Introduction

Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal information. This Privacy Policy explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint.

Please also read the Terms and Conditions, which are available on the Vhi App, carefully as they contain important information on the scope of the services we provide and how we deliver them. By using our services, you are deemed to have accepted the Terms and Conditions. If you do not agree to the terms of use, please refrain from accessing or using our services.

How and why we use your personal information

We collect and process your personal and sensitive information solely for the purpose of providing you with access to our services. When we do so we are subject to the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

HealthHero Solutions Ltd provides HealthHero Healthcare Ireland Ltd with administrative services to support its healthcare provision in Ireland. HealthHero Healthcare Ireland Ltd and HealthHero Solutions Ltd are joint data controllers for the purposes of those laws and for the provision of the services to you. Data transfers between HealthHero Healthcare Ireland Ltd and HealthHero Solutions Ltd are made under the provisions of Article 45 of the GDPR.

The Data Protection Officer for HealthHero Healthcare Ireland Ltd is registered with the Data Protection Commission in Ireland. HealthHero Solutions Ltd is regulated by the Information Commissioner’s Office (ICO) in the United Kingdom (UK).

Under the Data Protection Act 2018 and GDPR, we can only use your personal information if we have a proper reason for doing so. For example:

  • to comply with our legal and regulatory obligations.
  • for the performance of a contract with you or a third party or to take steps, at your request, before entering into a contract.
  • to collect feedback from you on our services.
  • for our legitimate interests or those of a third party.
  • where you have given consent.

The lawful basis we rely on for processing your personal and sensitive (health) data is provided for under Articles 6(1)(b), 6(1)(f) and 9(2)(h) of the GDPR.

Personal information we collect about you

We routinely collect and use the following personal information about you and the patient, if different, including:

  • your name and contact information, including your home address, telephone number and email address.
  • your location at the time of your consultation if different to your home address (for use only in the case of a medical emergency)
  • your date of birth; and
  • if necessary, the name of the partner organisation who provides you with access to our services (e.g. your employer, insurer, or membership group) and any access code, policy, or membership number you may have.
  • health data, which can include images and documents.

This personal information is required to provide our services to you. If you do not provide all the personal information we ask for, it may delay or prevent us from providing our services to you.

Images or other health documents you provide to us will be stored in your HealthHero record and form part of the consultation record.

All calls, consultations and electronic communications are recorded to protect the interests of all parties.

How your personal information is collected

We collect personal information directly from you. This may be via:

  • Telephone
  • Email
  • Online Services (Webforms/Progressive Web Apps)
  • Mobile Applications (App)
  • Third Party Applications via APIs (Application Programming Interfaces)

We may also collect information directly from third parties e.g. insurance companies and other organisations which you are a member of.

Who will we share your personal information with?

We will not share any personal information with any third parties without your explicit consent or as otherwise set out in this privacy policy. We only allow third parties to handle your personal information if we are satisfied that they take appropriate measures to protect your personal information.

Where we have a lawful basis to do so, we may share personal information with:

  • other companies within the HealthHero Group we use to deliver our services to you.
  • third parties we use to help deliver our services to you.
  • other third parties we work with to provide services to you, e.g. insurance companies.
  • other third parties we use to help us run our business e.g. website hosts.
  • third parties approved by you.

If you consent for us to do so, we may share your sensitive personal information with third parties to provide you with additional services if they are available to you.

If the consulting clinician feels it is appropriate, and with your consent, we will also share a copy of the consultation notes with your own GP.

The partner organisation who provides you with access to our services may require us to share personally identifiable information to validate your eligibility or confirm that you have used the service.

We may also be asked by the partner organisation who provides you with access to our services to disclose relevant consultation records if you are in the process of making a claim, or to facilitate continuity of care. Where we do not already have a lawful basis to share this information, we will seek your consent to do so.

We may also need to share aggregated information with other parties, such as potential buyers of some or all our business, or during a re-structuring. The recipient of any information will be bound by confidentiality obligations.

We may share aggregated information publicly and with our partners. For example, we may share information publicly to show trends about the general use of our clinical services.

Information that we may be obliged to share for other contractual or legal reasons

You may have been referred directly to our services by a partner organisation as part of their contractual obligations to you, for the purposes of preventive or occupational medicine, the assessment of your working capacity, medical diagnosis or the provision of healthcare or treatment. Where this is the case, we may be obliged to share special categories of personal data with them in order that they can fulfil their contractual obligations to you.

We will share personal information with other third parties if we have a belief in good faith that access, use, preservation, or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process, or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security, or technical issues; and/or
  • protect against harm to the rights, property, or safety of HealthHero Healthcare Ireland Ltd/HealthHero Solutions Ltd, our partners, users, or the public, as required or permitted by law.

Where we process data

We process data at the trading offices of HealthHero Healthcare Ireland, 2 Dublin Landings, North Wall Quay, Dublin 1, D01 V4A3 and HealthHero Solutions Ltd; Inspired, Easthampstead Road, Bracknell, Berkshire, RG12 1YQ, UK and (under contract) at the sites of data processors and third parties appointed by us within The Republic of Ireland and The United Kingdom.

Data security

We take appropriate technical and organisational measures to maintain your personal information in a secure environment to prevent your personal information being accidentally lost or unauthorised access and use. Our partners are bound by contract to do the same. We limit access to your personal information to those who have a genuine business need to access it.

We use Transport Layer Security (TLS) to encrypt and protect data traffic generated as part of our normal operations. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software and you have a responsibility to ensure that any email you send is within the bounds of the law.

We will notify you and supervisory authority of any suspected data security breach where we are legally required to do so.

Data Retention

Where we have been provided with your personal information to establish your eligibility to use the services, we will only retain this information for as long as you are declared as eligible by the partner organisation who provides you with access to our services.

HealthHero GP records are retained for a minimum of 10 years after death. Current guidance is that Electronic Health Records (EHRs) must not be destroyed or deleted. This includes any video or audio recordings.

HealthHero Mental Health Services (EAP – Employee Assistance Programme) records are retained for 7 years from last date that service was delivered.

Online services – Cookies

Our corporate websites and online services use cookies. Cookies are small text files that are stored on your device (e.g. computer, smartphone or other electronic device) to allow websites to store information about you in relation to the site. We collect statistics from our online services using Google Analytics, allowing us to record visitor numbers, number of pages viewed and referral source. This data simply helps us to administer and enhance the sites and services provided.

For full information on the cookies we use, please see our cookie policy.

You can manage your cookie preferences in your browser settings. 

Third party links in online services

If you are using an online service provided by us, you may have access to links to other web sites. If you follow links to other sites from our hosted services, your data will be subject to the privacy policies of those sites. You should refer to these policies before providing any personal data to them. These other third-party websites may also use cookies or similar technologies in accordance with their own separate cookie policies.

The owners of these sites may be independent from us and we do not endorse or accept any responsibility for their content or services they may offer.

Your rights

Under the Data Protection Act 2018 and the GDPR, you have several rights which may apply to the services we provide including the right:

  • to ask us for copies of your personal information (the right of access).
  • to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete (the right to rectification).
  • under certain circumstances, to require us to delete your personal information (the right to be forgotten). Please note that the right to erasure does not extend to EHRs.
  • under certain circumstances, to require us to restrict processing of your personal information e.g. if you contest the accuracy of the data (the right to restrict processing).
  • under certain circumstances, to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party (the right to data portability).
  • under certain circumstances, to object to our continued processing of your personal information e.g. processing carried out for the purpose of our legitimate interests (the right to object).

You can withdraw your consent to future processing at any time, but this right cannot be applied to data already processed.

For further information on each of those rights, including the circumstances in which they apply, please contact us.

Contacting us

Should you wish to exercise any of your rights, if you have had a recent consultation, you can make a Subject Access Request by calling the telephone number you have been given to access the service for support.

Alternatively, you may request access to information held about you by emailing dpo.epc@healthhero.com or writing to:

The Data Protection Officer

HealthHero Healthcare Ireland

2 Dublin Landings

North Wall Quay

Dublin 1

D01 V4A3

 

If we are unable to confirm or have reasonable doubts concerning the identity of the person making a request to exercise the rights above, we will require additional proof of identity (e.g. a copy of your driving licence or passport and a recent utility or credit card bill) and/or evidence of the requester’s authority to exercise these rights.

We will ask for information on the right you wish to exercise and the information to which your request relates.

If you make a request, we will respond to you without undue delay and in any event within one month of receiving your request. 

Complaints

We hope that we can resolve any query or concern you may raise about our use of your information. However, if you are not happy with how we have processed your personal information, handled your privacy rights or responded to a privacy related complaint, you can raise your concern with The Data Protection Commission at https://forms.dataprotection.ie/contact

Policy Changes

Changes may be necessary to this privacy policy from time to time to reflect contractual, legal or data processing developments. If we change the policy, we will update them on our website so that you can review the changes. If we are involved in a merger, acquisition, or asset sale, we will continue to ensure the confidentiality of any personal information and give notice to you if affected before personal information is transferred or becomes subject to a different privacy policy.

Links checked and policy last updated on 20th June 2024.