Privacy Policy

1. Introduction 

1.1 About us and what we do 

Momentum Data Ltd is a pioneering healthcare data analytics and scientific research company. We provide research which helps to improve the lives and outcomes of people living with chronic conditions. 

We specialise in providing observational and minimally interventional healthcare research services primarily using large routinely collected healthcare datasets. We also work with care providers to facilitate quality improvement projects as part of routine care. We have supported and completed numerous research projects using multiple data sources and a across a wide range of chronic conditions including diabetes, rheumatoid arthritis, psoriatic arthritis, inflammatory bowel disease, thromboembolic disease, cardiovascular disease, atopic dermatitis, and others. We mandate that all our research must be conducted for the benefit of those whose condition is being studied. 

1.2 Why we have this privacy notice 

This privacy notice tells you how Momentum Data collects, processes, stores, uses or shares personal data when you contact us, use our website or use one of our services. Personal data is information that relates to an identified or identifiable individual. 

In order to provide good quality services, Momentum Data needs to collect and process personal data from service users, employees and contractors, suppliers, businesses and collaborators, and research subjects. Momentum Data takes the privacy of individuals extremely seriously. We comply with the General Data Protection Regulation 2016 (GDPR), the Data Protection Act 2018 (DPA), and any other relevant legislation when handling personal data. 

We may update this privacy notice at our discretion from to time when our data handling practices change. Any update to this notice will be applied to the handling of personal data as of that update date.

1.3 Who we collect personal data from 

We may collect personal data from individuals when they use or request a service with us, complete a survey, questionnaire or enrolment form, apply for employment with us, or communicate with us by email, telephone, in writing or in person. 

We may also collect personal data about individuals when they provide or supply a service to us. This information is necessary to manage the relationship and work wo do with the supplier or service provider, such as contact details, contracting information, invoicing or payment details. 

We may collect personal data about individuals involved in our supported research studies. This information will be limited to that necessary to conduct the research study. 

We may collect personal data from the public domain if permitted by law, for example, from registration and regulatory bodies. 

1.4 What personal data we collect and why 

The types of personal data we collect will vary depending on relationship between the Momentum Data and the individual or the organisation. These include personal data collected from phone, teleconference, email contact, via data forms, or through data transfer from another organisation. 

We collect only the information that we need for a particular function, and only hold it for as long as it remains necessary for the purposes for which it was collected. We only use or disclose personal data for the purposes for which the individual gave it to us for, or for directly related purposes the individual would expect, or other purposes if agreed with the individual. 

1.5 Personal data collected from phone, teleconference, and email contact 

We may collect personal data when individuals contact our services or interact with us by phone, teleconference or email. We use this information for administrating our services and to correspond with service users. We never disclose this information without the individual’s consent. 

1.6 Personal data collected on our website 

We collect personal data when individuals visit our website, complete forms or questionnaires on our website, apply for employment with us via our website, or provide contact details through our website. We use this information to respond to the user’s enquiry, or to provide a requested service or to make improvements to our website. 

When a user visits our website, our web server may request that the user’s browser create a cookie on the user’s computer. A cookie is a small piece of information sent by the server of a website to the user’s browser by other sites. We use cookies to measure how individuals use our website to help us make website updates and improvements. 

Our website cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by our website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website. The cookies have an expiration date set 24 months from the most recent website visit date. 

We use a third-party service, Google Analytics, to collect information regarding visitor activity to the website. This is not used to identify the user as an individual but is collated into aggregate results or classifications. We do not make attempt, to find out the identities of the visitors to our website. 

If users do not wish to receive any cookies, they may set their browser to refuse or disable them. When you visit our website, you will be notified that we use cookies and asked if you agree to this or choose to decline. Please note that some features of our website may not work if cookies are disabled. 

1.7 Personal data collected for healthcare research 

Personal data processed for this purpose is collected from multiple different sources, and is always processed in the least invasive manner possible. This personal data includes, but is not limited to, identifiable healthcare data and other related datasets. 

An example of personal data collected for healthcare research is the processing of NHS GP or Hospital records, where we would process this data with consent from the individual. An example of a related dataset could be demographic information that is used to enrich a study, which would also be processed with consent from the individual. Special class data may also be processed for this purpose. An individual will always be aware if we are using their own special class or identifiable healthcare data for this purpose if collected with explicit consent, and will have the right to object or raise other requests to this as detailed in section 1.14. Other lawful bases may be used as appropriate, such as a legitimate interest of Momentum, where explicit consent is not appropriate or possible. All healthcare research carried out in this manner is held to the strictest ethical standards, and is conducted for the benefit of patients. 

All healthcare data collected by Momentum for this purpose is stored within the EU under strict information governance and data security procedures. 

We do not use automated decision-making, such as profiling, in regards to this purpose. Only suitably qualified and trained professionals process healthcare data in regards to this purpose using acceptable software and technology. The use of an individual’s personal data for this purpose has no impact on an individual’s access to healthcare or other services. 

If you have any questions or concerns around this processing, or are unsure if we hold any personal data related to yourself, please contact us using the details in section 1.16. 

We also use anonymised healthcare records for research purposes. These are no longer considered personal data, and as such as are not covered in this privacy notice. 

1.8 Personal data from images and photos 

We will seek individual’s consent prior to taking a photo or image, or using it. In some cases that consent may be implied, such as the taking of photos at events to be used in publications. 

If the photo or image contains sensitive information about a person e.g. information relating to their health, we will obtain the individual’s consent to take the photo or image and specify what it will be used for. This consent should be informed and freely given by the individual whose photo or image is to be shared. Individuals may withdraw their consent at any time. If this occurs, we will take all reasonable steps to stop using the image or photo from the time the consent is withdrawn. 

1.9 How we use personal data 

We may use personal data to: 

  • respond to enquiries from individuals, service users and suppliers; 

  • conduct evaluations of our products, materials, programs and services; 

  • assist service users in conducting or participating in our quality improvement programmes and education workshops; 

  • assist service users in conducting or participating in Momentum Data-supported research; 

  • to conduct Momentum Data-supported research; 

  • invite individual to participate in research or quality improvement projects; 

  • contact individuals for feedback on products, materials, programs and services; and 

  • assist us to perform our corporate, regulatory and contractual obligations. 

1.10 How we disclose or share personal data 

Personal data that we hold is only shared or disclosed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). We will disclose personal data if we are required to do so by law, by court order, government department or to prevent fraud or other crime. 

We do not disclose personal data to third parties for marketing purposes. We do not sell personal data or confidential information to third parties. 

We do not disclose any personal data collected in the UK to overseas entities. Personal data we collect is only stored in the European Economic Area (EEA). 

We may disclose personal data to contractors to whom we outsource certain functions, or which provide services to us. We take all reasonable measures with contractors to ensure they comply with the law on data protection. Contractors must not to disclose any personal data or confidential information without prior approval in writing from us, unless they are required to disclose the information by law, court order, or to prevent fraud or crime. 

We may disclose personal data to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points, when individuals participate in our educational activities. 

We may disclose personal data to data linkage authorities for linking data from different healthcare data sources, where this is approved by the relevant research ethics committee. 

1.11 How we store personal data 

Momentum Data is committed to ensuring that any personal data we hold is as safe as possible, both while it is processed and when it is stored. We store the personal data we collect on secure electronic databases. Personal data is only stored in the UK and within the European Economic Area (EEA) in line with data protection laws. 

We have archiving policies and procedures for the secure, permanent destruction of personal data when it is no longer required. 

Please note that we hold de-identified patient data from multiple data providers which includes primary and secondary care patient records and other healthcare information. The de-identified data stored in these databases is not personal data. 

1.12 How long we keep personal data 

We retain the personal data we collect for as long as needed to continue to meet the purposes for which the information is collected. We will delete personal data in line with our records retention policy or as required by law, which is typically eight years after any enquiry is closed or contract terminated. 

1.13 How we protect and secure personal data 

Momentum Data takes preserving and protecting a person’s identity and personal data very seriously and it is a key responsibility of all our staff, contractors and partners. We have technical and organisational procedures in place to prevent unauthorised access or disclosure of personal data we hold. 

We also make sure that any contractors and third parties we deal with have an obligation to keep secure all personal data they process on our behalf. 

The steps we take to keep the personal data we hold secure include: 

  • Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data. 

  • Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies. 

  • Regularly ensuring that our staff and contractors only access personal data when needed. 

  • Ensuring our staff and contractors are regularly trained on data protection. 

  • Conducting regular internal audits to assess compliance with these measures and the GDPR/DPA. 

  • Undertaking and complying with the NHS Data Security and Protection Toolkit assessment annually. This assessment ensures we comply with the National Data Guardian’s Data Security Standards. 

1.14 Your data rights under the GDPR and DPA 

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) provide every individual with data rights. 

You have a right to:

  • request information about how your personal data is processed 

  • request access to your personal data 

  • request for any inaccurate information in your personal data to be corrected 

  • request that your personal data is erased, if there is no longer a justification to keep it 

  • ask for the processing of your personal data to be restricted in certain circumstances 

  • request to receive a copy of your personal data in a structured, commonly used and machine-readable format if you provided the information to us yourself 

  • raise an objection about how your personal data is processed 

  • object to your personal data being used for automated decision-making or profiling. (Please note that OPC does not use personal data for any automated decision-making or profiling). 

If you have any of the above requests, please contact our Data Protection Office using contact information provided below. Please note that we are only able to help you exercise your data rights if we hold your personal data. 

If you have questions about the use of your personal data in a research study or trial, please contact your GP practice who will hold records about your involvement. 

1.15 Your right to opt-out of data sharing 

You have the right to opt-out of the sharing of your de-identified medical data (this is data which you cannot be identified from) by your GP practice. Opting-out of sharing your de-identified medical data will not affect the direct care that you receive. 

If you do not wish for your de-identified medical data to be collected, processed or used for any purpose including research and healthcare planning, please contact and inform your GP practice. Individuals in England can also opt-out of data sharing through the National Data Opt-out policy. 

1.16 Contact us 

If you have any questions or feedback about this privacy notice or if you have any complaints about how we handle personal data, please contact our Data Protection Officer by email, post, or using the contact form on our website. 

Data Protection Office 

Email: dataprotectionoffice@momentumdata.co.uk 

Post: Pendragon House, 65 London Road, St. Albans, Hertfordshire, AL1 1LJ 

If you wish to make a complaint to the Information Commissioner’s Office (ICO) or to request independent advice, the ICO can be contacted at: 

Information Commissioner’s Office

Email: casework@ico.org.uk 

Tel: 0303 123 1113 

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 

[Notice last updated 23 Jan 2024]