Privacy Notice: Project ECHO

Project ECHO is a virtual community of practice using telementoring through a hub-and-spoke model. This means that expert teams deliver clinical sessions in a central ‘hub’ and YAS clinicians remotely join as a ‘spoke’ in order to network, learn, and share practice. Participants only need to register once in order to access any future sessions.

We collect:

  • Identity data - first name, last name
  • Employment data - place of work, job title
  • Location data - First part of the postcode where you will be joining the ECHO sessions
  • Contact data - Email address, Mobile phone number
  • Usage data - Participation and attendance in ECHO sessions
  • Visual and audio data - Video and audio of participants in attendance in ECHO sessions

We process your data in the following ways:

  • To fulfil the services we have been engaged to perform (Performance of a Contract).
  • To give you certificates of attendance (Performance of a Contract).
  • To understand the growth and impact of Project ECHO (Legitimate Interest).
  • To contact you with regards to important information about Project ECHO (Performance of a Contract).
  • To contact you to inform you of upcoming ECHO sessions (Performance of a Contract).
  • To continue to meet our legal obligations (Legal Obligation).
  • Performing anonymisation or pseudonymisation on personal data sets prior to analysis.
  • Using analysed and aggregated data for reporting to funding and governmental entities (Legal Obligation).
  • Using analysed and aggregated data for research related to the ECHO movement (Legitimate Interest).
  • Using data quality assurance and in decision making related to new initiatives (Legitimate Interest).
  • For Project ECHO promotional materials (Legitimate Interest).

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the ICO: Information Commissioner's Office) of a breach where we are legally required to do so.

In order to provide the service, we only share your data with third parties and other organisations in the following circumstances:

  • To fulfil the services, we have been engaged to perform;
  • To publicise Project ECHO in the public domain;
  • To manage and maintain the accuracy of records;
  • To handle any complaints and improve the service;
  • To meet legal obligations, for example, for the purposes of national security and criminal investigations.

Limited personal data is entered onto the ECHO Institute database, which requires us to record the number of ECHO sessions we deliver and the numbers of attendances of each session. Your personal identifiable data is not entered onto any system, only your anonymised attendance along with your employment location (city).

Your use of Zoom to participate in Project ECHO is subject to your privacy agreement with Zoom Video Communications Inc., found at https://zoom.us/privacy

Records are maintained in line with the Trust’s Records Management Policy and retention periods are based on guidance provided in the Records Management Code of Practice for Health and Social Care (NHS Digital, 2016).

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:

  • The requirements of our business and the services provided;
  • Any statutory or legal obligations;
  • The purposes for which we originally collected the personal data;
  • The lawful grounds on which we based our processing;
  • The types of personal data we have collected;
  • The amount and categories of your personal data;
  • Whether the purpose of the processing could reasonably be fulfilled by other means.

After such time, we will securely delete, destroy or anonymise your personal data.