PRIVACY POLICY

Welcome to the SFR Medical Portal


This page outlines the Privacy Policy which you agree to when you visit and use the SFR Medical Portal (Portal). The below also provides information regarding the nature, purpose, use, and sharing of Personally Identifiable Information (PII) data collected via the Portal.

The Portal is updated and maintained by Streamlined Forensic Reporting Limited (also referred to as SFR Medical). SFR Medical provides this site to you subject to the following conditions. Please read them carefully. 

On this website the terms ‘we’, ‘us’ and ‘our’ refer to the SFR Medical Team and the terms ‘you’ and ‘your’ refer to you, the user.
You can print the Privacy Policy by clicking the print button. Please also use the glossary to understand the meaning of some of the terms used.

Policy index 

•    Privacy Policy
•    Purpose
•    Data collection and protection
•    International transfers
•    Data security
•    Data retention
•    Your legal rights
•    Glossary
•    Contact us

Privacy Policy

Purpose
SFR Medical respects your privacy and is committed to protecting your personal data. The Privacy Policy informs you how we collect, process, and/or store your personal data when you engage with us both on- and off-line, and tells you about your rights and how the law protects you. 

We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
This Portal is not intended for children. When appropriate and when consent has been given, we do collect data about children who are subjects of an SFR medical report.
It is important that you read this Privacy Policy with any other policies we may provide on specific occasions so that you are fully aware of how and why we are using data.  Any time there are updates, the user will be asked to read and agree to updated terms. This Privacy Policy supplements other notices and policies and is not intended to override them.

By accessing and using this Portal, you acknowledge that we will collect your personal data in accordance with this policy.

Changes to the Privacy Policy 
We regularly review our Privacy Policy. This version was last updated on 27 October 2020.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Data Collection

Data controller
SFR Medical is a Data Controller and responsible for personal data (collectively referred to as Streamlined Forensic Reporting Limited, "we", "us" or "our" in this Privacy Policy).

If you have any questions about this Privacy Policy, including requests to exercise your legal rights, please contacts us:
•    Full name of legal entity: Streamlined Forensic Reporting Limited
•    Email address: contact@sfrmedical.com
•    Telephone number: 01234943111, Option 3
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
The data we collect 
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you, as well as victims and/or their family members. We have grouped this data together as follows:
•    Identity data may include a first and last name, job title, biography, and business association
•    Incidence data may include the date and location of an incidence, date of hospital or GP visit, the time a victim was examined, DOB, gender, date of discharge, and a summary of the medical examination (may include additional details around the incident itself)
•    Contact data may include a billing address, delivery address, email address and telephone number
•    Profile data may include requests made by you, as well as victims and/or their family members, and feedback from us
•    Usage data may include information about how you use our website, products and services
We do not collect any special categories of personal data about you, as well as victims and/or their family members. This includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data.
Information you provide whilst using the services provided by the SFR Medical Portal, including your personal information, may be disclosed to those in the Criminal Justice System, including but not limited Police Departments, the courts, Department of Health and Social care, the CPS, and the NHS, for criminal proceedings and further investigations.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your, as well as victim’s and/or their family members, personal data but is not considered personal data in law as this data will not directly or indirectly reveal someone’s identity. For example, we may aggregate usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with personal data so that it can directly or indirectly identify someone, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you or under the consent provided by the victim, and you fail to provide that data when requested, we may not be able to perform the service(s) we have or are trying to enter into with you. In this case, we may have to cancel a contract you have with us but will notify you if this happens.

How is personal data collected?
We use different methods to collect data from and about you through:
•    Direct interactions. You may give us the data referenced above by filling in forms or corresponding with us by post, phone, email, the Portal, or in other ways. This includes data you provide when you:
o    contract with us for our products or services
o    utilise our service
o    are the victim of a crime and have signed a consent form
o    are the authorised Officer and have signed a consent form
o    submitted an online request through the Portal
o    request marketing materials
o    give us feedback or contact us
•    Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, including but not limited to:
o    police forces
o    a signed consent form(s), shared by a police force
o    hospitals and/or doctors
o    hospital and/or police websites and/or FOIA requests
o    analytics providers
o    search information providers
How we use personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
•    where we need to execute against the engagement we are about to enter or have entered into with you
•    where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
•    where we need to comply with a legal obligation
You have the right to withdraw consent at any time by contacting us.
Purposes for which we will use personal data
Below is a description of the ways in which we may use your, as well as victim’s and/or their family members, personal data, and of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal grounds we are relying on to process your personal data.
Disclosures of personal data
We may share your personal data with the parties below for the purposes set out above:
•    internal and/or external third parties listed in the glossary
•    specific third parties with whom we may choose to merge parts of our business or our assets with or business we may seek to acquire 
If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

International transfers

We may share your, as well as a victim’s and/or their family members, data with authorised SFR Medical staff and other service providers on a need to know basis. This may involve transferring your, as well as a victim’s and/or their family members, data outside the European Economic Area (EEA).

We ensure your, as well as a victim’s and/or their family members, personal data is protected by requiring everyone to follow the same rules when processing this personal data. These rules are called "binding corporate rules". For further details, see European Commission: Binding corporate rules.
Whenever we transfer you, as well as a victim’s and/or their family members, personal data outside of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
•    Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries
•    Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield
Please contact us if you want further information on the specific mechanism used by us when transferring your, as well as a victim’s and/or their family members, data personal data out of the EEA.

Data security

We have put in place appropriate security measures to prevent your, as well as a victim’s and/or their family members, personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to personal data to employees, agents, contractors and other third parties who have a business need to know. They will only process your, as well as a victim’s and/or their family members, personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

We will only retain your personal data for as long as is reasonably necessary and lawfully acceptable to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your, as well as a victim’s and/or their family members, personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your, as well as a victim’s and/or their family members, personal data, the purposes for which we process personal data (and whether we can achieve those purposes through other means), and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your, as well as a victim’s and/or their family members, personal data are available in our Retention Policy which you can request by contacting us.
In some circumstances you can ask us to delete your data: see your legal rights below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

Under certain circumstances, you, as well as a victim and/or their family members, have rights under data protection laws in relation to personal data:
•    Access to personal data: this is commonly known as a "data subject access request" and enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it
•    Correction of personal data that we hold about you: this enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
•    Erasure of personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
•    Object to processing of personal data: if we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground or if you feel it impacts your fundamental rights and freedoms, you can object to processing. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
•    Restrict processing of personal data: this enables you to ask us to suspend the processing of your personal data in the following scenarios:
o    if you want us to establish the data's accuracy;
o    where our use of the data is unlawful, but you do not want us to erase it;
o    where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
o    you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it
•   Transfer of personal data to you or to a third party: we will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
•   Withdraw consent at any time: consent can be revoked at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us.
No fee usually required
You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. 

What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response time to respond.

Time limit to respond
We try to respond to all legitimate requests within 30 business days. Occasionally it could take us longer if the request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

Glossary

•    SFR medical report: a Streamlined Forensic Report, the medical evidence which SFR Medical (the company) provides to the police after a crime has taken place, at the request of a police officer
•    Consent form: the form victim(s) sign giving SFR Medical access to their personal, medical, and other data for the purpose of writing an SFR medical report
•    Legitimate interest: the interest of our business in conducting and managing our business to enable us to provide the best service/product via the most secure experience
•    Comply with a legal obligation: if required, we will process your personal data in a way that is compliant with and adheres to the relevant law(s)
•    Victims: those who are subjects of SFR medical reports as they have been injured as a result of a crime
•    Internal third parties: other entities in SFR Medical (acting as joint controllers or processors), who are based outside the EEA (in but not limited to India, South Africa, and the US) provide IT and system administration, SFR processing and report writing, operational, marketing, and leadership services.
•    External third parties: includes the following:
o    service providers acting as processors, based India, Canada, and the US who provide IT and system administration services
o    professional advisers, acting as processors or joint controllers including lawyers, bankers, auditors, funding sources, and insurers based in the UK and India who provide consultancy, banking, legal, insurance and accounting services
o    HM Revenue & Customs, regulators, and other authorities, acting as processors or joint controllers, based in the UK who require reporting of processing activities in certain circumstances
o    police forces and other criminal justice partners (including CPS and hospitals), acting as processors or joint controllers, based in the UK

Contact us

In case of any ambiguity or doubts, users are advised to check with the SFR Medical Team by contacting via us email or phone, using the details provided on the Website and below:  
•    Full name of legal entity: Streamlined Forensic Reporting Limited
•    Email address: contact@sfrmedical.com
•    Telephone number: 01234943111