Privacy Policy

Hilltop Digital Lab Ltd, and its subsidiaries and affiliated companies (collectively, the “Hilltop Digital Lab”, “Company”, “We”, or “Us”) strive to properly address applicable data protection requirements. 

This Hilltop Digital Lab Privacy Policy (“Policy”) provides the individuals who receive our services, with certain essential information about how the Company manages his/her personal information (including sensitive personal information). Hilltop Digital Lab is the primary data processor for the processing of Personal Information. 

Types of data processed

Personal information processed might include the following types of personal information: 

When you are a client, we process client contact information;
Client Contact Information is personal information related to contacting a client who would like to learn more about available products and services or for the administration of contracts and payments. Client Contact Information includes personal information such as name, email address, telephone number, or fax number. Client Contact Information is collected via telephonic, face-to-face, or online interactions and is held in administrative systems and files. 

When you are a service provider, we process service provider information;
Service Provider Information is personal information related to providers, provide services to, or which provides services to our business.  Service Provider Information includes personal information such as name, address, email address, or telephone number. Service provider information may be captured in a patient’s medical record, assessment reports, assessment results, and administrative systems. 

When you are a patient of a general practice or an employee of a clinical commissioning group, we process personal information;
Patient Information is personal information related to patients of a General Practice (GP) who may be part of a Clinical Commissioning Group (CCG)/ Integrated Care System (ICS) that we have a contract with. Patient Information that we process may include but not be limited to patient name, address, date of birth, email address, telephone number, gender, NHS number, health data, genetic data and biometric data. Employee data we process on behalf of the CCG/ICS may include but not be limited to name, address, date of birth, email address, telephone number, gender, NHS number, and marital status. 

Purpose of personal information processing and legal basis for doing so

Our use and processing of Personal Information – Our personal information processing includes:

Quality Management;
We use personal information for Quality Management such as ensuring the quality-of-service delivery, including call monitoring and recording, case consultations, and service feedback. Call recording is performed, and quality monitoring is performed. De-identified personal information may be shared with a supervisor or senior member of the staff to provide consultation on customer cases.

Client Reporting;
We use personal information for Client Reporting such as providing aggregate statistical reports to client organisations related to overall service delivery information, trends within and across organisations, and anonymized customer satisfaction and feedback information.

Client Requests;
We use personal information to respond to Client Requests such as responding to requests for more information about products and services. 

Business Administration;
We use personal information for business administration such as responding to requests for more information about products and services.

Accreditation and Legal Requirements

We use personal information for Accreditation and Legal Requirements such as complying with accreditation requirements and achieving the legal basis of our personal information processing. 

The legal basis of our personal information processing – The legal basis of our personal information processing includes processing that is:

  • Necessary for the Company’s legitimate interests, including those described above.
  • Necessary for compliance with the Company’s legal obligations, including the provision of services to Participants.
  • Necessary for medical diagnosis, the provision of health or social care or treatment of the management of health or social care systems or services.
  • Necessary for the establishment, exercise or defence of legal claims.
  • Necessary to protect the vital interests of the Participant of another natural person.
  • Necessary for reasons of public interest in public health; or,
  • Based on consent by the Participants, which may subsequently be withdrawn at any time by contacting us at the address listed below in the “Contact Information” section without affecting the lawfulness of processing based on consent before its withdrawal.

Hilltop Digital Lab Ltd Partners, Personnel and Cross-border Transfers 

We disclose personal information to third parties (“Hilltop Digital Lab Partners”), such as health care providers and community providers, who help us to deliver the Hilltop Digital Lab services.  Hilltop Digital Lab Partners also share personal information with us for these purposes. Our personnel may access (on a need-to-know only basis) and process personal information in connection with their job responsibilities or contractual obligations. Such access includes those individuals who are in charge of Hilltop Digital Lab program activities mentioned above and IT services as well as senior executive company managers. Where permitted, we may use some third parties, Hilltop Digital Lab Partners, and Company personnel located outside of the EEA, including in countries that may not provide the same level of data protection as your home country, such as the United States of America.  We take appropriate steps to ensure that such entities are bound to duties of confidentiality, and we implement measures such as standard data protection contractual clauses to ensure that any transferred Personal information remains protected and secure.  

Client Reporting

e provide reports to Clients (“Client Reports”).  The Client Reports are aggregate statistical reports provided to Client organisations related to overall service delivery information, trends within and across organisations, and anonymized customer satisfaction and feedback information.  

Your Consent and Your Responsibility

You are not required by law to provide us with your personal information. If you do not provide us with personal information and consent to our personal information processing policy, we may be unable to provide the Hilltop Digital Lab service that you might request.  If you provide your consent, you can withdraw consent at any time.  When you withdraw your consent, we may no longer be able to provide you with Hilltop Digital Lab services. If you provide third-party information to us (such as information from financial institutions, information or advice from solicitors, etc.), it is your responsibility to ensure that it is lawful for you to share the information with us and obtain our further processing of the information.

Direct Marketing

We will not use your personal information for direct marketing purposes without obtaining your consent prior to doing so. If you provide your consent for direct marketing, you may request to withdraw your consent at any time.  For example:  On each item of marketing collateral, we include instructions for withdrawing your consent to direct marketing. You may also request to withdraw your consent by following the instructions by contacting us as instructed in the “Contact Information” section below.

Retention of Personal Information

Personal information will be retained only for so long as necessary for the purposes set out above, in accordance with applicable laws.

Data Security and Data Integrity

We maintain reasonable safeguards to protect personal information from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction.  We also maintain reasonable procedures to help ensure that personal information is reliable for its intended use and is accurate, complete and current.  If you are aware of changes or inaccuracies in your personal information, you should inform us of such changes so that the personal information can be updated or corrected.

Your Rights in Personal Information that Concerns You

You may contact us by following the instructions below in the “Contact Information” section to request access to the personal information that concerns you, to request correct any mistakes, deletion of this data or to withdraw your consent to our personal information processing, in accordance with applicable law. 

We might be unable to comply with such a request were doing so would place us in breach of our obligations under applicable laws, regulation or codes of practice.  However, in some circumstances, you might be able to request that your data be blocked from further processing.  You might also have a right to data portability to another data controller under certain circumstances. Where we rely on your consent for our personal information processing, your consent may be withdrawn at any time, although the withdrawal might impact or disrupt the services, we provide to you.  Whether we comply with your request or do not comply with your request, we will prepare a response within the time permitted by law, generally within a month of receiving your request, subject to extension, when permitted, in certain situations. 

You may lodge a complaint with a supervisory authority if you believe that our personal information processing infringes on applicable law.

Disclosures Required or Permitted by Law

Regardless of any other provisions in this Privacy Policy, we may disclose or otherwise process personal information in the context of any sale or transaction involving all or a portion of the business, or as might be required or permitted by law or required for the purposes of any regulatory audit to which the Company may be subject from time to time.

Contact Information

By following the instructions below, you may request clarification about our Policy, complain about our personal information processing, make a request to exercise rights in the personal information that concerns you, and/or request a copy of our contractual clauses designed to protect personal information.  

When you contact us, we might need to make an appointment with you, where necessary, to better understand the nature of your question or clarify a request access or amendment/correction. During this process, we must verify your identity to ensure that the request is made by you, or by another person who is authorised to make a request on your behalf, such as a legal guardian.

To contact the supervisory authority:
The Information Commissioner
Wycliffe House
Water Lane
United Kingdom

To contact us:
Attention: Data Protection Officer

Effective Date

The Effective Date of this Privacy Policy is the 1st of October 2020. We might revise our Policy from time to time to reflect changes that we undertake in personal information processing. We will notify you of significant changes.