting your privacy. This policy outlines details of the information that we collect, store and process, and the measures we take to protect and safeguard this information. We always welcome suggestions to improve our information governance, privacy, and cyber security policies and procedures.
Who are we?
How your information is used
If you register, your email address will be used to obtain further information from you. We will also use your email to contact you with suitable surveys, job opportunities and updates from Lister only if you give us express permission to do so. This may include details of new features and updates to the application. Our processing basis for this communication is Consent, which will be requested from you at the time you submit a form.
How long do we hold data for?
Any personal data which you have provided to us, except in registering and using the Lister task management platform, will be deleted after a period of 12 months, or earlier if we no longer have need of the data or if the terms of your consent to give us the data express more restrictive limitations on holding the data. Personal data provided to us as part of your registration and use of the Lister clinical task management platform must be held for at least 8 years after your last active use of the platform, but would only be used if it is requested of us legitimately in the context of a patient safety incident or legal investigation. As soon as you no longer have an active account on the Lister platform, we will cease processing or accessing your data for any other purpose.
Lister only retain data for as long as it is strictly required. This means data that you provide through the contact form is held for 12 months. After this time all stored data will be removed from our live systems. Prior to removal we will attempt to contact you to inform you.
In order to operate a reliable system and to avoid data loss we perform regular encrypted backups of the system. These backups are retained for up to 90 days, and after this time are removed. This means that a removed account will be completely removed from all backups 90 days after removal. Data related to patient clinical information will be retained for 8 years.
Who has access to your data?
Lister will never sell or share personal data related to you or any clinical/health data inputted into the Lister task management system.
Lister will not sell or rent your information to third parties, and we do not share information for marketing purposes with any third parties.
Lister may share some personal data with 3rd party partners working on our behalf – this includes contractors & workshop providers who work with Lister to provide services. Where such a relationship is in place there are contractual safeguards in place to protect your information. Lister will only share data that is relevant to the tasks being completed and to the delivery of service to you, and where possible the data will be anonymised. None of these organisations and individuals are permitted to use the data for any other purpose. We will never share any clinical or health data inputted into the Lister task management system with any 3rd party provider, unless we are entirely satisfied that those providers adhere to industry best practice for information governance and cyber security. Typically, we require such providers to be independently certified against a recognised standard, such as ISO 27001.
At any time you will be free to remove consent by contacting us at email@example.com.
How will we keep your data secure?
Lister has been designed with a privacy-first development methodology, meaning that we follow a rigorous development process which places the security of personal information at its core. To that end we host our application and website using a GDPR-compliant cloud data provider hosting the application and site in the UK. We use AWS as our cloud provider, and AWS are certified against ISO 27001 and have a published NHS Digital Data Security and Protection Toolkit score of “Exceeds Requirements”. All of our services run over HTTPS using TLS, ensuring data transmitted between the application/website and our servers is secure. Data you provide to us which is stored is encrypted when it is stored, and in any backups taken. We go to lengths to ensure that the network environment in which the application/website is hosted is kept secure by following best practices and ensuring that security updates are applied in a timely fashion.
Lister is independently certified against the Cyber Essentials and Cyber Essentials Plus standards. The Lister task management platform undergoes yearly independent cyber security penetration testing.
How do we support your rights?
We will not contact you for marketing purposes by email unless you have given your prior consent. You can change your marketing preferences at any time by contacting us by email: firstname.lastname@example.org
The accuracy of your information is important to us. If you change email address, or any of the other information we hold is inaccurate or out of date and you cannot already change it in the app, please email us at email@example.com.
The data that we keep about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:
- You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service;
- You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request;
- You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Information Governance Alliance’s guidelines (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016)
- You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
- You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
- If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.
You may need to provide adequate information for our staff to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
If you would like to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Right to remove consent
Where we rely upon your consent to perform data processing, we allow you to revoke the previously granted consent by contacting us at firstname.lastname@example.org, whereupon we will comply with your request.
It is possible to switch off cookies by setting your browser preferences. For more information on how to switch off cookies on your computer, visit our full cookies policy. Turning cookies off may result in a loss of functionality when using our website.
Review of Policy
We regularly review our policies – the last review of this policy was undertaken in October 2022.