PRIVACY NOTICE:
Introduction
Welcome to ENTRYBEE. We are a product & service of and trading as ‘2SN Healthcare Ltd’. We are called “we”, “us”, “our”, or “ENTRYBEE” in this Privacy Notice.
We talk about our website (https://entrybee.com) (the “Site”) and our service (the “Service”) (and anything we might provide in the future) together as ENTRYBEE.
ENTRYBEE provides a document management service to primary care providers and NHS GP surgeries across the UK to help manage their document admin workflow. Our services are as described as (our “Service”).
Our trading company details and our registration with the UK’s Data Protection Regulator (the ICO) can be found here. ENTRYBEE is a service of 2SN Healthcare Ltd, a company registered in the UK and incorporated in England and Wales with registered number 10296437. For more information available on Companies House, click here.
Your trust in our data security and privacy is at the heart of what we do. Being transparent about what we do with any personal data needed to provide our service is key to that.
The type of personal information we collect.
This document tells you what we do. Please see the following groups below to see how we use data about you:
- Health and Care Professionals
- Patients
- Prospective buyers from healthcare organisations
- User/ Market Research Participants
- Job Applicants and Prospects
This notice may change periodically and will be published on the ENTRYBEE website.
Health and Care Professionals
ENTRYBEE is a service provider for healthcare organisations like your employer – perhaps a GP practice or similar, offering remote, virtually insourced staff to undertake document management, including reading, filing, coding and actioning any necessary tasks arising from this process. If you’re a member of staff here who uses ENTRYBEE, we receive information about you in three ways:
- ENTRYBEE customer registration – when you/ your GP surgery sign on for an ENTRYBEE account to use our services.
- Ongoing use of the ENTRYBEE website or service.
- If you contact us directly, for example, through our email or website platform, Contact Us page or over social media channels.
ENTRYBEE customer registration
We create an ENTRYBEE account for a client (i.e. GP surgery) on sign up, we collect the following information about a GP surgery and link this to a unique identifier in our system:
- Name (Lead Contact)
- Telephone number
- Address of business
- Business operating standards – An agreed set of standards that a GP surgery operates under, usually including protocols and SOPs (Standard Operating Protocols) of that surgery. For example. All DNAs
- Staff names & roles for team tasks
Why:
We collect this information on the basis of legitimate interest and process a ‘contract’ as a legal basis to be ready to undertake work for the client organisation (after which we process your data as a data ‘processor’).
Ongoing use for your work in a healthcare organisation:
We provide our services to healthcare organisations, mainly GP surgeries in the NHS. These healthcare organisations are responsible for how your information is used with our service – in legal language, they are the “Data Controller”. They provide us with information and instruct us how to use it. This means we’re acting as a “Data Processor”. When client registration is linked to an organisation, we link the data to other information about you provided by yourself or your organisation, including your job role and actions you’ve taken in the ENTRYBEE service. We have a very clear agreement with your healthcare provider that sets out what we do with the data and how we keep it safe.
We do not engage with third-party marketing agencies or, social media platforms or telephone engagement unless instructed to by your GP Surgery.
If you contact us over social media, email, or via our website, we may collect the following information about you:
- Name
- Telephone number
- Social media handles
- Anything else you share with us in our engagement
We collect this information on the basis of our legitimate interest to respond to you.
Patients
ENTRYBEE is a document management service provider for healthcare organisations like your GP practice or primary care organisation. After a legal contract with the GP surgery, we will only process your information, where we will act as a Data Processor. If you’re a patient, we receive information about you in two ways:
- Via healthcare organisations that use ENTRYBEE services.
- If you contact us directly, for example, through our email or website platform
We provide a document management service to healthcare organisations involved in your care. These healthcare organisations are responsible for how your information is used – in legal language, they are the “Data Controller”. When they want to use our service to complete tasks with or about you, they provide us with information and instruct us how to use it. For example, we read a document pertaining to your care and code the information into your electronic medical records so that your care is up to date in that record.
Details and the description of this data will be in the form of letters and documents available on the electronic medical record (EMR), which include practice systems such as EMIS, SystmOne, or other similar platforms. Data may be identifiable to match that document to the correct patient and may include the following.
- Patient Identifiers including:
- Name,
- Age,
- Date of Birth,
- NHS Number,
- Gender
- Consultation information
- Diagnoses
- Medications
- Results and observations, for example: BMI, HBA1C,
- Blood Results,
- Blood Pressure.
- Review dates
- Safeguarding relevant letters/documents
This means we’re acting as a “Data Processor”. We have a very clear agreement with your healthcare provider that sets out what we do with the data and how we keep it safe. You can request the full agreement and more information about our role and how we protect data. We will never store, copy or share any form of patient-identifiable data. All data will remain within the safeguards and systems of your GP surgery and their computer systems.
Please note that many GP surgeries and primary care providers are managed by NHS England. NHS England is the controller for any personal information you provide to them. To see NHS England’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
If we correspond with you directly or if you have contacted us, we’ll collect information about you. The exact information we collect about you will depend on the way you contact us.
By email (where applicable)
- Name
- Telephone number
- Social media handles
- Anything else you share with us over the correspondence
We collect this information on the basis of our legitimate interest to ensure we deal with your queries quickly and efficiently and understand how you interact with us.
Prospective buyers from healthcare organisations
If you work for a commissioner in the NHS or someone who buys software or services for healthcare providers.
When we speak to you about prospective deals for our services, we will collect the following information about you:
- Name
- Content of email communications with you and metadata (including delivery status)
- Any additional information you provide to us through our communications with you
Why:
We collect this information on the basis of our legitimate interests to discuss procurement and purchasing decisions of our products by your organisation. We will not be able to provide any patient-identifiable data but may be able to provide statistical data of our services i.e. number of patients processed, etc.
User/Market Research Participants
We try to build services that our clients use and are pleased with. To achieve this, we spend a lot of time speaking to healthcare professionals and organisations to understand their needs and what they’re looking for. We may conduct this research to improve existing services or inform the development of new products.
When you participate in our research, we will collect the following information about you:
- Name
- Any additional information you provide to us through surveys, interviews or other communications with us
Why:
We collect this information on the basis of our legitimate interest to ensure our services are fit for purpose and match your expectations as a healthcare professional or provider. Explicit consent will be obtained from you at the beginning of the research project. In most circumstances, we aim to anonymise collected data so that it can no longer be associated with an individual, and we may use this anonymised information indefinitely without notifying you. We use this anonymised information to analyse our services and support other improvements.
Job Applicants and Prospects
When you’ve signed up for information about events and job opportunities:
If you sign up for hiring events or opportunities updates, we gather information:
- Name
- Email address
- Any other information, for example, about roles that you are interested in, that you may provide when you sign up
Why:
To send you the event or hiring information or to process your booking in relation to an event we are organising.
When you apply for a role with us:
If you apply for a role at ENTRYBEE, we will collect the following information about you:
- Name
- Telephone number
- Email address
- Employment history and other data in your CV or otherwise submitted to us
- Assessments completed by you as part of the application process
- Feedback about you from our staff and your referees
Why:
We collect this information on the basis of our legitimate interest to assess job applications and to take steps necessary to enter into an employment contract with you. We also collect it because we have a legal obligation to ensure applicants have the right to work.
If you contact us over email or social media about a job application, we may also collect the following information about you:
- Name
- Telephone number
- Login information
- Time-zone setting
- Browser plug-in types and versions
- Operating system
- Platform
- IP addresses
- MAC addresses and social media handles
We retain information about you as a prospective employee for a maximum of 12 months, so we can use it to improve our hiring process or to inform you of other opportunities.
If we reach out to you via social media about a job opportunity we think you are a good match for, we will collect your name and social media URL and will retain this information for up to 12 months. This is to help us build a prospective candidate list that we can contact for any new opportunities and track how well our recruitment processes are working. We use your data in this way as it’s in our legitimate interest to find great people to work for us and improve our hiring practices.
You have the right to opt-op of your information being kept on file. If you wish to have this information deleted, please email info@entrybee.com and specify which information you would like to have removed.
Other websites:
We may sometimes provide links to other websites (including other apps) during any communication or on our website and social media channels. The websites will have their own privacy information, which you should read before using or sharing personal information with the site.
We are not responsible or liable for these websites, any content on them, or their policies and notices. A link does not mean we endorse the views of the linked website. We have no control over the availability of any of these websites.
How do we collect information?
We may collect information about you from a variety of sources:
- Email, telephone, social media and in-person interactions we have with you
- From other organisations within the health system
- Via the Contact Us function on our website
- Cookies on our website and pixels in our emails
- Publicly accessible sources including your employer’s website or your social media profile
How long do we retain your personal data?
Unless a longer retention period is required or permitted by law, we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy or until you request that the Data be deleted.
- Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes. However, we will never store patient-identifiable data unless the patient has made direct contact with us.
Our data retention periods for different groups are set out below. If you have questions about any categories of data not provided below, please contact info@entrybee.com
Type of Data | Retention Period |
Health Care and Professional | As long as necessary for the purpose of selling or providing our service, subject to your rights. |
Communications from patients who contact us directly | For up to 12 months after any direct contact with us. |
Prospective buyers | Up to 12 months after last contact with your organisation. |
User/Market Research Participants | For up to 12 months after research has been concluded unless otherwise stated in the project’s information and consent material. |
Job Applicants and prospects | For prospects, we will retain your information for up to 12 months. For job applicants, we retain your application information for up to 12 months after any hiring process you are directly involved in has been completed. |
Which third parties are involved in processing your data?
The parties we may share different groups’ data with are set out below. If you have questions beyond this, please contact info@entrybee.com.
Group | Parties your information may be shared with |
Health Care Providers & Professionals | We have contractual agreements in place with Integrate Care Boards and GP practices, which govern and protect the data about you when you use our software. If you contact us directly, your data may be securely stored in the software service providers of our email, office, live chat support, and social media systems. We may share your data with regulators, authorities and enforcement agencies if we’re under a duty to comply with any legal obligation or enforce our terms and conditions. |
Patients, | We have contractual agreements in place with Integrate Care Boards and GP practices, which protect your data when they work with you. If you contact us directly, your data may be securely stored in the software service providers of our email, office, and live chat support systems. We may also share your data with regulators, authorities and enforcement agencies if we’re under a duty to comply with any legal obligation or enforce our terms and conditions. |
Prospective buyers from healthcare organisations | Your data may be stored by our email, CRM software, and storage providers. This may include Google Drive and Microsoft One-Drive. |
User/Market Research Participants | Your data may be stored by our email, productivity, design, communication and storage providers. This may include Google Drive and Microsoft One-Drive. |
Job Applicants and Prospects | Your data may be stored in our recruitment platform provider well as in our email, productivity, design, communication and storage providers. This may include Google Drive and Microsoft One-Drive. |
International Processing of Data
ENTRYBEE works with GP surgeries and primary care providers, who are your data ‘controllers’. We act as the data ‘processor’ to undertake our service. Your data is held (stored) on servers and is based in the United Kingdom under the control of the data controller, usually a GP surgery.
ENTRYBEE may work with preferred partners, who are legally termed ‘Sub-processors’, to process your data. To make sure your personal information is protected no matter which company ENTRYBEE works with to process personal information, we have a group-wide arrangement known as Binding Corporate Rules (BCRs)
For the purpose of performing our service, we may have sub-processors that are based out of the economic EU region. This is done in order to allow operational efficiency and where a local service may be struggling to meet demand. This activity is done to support the operation of our business, where this is in our legitimate interests. The staff subcontracted are highly trained to work under strict conditions and under designated standard operating protocols that meet the UK standards of data privacy and confidentiality.
In order to perform this activity, ENTRYBEE, with permission of the data controller, allows the virtual insource of these staff into the electronic medical record based in the UK. Dedicated purpose-built hardware and the software used in remote desktop access prevent any capability to record, store, or physically and digitally transfer data from that computer to another location. ENTRYBEE policy stands to NEVER allow storage of any data or direct transfer of any data, including storage into third-party cloud drives or secure email in any case.
We have put legal protections in place to safeguard personal data processing in compliance with data protection laws. We have conducted a suitable transfer risk assessment of this process in keeping with the ICO standards and undertaken governance assurance processes from suitable supervising national bodies based in the UK.
We may process your personal information outside the UK / EEA. The service will include a remote virtual desktop connection to UK-based computers, and the connection is secure, encrypted and fully transparent to the data controller in real-time. The location where the processing takes place depends on a variety of factors and may include locations outside the United Kingdom and the European Economic Area. We may use Sub-processors from India, through a legitimate vetting process and strict data processing agreement, which is legally binding.
No matter where your data is processed, the same levels of security and data protection are maintained at all times. We select partners which are certified to the national standards, have satisfied a variety of due diligence checks and are certified to international data security and business standards.
What rights do you have under data protection laws?
You have various rights under data protection law in relation to the data that we process about you. Please note that if you are a patient or a member of staff in an organisation that uses ENTRYBEE, you should contact the organisation concerned (the data controller) to understand your rights and exercise any that you have. If you wish to exercise any of these rights or have any questions, please contact your data controller, usually your GP surgery.
Access: You can request access to and obtain a copy of your personal data.
Rectification: You can correct incomplete or inaccurate data we hold about you
Erasure: You can ask to erase personal data we hold about you
Restrict: You can ask us to restrict how we handle your personal data.
Portability: You can ask us to transfer your personal data to a third party.
Object: you can object to how we’re using your personal data
You also have the right to lodge a complaint with us or the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office,
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Changes to this Privacy Notice
ENTRYBEE, reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website, and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations. You may contact ENTRYBEE by email at info@entrybee.com.
Change of Business Ownership or Control
ENTRYBEE may, from time to time, expand or reduce our business, and this may involve the sale and/or the transfer of control of all or part of ENTRYBEE. Data provided by clients will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
We may also disclose Data to a prospective purchaser of our business or any part of it. This will never include patient-identifiable data.
In the above instances, we will take steps with the aim of ensuring privacy is protected in all cases.