When you use the My Nightingale blood test and app, you trust us with your personal data. We not only promise to maintain that trust but also believe in being transparent about it.
That’s why we’re writing a blog about some of the most-asked questions related to data and privacy, without the legal jargon. So, here’s a quick list about what information we collect from you, how we use it and protect it — in a clear language that anyone can understand.
We ask you to share a bunch of things from basic information like name, phone number and email address to details like your date of birth or unique identification number. However, be assured that none of these details is collected without a purpose. While your name, phone number and email address are needed to provide good customer service (like notifying you about your visits and results), the date of birth or identification number is a requirement needed to identify you as a person before taking your blood sample. Similarly, we need your sex and age as these biological factors might have a direct effect on your health results.
Be assured that all the personal data we collect is handled and processed according to the EU GDPR (General Data Protection Regulation) as well as in compliance with all the relevant Finnish healthcare laws and regulations.
We never sell your health data or other personal data. Also, we do not give your health data to third parties, unless you give us your written consent, or the law requires us to share that information. When using external service providers to manage our information systems (such as our appointment booking system), we have strong data processing agreements with all of them, ensuring the confidentiality of the data. Also, such service providers have the right to process your data only to the extent necessary to provide the service.
Your health data is confidential. And we apply all necessary — physical, technical and administrative — safeguards under our certified quality management system to protect data from misuse.
Among other measures, we control and filter the network traffic, make use of encryption techniques and safe data centres and have strict data accessing rights to keep your information safe.
Confidential data and records are stored in a secure patient data system, and access rights are granted based on if a person's job description requires so. People whose job require them to process such information are bound by an additional patient data confidentiality obligation.
To ensure that there are no gaps in our data policies, and they are strictly implemented everywhere, we also have data processing agreements with our subcontractors. For instance, our booking system provider is a subcontractor who processes the customer appointments data on behalf of us.
Apart from providing a good service and accurate health results, we also draw insights from the data generated in various parts of our service to further develop the product and make it better every day. These research insights work in your advantage as the findings are used to create a shared knowledge pool, where every user contributes to and improves the service. Learnings from this knowledge pool come back to you in the form of a new and deeper understanding of your health, adds more context and helps in personalising your results even further.
However, before using this data for research and development, it is completely anonymised. Meaning, the data is not only separated from the identifying information, such as name, date of birth or email address but is also scrambled in a way that no one (not even us) can link it back to you.
Your health data never gets transferred outside the EU or the European Economic Area (EEA). In case an external service provider (such as our booking system provider, mentioned above) needs to process some other non-health data outside the zone, we provide solid safeguards, as the data protection laws require us to do. For example, we always verify that there is adequate evidence, like security certifications, to make sure that the external service provider meets our security requirements.