Privacy and Personal Data Protection Policy

We, Neuro Event Labs Oy (NEL), believe that your privacy is critically important. That is why we handle your personal data with great care.

This document describes what personal data we gather, why we gather it, and how we manage and store the data.

In this document, Nelli refers to the epilepsy monitoring service provided by NEL. The Nelli system refers to the information system used to deliver the Nelli service.

Last updated on 21 August 2019.

Our principles for privacy and personal data

The following basic principles apply to all personal data that NEL stores and processes. The data can broadly be categorized as follows:

  • data in the Nelli system about patients being monitored with the Nelli system
  • data about users of the Nelli system
  • data used in NEL’s business processes about NEL employees, applicants, business associates, and prospective customers

In each of these categories, we gather and store only the personal data that is required to provide the Nelli service and to conduct NEL’s business operations. Personal data is disclosed only to parties and persons on a need-to-know basis, and only for the purpose for which it was collected. Every NEL or contractor employee who has access to personal data is contractually obligated to safeguard it and to maintain its confidentiality.

No personally identifiable information is retained by, or transferred to, any third party other than the data processors named in this document. Where possible, data is stored in a form (e.g. encrypted) from which the third-party service provider cannot derive any meaningful information about the data it stores or processes.

We follow all applicable local and regional data protection laws, including the European General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules.

Cookie Policy

NEL does not use cookies to track how users use the NEL website or the Nelli system. Cookies are used only for functional purposes, e.g. to maintain a secure user session with Nelli.

Data we collect in Nelli, why, and what

Patient data

Patient data, also known as Protected Health Information (PHI), is collected by NEL as the source material for the Nelli monitoring service. The service analyses recordings of epilepsy patients made in an inpatient (e.g. hospital) or outpatient (e.g. home) setting. The analysis produces a report that aims to track and quantify seizure activity; this report serves as a medical record and presents the results of the analyses requested by the clinician.

Patient data includes:

  • Patient identification (name and birthdate): needed to identify the patient uniquely in the system
  • Optionally, patient contact information, including residence address: needed in the case of outpatient home monitoring
  • Optionally, caregiver contact information: needed in the case of outpatient home monitoring
  • Requested monitoring periods: needed as input for monitoring planning and execution
  • Raw video, audio, and other sensory data from monitoring periods: needed as input data for analysis
  • Analysis data: the results of automatic and manual analysis. Analysis data may contain automatically-detected neurological events (like seizures) and vital measures (e.g. breathing rhythm and pulse) as well as manually-added annotations
  • Analysis reports: processed summaries of analysis data. Reports are available for online viewing and as PDF documents for the Nelli system users

All data collection by the Nelli service is volunteered by the NEL customer (hospital or clinic) and the patient as part of the patient’s healthcare plan. For the purposes of the service, NEL acts only as a data processor and assumes no legal ownership of the data. Depending on the jurisdiction, the data may be considered to be controlled by the customer organization (e.g. in the form of public health records) or by the patient.

Collected data can be removed from the Nelli system by the NEL customer. Patients are directed to the customer organization to have their own records removed from the system.

User data

Users of the Nelli system are doctors and clinicians from the customer organization, as well as the NEL personnel who provide the Nelli service to the customer. User data is collected by NEL in order to give controlled and audited access to the Nelli system.

Data collected about Nelli users includes:

  • Nelli user identification (name and email address): needed to identify the user in the system
  • User access rights: the patient registers the user may access and the user’s privileges within each register
  • User activity logs: all user access to the system, and every read or write of patient data, is logged for auditing purposes

Nelli data storage and processing

The Nelli system consists of a dedicated data collection device, a cloud-based server infrastructure for data analysis, and a web-based dashboard for viewing the results of analysis.

The Nelli data collection device is designed by NEL using industry-standard components and security measures to protect the collected patient data, which is sent encrypted to the cloud for processing. Data is held on the collection device only temporarily, and all data on the device is stored encrypted at rest.

The Nelli system is implemented using Amazon Web Services (AWS). As a data processor, AWS operates under the shared responsibility model: AWS is responsible for the security of the underlying cloud infrastructure, while NEL remains responsible for securing the data, configuration, and services it runs on AWS. AWS provides HIPAA-eligible services for storing and processing Protected Health Information (PHI).

Personal data is stored encrypted at rest in AWS cloud services, and it is transferred over a secure channel (TLS 1.2) when moving between data processing steps.

Data storage and processing take place in a private network that is not reachable from the public internet.

Personal data is stored and processed in the AWS region geographically best suited to the customer’s operations.

Personal data we collect in NEL business processes, why, and what

NEL business associates and prospective customers

NEL business associates and prospective customers may contact NEL via the website or by email to ask questions and request more information about NEL and Nelli. NEL stores the email address of the contacting person and any other contact information disclosed as part of the request. This contact information enables NEL to respond to the request.

This information is kept on file for at least one year, or for as long as there is an active dialogue with the person.

NEL employees

Employees’ personal data is used to manage the employee-employer relationship. NEL collects and stores the personal data needed to manage this relationship; this is partly required by legal obligations and partly by company processes (payroll, occupational healthcare, insurance, performance management, etc.).

Employee data is stored for the duration of employment. Local legislation requires employee data to be archived after employment has ended.

Applicants

Applicant personal data is used solely for the purposes of the recruitment and employee selection process of Neuro Event Labs. By applying, the applicant consents to the processing and storing of their data in the applicant CV database.

The collected data includes some or all of the following:

  • applicant’s name, birthdate, and contact information
  • education, work history, and information related to professional skills
  • applicant’s expectations of the applied position
  • job application with its attachments (e.g. CV, photo, certificates) and any other information provided by the applicant

Additionally, evaluations of the applicant’s suitability for the position, and any recruitment assignment the applicant has completed, are stored in the register.

An application is kept on file for a maximum of six (6) months from the application date. During this period, the application can be reviewed and used to fill open positions. After six months, the data is deleted permanently. Upon the applicant’s request, the data is removed from the file before that date.

NEL business data storage and processing

NEL business data is processed and stored by Google: Gmail and Google Drive are used in daily business operations. Please refer to Google’s Privacy Policy for more information.

Right to verify, correct, stop data processing, and/or remove personal data

In compliance with the GDPR and applicable national data protection legislation, every data subject is entitled to verify (access) the data concerning him or her that is contained in the personal data file.

Furthermore, the data subject is entitled to request rectification of erroneous or incomplete data contained in the personal data file. The request for rectification shall identify the error to be rectified and provide the correct information.

The data subject also has the right to withdraw his or her consent to the use and processing of his or her personal data and to ask for removal of the data. Removal may be limited by other legislation that requires the data to be retained even after processing for the original purpose has stopped.

Requests for verification, rectification, or removal of personal data shall be made in writing (by letter or email), signed, and delivered to the NEL Data Protection Officer (DPO). See Contact Information below.

Changes to this Privacy and Personal Data Protection Policy

We will continue to evaluate these policies as we update our services, and we may change them accordingly. We will post any changes here and revise the last updated date above. If we make significant changes to the policies concerning patient data or the use of personal data in the Nelli system, we will notify affected parties as required by law.

Questions About this Privacy and Personal Data Protection Policy

If you have any questions about this Privacy and Personal Data Protection Policy, you can contact us at: contact@neuroeventlabs.com.

For more specific matters, you can use the contacts listed under Contact Information below.

Contact Information

Security Officer: Andrew Knight, security@neuroeventlabs.com

Data Protection Officer: Jyrki Kaski, dpo@neuroeventlabs.com