Magnus Health and GDPR

The European Union’s General Data Protection Regulation (GDPR) requires that personal data from the European Union (EU)/European Economic Area (EEA) is subject to special protection. The GDPR also provides EU-based individuals (“Data Subjects”) with certain individual rights with respect to their personal information that is collected by Magnus Health. These include:

  1. The right to be informed about the collection and use of their personal data.
  2. The right of access to find out what data is stored about them.
  3. The right to rectification of their personal data if it is inaccurate or incomplete.
  4. The right to erasure to enable an individual to request the deletion or removal of certain personal data where there is no compelling reason for its continued processing.
  5. The right to restrict processing to ‘block’ or suppress processing of personal data.
  6. The right to data portability allowing individuals to obtain and reuse their personal data for their own purposes.
  7. The right to object to the processing of personal data under certain circumstances.
  8. Various rights in relation to certain kinds of automated decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).

The GDPR applies to organizations located within the EU and organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects of the European Union, regardless of the company’s location. The goal of GDPR is to ensure protection of the fundamental privacy rights of Data Subjects, such as ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure of data collected on EU Data Subjects. With the implementation of the GDPR, it is our goal to increase the knowledge and transparency of how your personal data is stored and processed.

Magnus Health will make all reasonable efforts to abide by the GDPR and to provide at least the same level of data protection for personal data received and processed from the EU, as the privacy protections set forth in our Privacy Policy. We will also make reasonable attempts to accommodate requests by Data Subjects to exercise the rights listed above. Where necessary and appropriate, we have implemented organizational and technical measures that include internal data protection policies and maintaining documentation on our processing activities. We have also appointed a Data Protection Officer.

In order to enable Data Subjects to exercise their rights under the GDPR, we are making the following disclosures for data received directly from an individual and data received from third parties. For purposes of this disclosure document, references to “we”, “us” or “our” mean Magnus Health and its appropriate affiliates, and references to “you” and “your” mean the Data Subject.

I. HOW WE USE PERSONAL DATA

We use Personal Data for purposes related to collecting, storing, and tracking protected health information collected on behalf of your school. The services we provide include, but are not limited to: Student Health Form Collection, Student Health Management, Parent Communication, Emergency Response System, and Software Integrations. Please review the applicable Notice of Privacy Practices for additional information.

II. WHO RECEIVES PERSONAL DATA?

We understand the importance of keeping your student and parent data secure. Therefore, we do not share personal health information of students or parents with any third party, with the exception of our third-party service providers. These third-party service providers are used for support and business purposes, and help us better assist your parent and student community. Each service provider that may have access to the Protected Health Information (PHI) in your student and parent data is covered by a service agreement.

There are three types of service providers that we utilize to ensure the best product and experience for our users: Student Information System Integration Partners, Health Information Partners, and Business Support Partners.

III. HOW LONG IS DATA STORED?

We store data for as long as is necessary to provide the services and for a reasonable retention period. To comply with federal regulations, such as HIPAA, we are required to store student and parent data for a minimum of seven years. At any time, you can request that the data of a particular account be removed.

IV. YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA

You have the right at any time to request access to and rectification or erasure of personal data that we hold. You can also request restriction of processing of your Personal Data, and you have the right to data portability. If you would like to exercise any of these rights, please send a written request to our Privacy Team at the address listed below. Not all requests can be granted. If your request is denied, you will be provided with the reason for the denial.

V. WITHDRAWAL OF CONSENT

You have the right to withdraw consent at any time. You must withdraw your consent in writing, addressed to the Privacy Team listed below. In order to ensure timely and accurate processing of your withdrawal, you must include your name, address, your school name, and the specific processes for which you no longer consent in your request. Withdrawing consent will not affect the lawfulness of processing that took place based on the consent you provided before the withdrawal.

VI. COMPLAINTS

You have the right to lodge a complaint with the appropriate data protection authority.

VII. SOURCE OF DATA AND LEGAL BASIS FOR OUR DATA PROCESSING

In order to provide services to you, we receive Personal Data from you, from your providers of medical care, from your employer, and from other third parties. We need access to your Personal Data, such as name, address, and medical information, regardless of who provides it, in order for us to provide the services described above.

VIII. IS PERSONAL DATA USED FOR AUTOMATED DECISION-MAKING OR PROFILING?

We use automated decision-making processes and profiling in the performance of our provided services. For example, account creation through auto roster import or an integration is essentially an automated process. We also use profiling to identify individuals and track the specific Magnus Health features they are utilizing. By doing so, we use profiling to identify opportunities for training and communication.

IX. LOCATION OF DATA PROCESSING

All Personal Data is processed in the United States.

X. ADDITIONAL PROCESSING

If we intend to use Personal Data for a purpose other than the original purposes for which we collected the Data (see Privacy Policy and Item I above), prior to that additional processing, we will provide you with information on that other purpose and any further relevant information, insofar as you do not already possess such information.

XI. PROCESSORS AND CONTROLLERS

Depending upon the engagement and purpose, Magnus Health is the Data Processor with respect to your Personal Data. Our address is 401 Edgewater Place, Suite 360, Wakefield, MA 01880.

Our Data Protection Officer can be reached at 401 Edgewater Place, Suite 360, Wakefield, MA 01880 or via email at privacy@magnushealthportal.com.