Your privacy is important to us. This privacy statement explains what personal data Oxford Medical Simulation Ltd ("OMS”) collects from you, through our products and how we use that data.
OMS serves a number of group of users in different ways. References to products in this statement include OMS services, which are offered through our websites and app. Please read product-specific details in this privacy statement, which provide additional information about some OMS products.
This policy applies to any users of the services of OMS or its affiliates anywhere in the world, and to anyone else who contacts OMS or otherwise submits information to OMS, unless noted below.
1. Data Protection Principles
We are committed to complying with data protection law and principles, which means that your data will be:
- Processed lawfully, fairly and in a transparent way;
- Collected for specific, explicit and legitimate purposes stated in this policy and not used in any way that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for those purposes;
- Accurate and, where necessary, kept up to date;
- Kept for no longer than is necessary for those purposes; and
- Processed securely.
2. Collection of Personal Information
OMS acts as the data processor and/or the data controller for the information you or your institution provide or that is collected by OMS or its affiliates. OMS collects data to operate effectively as a business and to provide you, the user, with tailored services and products.
You have choices about the data we collect. When you are asked to provide personal data, you may decline. But if you choose not to provide data that is necessary in order for us to provide services to you, you may not be able to use that product.
We provide further information, below, on the types of personal data we obtain and how we use them, throughout your use of our service and products.
- Data provided during account registration
At the registration process on the OMS platform, your institution is asked to provide the following information:
- Your first and last name
- Your email address
- Your profile password
They may optionally provide additional information including:
- An user code or identification number
- Graduation year
This basic information is necessary to complete your user registration and for you to use our app and services (for more information on what we use your data for, see section 3) If you decline to provide this information during the registration process you will not be able to create an account on the app and use our services. OMS reserve the right to confirm the accuracy of registration data for medical verification purposes using external third party sources, such as publicly available sources such as open government databases or other data in the public domain.
We may not always specifically ask for location data but we can infer your location based on your IP address during registration and for opt-ins. In addition to IP address, our platform automatically collects data about your device, including the model, platform, locale code and UUID (universally unique identifier). This is in order to help direct you to the appropriate subdomain of the OMS site and to store your data on the appropriate US or EU server.
In order to optionally complete your OMS profile, we ask for you to also provide your preferred voiceover gender. This is in order to personalize the Simulation experience. You do not have to provide a preferred voiceover gender, and in this case the voiceover gender will default to male.
- App and service engagement data
When you begin to use our app or services, we monitor engagement and feature usage on our platform by recording every interaction you have with products you are registered on. This includes, but is not limited to, page visits, simulation content viewed and completed (including performance metrics associated with simulations such as score and duration).
- Cookies and other data collection technologies
In addition to cookies, we may log information about your device, including the existence of cookies, your IP address and information about your browser. The purpose of this information collection is to diagnose service issues and to administer and track your usage of our platforms.
- Third party aggregate data
Our third parties may gather non-personal digital properties to enrich aggregate analytics, including Oculus, Sendgrid, Zendesk, and Google Analytics.
3. How OMS uses Personal Information
OMS uses your personal information for the following reasons:
- To operate effectively as a business and to perform essential business operations, including developing and providing products optimised for medical professionals and trainees.
We are motivated to provide products which offer outstanding resources for medical professions, including resources tailored to a user’s specific role, stage of training, location and medical specialty. To enhance your enjoyment and productivity on our platform, we endeavour to identify and recommend the most relevant content, feedback, and analytics through personalised notifications, based on your profile and recent activities. To ensure your experience with our products is seamless, we continuously re-examine and iteratively optimise user journeys on our platform. We infer your location from your device IP address in order to geo restrict certain content on our platform.
Product issues, identified by users and communicated through customer support, are effectively diagnosed and resolved using data collected from interactions on the platform. Decisions on product development and evaluations of product performance are based on aggregate analysis and business intelligence based on non-personal data.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We only allow them to process your personal data for specified purposes and in accordance with our instructions.
In addition to the specific disclosures of personal data set out in this section, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- To deliver communications of personal interest including product and content releases, motivational training prompts and in response to product queries or support requests.
Communications sent by OMS come in the form of emails to the email address provided by you or your institution during the registration process and through notifications delivered to your device. OMS may send you communications relating to new and existing product and content releases and updates. We send such communications so that you are aware of changes we are making to the content or features of our products, or new releases, which could affect the usefulness of our core services to you.
- To inform your institution (including but not limited to curriculum/residency programme director, simulation faculty, and other faculty) of personal and aggregate engagement, interactions, and performance on our platform, with your prior knowledge and consent.
If you accept an electronic invitation to complete registration the OMS platform, you grant OMS permission to share your OMS profile and relevant activity metrics on the OMS platform, including the Site and Software, with your institution.
Access to the OMS Simulations is provided through licenses purchased by your institution. We process and share engagement and performance metrics with your institution to allow them to track the quantity of users viewing and interacting with the OMS Site and Software, including the Simulations. Metrics can be aggregated by preferred voiceover gender, graduation year, role, or groups your hospital has assigned. Institutions may use these metrics as they see fit in the delivery of training to medical professionals.
- To inform commercial partners of aggregate engagement and interactions on branded content hosted on our platform.
Some simulation content on our platform may be created in partnership with a partner, such as a hospital organisation, a medical or nursing school or a medical device or pharmaceutical organisation. We share aggregate (non-personal) engagement metrics with our partners to allow them to track the quantity of users viewing and interacting with their content. Metrics can be aggregated by profession, medical specialty, location and hospital affiliation. Additionally, we share aggregate (non-personal) performance metrics of assessments related to their content. Commercial partners use shared metrics only for the purposes of product development and improving delivery of content and training to medical professionals.
We will never share your personal information with commercial partners without your explicit consent, which we would obtain separately. You will be informed clearly and in a transparent manner, what type of personal data will be shared. Circumstances where we share your personal information include, but are not limited to, registering your interest for targeted campaigns placed in our products on behalf of our commercial partners. Examples of campaigns include registering for conferences and training events, connecting with a medical device specialist and for marketing research purposes. In order for the commercial partner to verify you as a medical professional and contact you, we will share your name and email address, but only with your explicit permission.
Please note that OMS adheres to the NAI, a set of self-regulating principles that require companies to provide notice and choice with respect to Interest-Based Advertising and Ad Delivery and Reporting activities. Moreover, we adhere to the Digital Advertising Alliance (DAA) and European Interactive Digital Advertising Alliance (EDAA) and the Digital Advertising Alliance of Canada (DAAC).
4. Choices and Transparency
In this section, we have summarized the rights that you have under data protection law. The information we provide in this section is a brief summary of your rights under data protection law and you should still read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law are:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability
- the right to object; and
- rights in relation to automated decision making and profiling.
You have the right to confirmation as to whether or not we hold or process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data, or do one of the following:
- We may ask you to verify your identity, or ask for more information about your request; or
- Where we are legally permitted to do so, we may decline your request, but we will explain why if we do so
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data being unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary, for example: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
You have the right to request that your personal data is no longer processed for example, due to the inaccuracy of the data or the reason for the data being processed.
If you have given additional consent for your data to be shared to a third party, including academic institutions, medical device companies and pharmaceutical companies, you have the right to withdraw this consent at any time. You have the right to request that your personal data be transferred to another party.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. If you opted in to third party marketing communications when you registered, you may opt-out at any time within the app, or by emailing firstname.lastname@example.org.
Lastly, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
You may exercise any of your rights in relation to your personal data by written notice to us or by any of the methods specified in section.
To contact us in relation to any of these requests, please use the email address email@example.com.
5. Duration of Data Retention
OMS retains personal data for as long as necessary to provide our products and fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly. The general rule that establishes a baseline for data retention is the length of time required to store and analyse the data for the purpose it was collected (as described in section 3). Moreover, we are required to maintain appropriate business records, and this may include records of assessments used for compliance. Where possible, data that can be anonymised may be retained for research and development purposes to continue improvement of the OMS platform.
6. Information Security and International Transfers
OMS is committed to protecting the security of your data by endeavouring to ensure appropriate technologies and processes are maintained to avoid unauthorised access or disclosure. We utilise, for all data storage and processing purposes, the Heroku platform, which is owned by Salesforce and is built on Amazon Web Services “AWS” architecture. OMS uses separate AWS storage containers and databases in the US and in Ireland (EU).
If you would like further information about privacy at OMS, you will find more information, please contact us at firstname.lastname@example.org.