Privacy and Personal Data Protection Policy
We, Neuro Event Labs Oy (NEL), believe that your privacy is critically important. That is why we handle your personal data with great care.
This document describes what personal data we gather, why we gather it, and how we manage and store the data.
Nelli® as a term used in this document refers to the epilepsy examination service provided by NEL. Nelli® system refers to the information system that is used in the Nelli® service.
Last updated on 3 November 2019.
Our principles for privacy and personal data
We apply these basic principles to all personal data that NEL stores and processes. The data can broadly be categorized as follows:
- raw media of patients captured by the Nelli® system
- summary biomarker data derived from the raw media in the Nelli® system
- data about users and patients (e.g. contact information) within the Nelli® system
- data used in NEL’s business processes about NEL employees, applicants, business associates, and prospective customers
In each of these categories, we gather and store only the personal data that is required to provide the Nelli® service and conduct NEL’s business operations. Personal data is disclosed only to parties and persons on a need-only basis and only for the purpose it was collected. Each NEL or contractor employee who has access to the personal data is contractually obligated to safeguard and maintain confidentially of such data.
No personally-identifiable information is retained or transferred to a third party beyond the data processors mentioned in this document. Where possible, data is stored in such a manner (e.g. encrypted) that the third-party service provider cannot derive any meaningful information from data which is stored or processed by that provider.
We follow all applicable local and regional laws for data protection, including the European General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA) Security, and Privacy Rules.
Data we collect in Nelli®, why, and what
Patient data, also known as Protected Health Information (PHI), is collected by NEL in order to provide source material for the Nelli® examination service. This service provides an analysis of epilepsy patient recordings which occur in an inpatient (e.g. hospital) or an outpatient (e.g. home) setting. The analysis results in a report that aims to track and quantify seizure activity. This report serves as a medical record and presents the results of the analyses requested by the clinician.
Patient data includes:
- Patient identification: name and birthdate: needed to identify the patient uniquely in the system
- Optionally, patient contact information, including residence address: needed in the case of outpatient home examination
- Optionally, caregiver contact information: needed in the case of outpatient home examination
- Requested examination periods: needed as input for examination planning and execution
- Raw video, audio, and other sensory data from examination periods: needed as input data for analysis
- Analysis data: the results of automatic and manual analysis. Analysis data may contain automatically-detected neurological events (like seizures) and vital measures (e.g. breathing rhythm and pulse) as well as manually-added annotations
- Analysis reports: processed summaries of analysis data. Reports are available for online viewing and as PDF documents for the Nelli® system users
All data collection by the Nelli® service is volunteered by the NEL customer (hospital/clinic) and the patient as a part of the healthcare plan of the patient. For the purposes of the service, NEL serves as a data processor and assumes no legal ownership of the raw data. Depending on the jurisdiction, the data may be considered controlled by the customer organization (e.g. in a form of public health records) or the patient.
Derived summary biomarker data is considered to be an artifact of the Nelli® system, which, when detached from its patient profile, is considered to be non-sensitive and non-personally-identifiable. This data can be detached from all identifying characteristics and retained for the continuous improvement and quality assurance of the Nelli® system. Such terms are made in agreement with every NEL customer.
Users of the Nelli® system are doctors and clinicians from the customer organization, as well as NEL personnel providing the Nelli® service for the customer. User data is collected by NEL in order to give controlled and audited access to the Nelli® system.
Data collected about Nelli® users includes:
- Nelli® user identification: name and email address. Needed to identify the user in the system
- User access rights: patient registers and privileges within registers
- User activity logs: all user access to the system and read or write of patient data is logged for auditing purposes
Nelli® data storage and processing
The Nelli® system consists of a dedicated data collection unit (Personal Recording Unit – PRU), a cloud-based server infrastructure for data analysis, and a web-based dashboard for viewing the results of analysis.
The PRU is designed by NEL using industry-standard components and security measures to protect collected patient data before sending it encrypted to the cloud for processing. Data is stored in the PRU only temporarily. All data is stored encrypted at rest.
The Nelli® system is implemented using Amazon Web Services (AWS). AWS as a data processor uses the shared security responsibility model and is compliant with HIPAA requirements for Protected Health Information (PHI).
Personal data is stored, encrypted while at rest, in AWS cloud services and the data travels over a secure channel (TLS 1.2) when being transferred between data processing steps.
Data storage and processing are done in a private network with no public internet access.
Personal data is stored and processed in the geographically optimal AWS data center in relation to customer operations.
Personal data we collect in NEL business processes system, why and what
NEL business associates and prospective customers
NEL business associates and prospective customers may contact NEL via the NEL website (or email) to ask questions and request more information about NEL and Nelli®. NEL stores the email address of the contacting person and any other contact information that has been disclosed as part of the request. This contact information enables NEL to respond to the request.
This information is kept on file at least one year or as long as there is an active dialog ongoing with the person.
Employees' personal data is used to manage the employee-employer relationship. NEL collects and stores personal data that is needed to manage this relationship and is partially based on legal obligations, in addition to the information that is required in the company processes (payroll, occupational healthcare, insurance, performance management, etc.).
Employee data is stored during the employment period. Local legislation requires archival of employee data after employment has ended.
Applicant personal data is used solely for the purposes of the recruitment and employee selection process of Neuro Event Labs. By applying, the applicant consents to the processing and storing of their data in the applicant CV database.
The collected data includes some or all of the following:
- applicant’s name, birthdate, and contact information
- education, work history, and information related to professional skills
- applicant’s expectations of the applied position
- job application with the attachments (e.g. cv, photo, certificates) and any other information provided by the applicant
Additionally, the evaluations of the applicant’s suitability for the position and the possible recruitment assignment are stored in the register.
An application will be kept on file for a maximum of six (6) months from the application date. During this period, the application can be reviewed and used to fill open positions. After 6 months, the data will be deleted permanently. Upon the applicant’s request, the data will be removed from the file prior to that date.
NEL business data storage and processing
Right to verify, correct, stop data processing, and/or remove personal data
In compliance with the European Personal Data Act, everyone is entitled to verify the data regarding him/her that is contained in the personal data file.
Furthermore, the data subject is entitled to request rectification of erroneous or incomplete data contained in the personal data file. The request for rectification shall identify the error to be rectified, and provide the correct information.
Also, the data subject has the right to withdraw his/her consent about the use and processing of his/her personal data and ask for removal of the data. Removal of the data may have limitations from other legislation that requires retention of the data even after processing has been stopped for the purpose it has been gathered.
The request of verification, rectification, or removal of personal data shall be made in writing or in email, signed and delivered to the NEL Data Protection Officer (DPO). See contact details.
Changes to this Privacy and Personal Data Protection Policy
We will continue to evaluate these policies as we update our services, and we may make changes to these policies accordingly. We will post any changes here and revise the last updated date above. If we make significant changes to policies concerning patient and uses of personal data in the Nelli® system, we will notify affected parties as required by the law.
Questions About this Privacy and Security Policy
If you have any questions about this Privacy and Security Policy, you can contact us at: email@example.com.
For more specific matters, you can use contacts listed in Contact Information.
Security Officer: Andrew Knight, firstname.lastname@example.org
Data Privacy Officer: Jyrki Kaski, email@example.com