
Clinics Overseas processing of patient requests/data by clinics.

GrownHealth

We're holding back temporarily while we validate the information, and look at the sign-up/consent process at each clinic specifically.

As above, we're considering trying to document this for every clinic right on listings (y)
 
It is alleged @TreatIt_Clinic are using remote staff in Sri Lanka, below is all that's stated in their privacy policy.

We are unaware of any explicit consent sought to store/process data in the country whatsoever.

Any 'encrypted' data below is still stored while accessed.


___________________________________________________________________________________________

The clinic that's allegedly using the Philippines for remote staff, doesn't currently note it in their privacy policy whatsoever.

As this clinic has previously sent legal threats to us, we'll be doing some further checks to ensure the claim is provable before saying more (y)

____________________________________________________________________________________________


Another quote from the same X thread

I have just checked the privacy policy on my CB1 Medical app and it appears that they are using a 3rd party company in India named IDEOSHIFT
 
This is probably way more common than we likely realise across a host of industries.

I've checked Alternaleaf and they appear okay. I wonder how long this has been a part of the policy.
 
What will it take for @CB1Medical to move these jobs back to the UK? Data transfer to countries without suitable data protection themselves cannot legally be done by just burying something in terms and conditions.

You must seek explicit consent to transfer 'special category' personal data to a country legally considered not to have adequate data protection laws (as defined by the UK secretary of state.)

Every single CB1 Medical patient should have been explicitly asked, with a dedicated check at sign-up for consent, to having their data transferred or processed in India.

As we said before, if your patients are currently unaware – explicit consent to transfer/process the data in India cannot have been sought.

If CB1 wants to continue employing in India instead of the UK, it at least needs to seek explicit consent to send 'special category' data there for processing.

From our perspective this is a serious data protection breach, which would be heavily penalised by the ICO, the "Information Commissioner's Office".

We strongly recommend you self-report the breach, there's a self-assessment tool on the following link: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/

 
Something I did find shady about this is that IDEOSHIFT act like they're a British company but in their privacy policy they also mention that your data may be outsourced outside of the UK.
 
I worded this a little strongly in frustration, but truth is they need to go even further than stated - they literally need to provide patients with a disclaimer/details on the risks associated with having their data stored/handled/processed in a country the UK legally defines as not having adequate data protection themselves.

This shouldn't have ever happened without explicit consent, and CB1 are just one of three we're aware are currently/allegedly doing this - with another two who have privately/quietly confirmed to us they're following the same path.

Let's just hope enough noise has been made that every clinic starts properly asking for explicit legal consent to transfer data abroad to countries without data protection equivalency.

For example - if signing up to our main database, there's explicit consent sought to process/store data in the US if required (higher trust legally defined). This is because we use some US services, and overall the MedBud platform is owned by MedBud Inc, a US public benefit corporation. Though ironically, while we're seeking this consent for if/whenever needed, right now our platform is entirely UK run/stored.
 