This Privacy Notice sets out how My Diabetes My Way uses and protects any information that you provide when you use this website.

As an NHS Scotland service, My Diabetes My Way is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this Privacy Notice.

My Diabetes My Way may change this notice occasionally by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy (version 2.3) is effective from 13th December 2024.
 

Who we are

My Diabetes My Way is operated by the University of Dundee on behalf of NHS Scotland. The service is funded by the Scottish Government. We process data on behalf of the Data Controller in your region to support enhanced diabetes management.
 

What we collect

The My Diabetes My Way service focusses on diabetes and gives consenting patients secure access to their medical records, tailored education resources and the ability to upload results.

When you register to access your NHS diabetes records, we collect the following information from you:

  • name
  • contact information including postal and email addresses
  • demographic information such as postcode
  • your NHS patient identification number (CHI number), if you know it

When you have completed your registration to access your diabetes records, we will collect the following information from your NHS GP, hospital, laboratory and screening service records:

  • demographics (e.g. name, address, date of birth, GP practice)
  • diagnostic information (e.g. type of diabetes, date of diagnosis)
  • lifestyle factors (e.g. height, weight, smoking status)
  • test results (e.g. HbA1c, cholesterol, blood pressure)
  • screening results (eye and foot screening information)
  • goals and medication
     

In addition, general audit and bug reporting data are also collected to help improve the service we offer. We only collect the minimum amount of data required to support your diabetes self-management and for the service to operate effectively unless you have provided your consent for optional improved site functionality (see related Cookie Policy).

Any data you input directly into the website or app will contribute to the care record you can access on your device. Please note, this data is not currently shared with your healthcare team, and you should not assume your healthcare team will be aware of any manual data inputs or device uploads.

 

What we do with the information we gather

We require this information for the following reasons when you register to access your NHS diabetes records:

  • to identify you on NHS systems
  • to send you a form to sign to provide your consent for My Diabetes My Way to make your information available to you online
  • we may periodically send you diabetes news, information about new My Diabetes My Way products, or other information which we think you may find helpful in managing your diabetes, using the email address which you have provided.
  • we may also use your information to contact you by email for My Diabetes My Way service evaluation purposes.

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

The website and mobile app do not currently allow you to share data with other users, such as a carer or family member, as a feature. Any data you share is shared entirely at your own risk. The service does not currently permit data transfers.

We collect and process information about you only where we have a legal basis for doing so under applicable EU/UK laws.

The service does not involve any automated decision-making or profiling; however, it will provide basic lifestyle and education recommendations, based on your data record (e.g. type of diabetes, medications).

We follow the principle of data minimisation and only collect data and information which are important and relevant to diabetes care and self-management. 

 

How do we collect your data?

We collect and process data when you register online for any of our services, when you enter data into our website and when you use or view our website. We collect data relating to your diabetes from SCI-Diabetes, the NHS Scotland Electronic Medical Record for diabetes. We track your progress through the educational resources available on our website. Data may also be collected via surveys or from feedback, and we may also monitor how you use the site.

 

Links to other websites

Our website contains links to other websites related to diabetes. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Notice. You should exercise caution and look at the Privacy Notice applicable to the website in question.

 

How do we store data?

We take data security very seriously. Any data elements we store are held in NHS approved secure data centres, on encrypted servers. Our providers partner closely with the My Diabetes My Way Team in ensuring we comply with GDPR and the Data Protection Act (2018). My Diabetes My Way also has supporting policies and procedures which cover physical and technical security measures which address our approach to information risk management.

Data storage is on your local device unless you manually export the data. Data is encrypted while being sent from the service to your device as per standard encryption for data transfers over the internet. All data is protected using HTTPS with TLS encryption between the device and the host.

We will retain data for as long as the service is funded. Upon termination of funding, all data will be securely and completely destroyed. Given current volumes, the process to delete any personal data is documented, and the data is manually erased or scrubbed in accordance with ISO27001 standards.

We have implemented controls to ensure that regulatory obligations regarding data protection are followed, documented, and results logged. In the unlikely event of a data breach, we will assess the risk and where appropriate, notify the competent supervisory authority (in the UK, this is the ICO) within 72 hours. If the risk assessment indicates a high risk for you, we would also communicate any breach of personal data directly to you. Specific procedures for the management of security incidents and breach monitoring are in place.

 

mygovscot myaccount

Please note that if you access our service using your mygovscot myaccount details, the identity and login services are managed by the Scottish Government. The Scottish Government is the Data Controller for any personal information you provide to mygovscot myaccount. For this personal information, our role is a “Processor” only and we must act under the instructions provided by mygovscot myaccount.

 

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

  • whenever you are asked to fill in a form on the website, you may choose not to subscribe to the My Diabetes My Way mailing list
  • if you have previously agreed to subscribe to the My Diabetes My Way mailing list, you may change your mind at any time by emailing us at mydiabetes.myway@nhs.scot

We will not transfer your personal information to any third parties unless we have your permission or are required to do so by law. If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the following addresses. We will promptly correct any information found to be incorrect.


My Diabetes My Way

School of Medicine

Ninewells Hospital

Dundee

DD1 9SY


mydiabetes.myway@nhs.scot 
 

What is a Privacy Policy for?

A Privacy Policy tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It is part of how we ensure we are open and transparent in the data processing activities we carry out in order to meet our service provision obligations. It covers information we collect directly from you or receive from other individuals or organisations.

A Privacy Policy is a written statement that individuals are given when information is collected about them. As a minimum, a Privacy Policy should tell people who we are, what we are going to do with their information and who it will be shared with.

Opting Out

If you wish to opt out of the MDMW service please notify us via the details above and your information will be promptly and securely removed from our system. If you have any questions or concerns regarding how we use your information, please use the Contact Us section of our website.

 

How to contact the appropriate authorities

Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.


Version 2.3 – last updated 13th December 2024
