We, Neuro Event Labs Oy (NEL), believe that your privacy is critically important. That is why we handle your personal data with great care.
This document describes what personal data we gather, why we gather it, and how we manage and store the data.
Nelli as a term used in this document refers to the epilepsy monitoring service provided by NEL. Nelli system refers to the information system that is used in the Nelli service.
Last updated on 21 August 2019.
We apply these basic principles to all personal data that NEL stores and processes. The data can broadly be categorized as follows:
In each of these categories, we gather and store only the personal data that is required to provide the Nelli service and conduct NEL’s business operations. Personal data is disclosed only to parties and persons on a need-to-know basis and only for the purpose for which it was collected. Each NEL or contractor employee who has access to the personal data is contractually obligated to safeguard and maintain the confidentiality of such data.
No personally identifiable information is retained by or transferred to any third party beyond the data processors mentioned in this document. Where possible, data is stored in such a manner (e.g. encrypted) that the third-party service provider cannot derive any meaningful information from the data it stores or processes.
We follow all applicable local and regional laws for data protection, including the European General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules.
Patient data, also known as Protected Health Information (PHI), is collected by NEL in order to provide source material for the Nelli monitoring service. This service provides an analysis of epilepsy patient recordings which occur in an inpatient (e.g. hospital) or an outpatient (e.g. home) setting. The analysis results in a report that aims to track and quantify seizure activity. This report serves as a medical record and presents the results of the analyses requested by the clinician.
Patient data includes:
All data collection by the Nelli service is volunteered by the NEL customer (hospital/clinic) and the patient as a part of the patient’s healthcare plan. For the purposes of the service, NEL serves only as a data processor and assumes no legal ownership of the data. Depending on the jurisdiction, the data may be considered to be controlled by the customer organization (e.g. in the form of public health records) or by the patient.
Collected data can be removed by the NEL customer from the Nelli system. Patients are directed to the customer organization to have their own records removed from the system.
Users of the Nelli system are doctors and clinicians from the customer organization, as well as NEL personnel providing the Nelli service for the customer. User data is collected by NEL in order to give controlled and audited access to the Nelli system.
Data collected about Nelli users includes:
The Nelli system consists of a dedicated data collection device, a cloud-based server infrastructure for data analysis, and a web-based dashboard for viewing the results of analysis.
The Nelli data collection device is designed by NEL using industry-standard components and security measures to protect collected patient data before sending it encrypted to the cloud for processing. Data is stored in the collection device only temporarily. All data is stored encrypted at rest.
The Nelli system is implemented using Amazon Web Services (AWS). AWS as a data processor uses the shared security responsibility model and is compliant with HIPAA requirements for Protected Health Information (PHI).
Personal data is stored encrypted at rest in AWS cloud services, and it travels over a secure channel (TLS 1.2) when being transferred between data processing steps.
Data storage and processing are done in a private network with no public internet access.
Personal data is stored and processed in the geographically optimal AWS data center in relation to customer operations.
NEL business associates and prospective customers
NEL business associates and prospective customers may contact NEL via the website (or by email) to ask questions and request more information about NEL and Nelli. NEL stores the email address of the contacting person and any other contact information that has been disclosed as part of the request. This contact information enables NEL to respond to the request.
This information is kept on file for at least one year, or for as long as there is an active dialog ongoing with the person.
Employees’ personal data is used to manage the employee-employer relationship. NEL collects and stores the personal data that is needed to manage this relationship; this is partially based on legal obligations, in addition to the information that is required by the company processes (payroll, occupational healthcare, insurance, performance management, etc.).
Employee data is stored during the employment period. Local legislation requires archival of employee data after employment has ended.
Applicant personal data is used solely for the purposes of the recruitment and employee selection process of Neuro Event Labs. By applying, the applicant consents to the processing and storing of their data in the applicant CV database.
The collected data includes some or all of the following:
Additionally, the evaluations of the applicant’s suitability for the position and the possible recruitment assignment are stored in the register.
An application will be kept on file for a maximum of six (6) months from the application date. During this period, the application can be reviewed and used to fill open positions. After 6 months, the data will be deleted permanently. Upon the applicant’s request, the data will be removed from the file prior to that date.
In compliance with the European Personal Data Act, everyone is entitled to verify the data regarding him/her that is contained in the personal data file.
Furthermore, the data subject is entitled to request rectification of erroneous or incomplete data contained in the personal data file. The request for rectification shall identify the error to be rectified, and provide the correct information.
Also, the data subject has the right to withdraw his/her consent to the use and processing of his/her personal data and to ask for removal of the data. Removal of the data may be limited by other legislation that requires retention of the data even after processing for the purpose for which it was gathered has stopped.
A request for verification, rectification, or removal of personal data shall be made in writing or by email, signed and delivered to the NEL Data Protection Officer (DPO). See contact details below.
We will continue to evaluate these policies as we update our services, and we may make changes to these policies accordingly. We will post any changes here and revise the last updated date above. If we make significant changes to policies concerning patient and user personal data in the Nelli system, we will notify affected parties as required by law.
If you have any questions about this Privacy and Security Policy, you can contact us at: firstname.lastname@example.org.
For more specific matters, you can use the contacts listed under Contact Information.
Security Officer: Andrew Knight, email@example.com
Data Privacy Officer: Jyrki Kaski, firstname.lastname@example.org