Privacy

COHESION understands that your privacy is important to you and that you care about how your personal data is used. We respect and value your privacy and will only collect and use personal data in ways that are described in this Privacy Notice and that are consistent with our obligations and your rights under the law.
Our Privacy Promise
We promise:
  • To keep your personal information safe and secure.
  • To give you ways to manage and review your own data sharing choices at any time.
  • Not to sell your personal information or use it for marketing purposes.
NHS Data Privacy Compliance
The Citizen Care Wallet can be used on its own, or configured in a way (e.g. the ROSI and Me app) that allows it to be linked to an NHS Service. When linked to an NHS Service:
  • Your data is managed in accordance with Data Protection Act 2018 for the purposes of your direct health and care, and in accordance with consent.
  • If you wish to change how your data is shared then please contact your usual healthcare team.
  • The Privacy Notice covering the use of your data is published on the website of your usual healthcare team.
What does this notice cover?
This Privacy Notice explains how COHESION uses your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
This will allow you to make informed decisions on creating and using your Citizen Care Wallet account. Furthermore, there is User Help and guidance within the Care Wallet itself on these topics.
What is Personal Data?
Personal Data is defined by the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. As such, Personal Data is any information about you that enables you to be identified. In other words, Personal Data covers information such as your name and contact details, email address, but it also covers information such as identification numbers, electronic location data, and other online identifiers. The Personal Data that COHESION uses is set out in this Privacy Notice.

Purpose of Citizen Care Wallet
Our aim is to help promote better health and wellness experiences by providing you with facilities to make it easier for you to prepare, communicate and retain the relevant data for managing your own health, to allow others close to you (e.g. family, friends) to better assist you in coordinating your care, and to help you engage and communicate more effectively and conveniently with the health and care services you need.

What Personal information is collected?
Certain information is required to create a Citizen Care Wallet account, such as your name, password, email address, and mobile number.

You are also able to add additional information to your account, comprising the following:
  • Your general demographics-related data (e.g. name, postal address, date of birth, email, phone);
  • Your general health-related data (e.g. body metrics, lifestyle choices, allergies, symptoms);
  • Your general care-related data (e.g. background story, care preferences, services used, appointments, care contacts);
  • Key info about you such as your profile photo, birth certificate, passport evidence;
  • Your health record (e.g. data and information you shared with your connected services such as assessments, images, test results etc);
  • Notifications, latest information;
  • Settings (e.g. permissions, consent for sharing etc.).
After registering your account, it can be linked to a service using an appropriately acquired access code. Consequently, this connection enables sharing of the appropriate set of data (i.e. relevant to your personal care choices) between you and the service. This data sharing is on a need-to-know basis only.

Additionally, to improve the facilities we provide to you, we use information relating to how you use these facilities. This data includes:
  • IP addresses
  • Host names
  • Domain name
  • The time and date information is requested
  • The browser version and platform when information is requested
  • A record of which pages have been requested.
How is my information protected?
COHESION is committed to protecting your privacy. Apart from the data needed to set up and operate your account, COHESION cannot access the information in your Care Wallet and has no influence over its content. Your information is kept on secure servers within the UK. We encrypt data so no one can see your health record except for the people you choose or those with a lawful basis.
How do we use information?
Your personal data will be processed and stored securely in compliance with the Data Protection Legislation.
We use information we collect for the following purposes:
  • Provide our services to you – using the information we collect we are able to deliver the services to you. For example, to connect with health services to notify you of appointments.
  • Personalise our services for you – provide relevant information to your needs.
  • Improve our services for you – we use information we collect to improve the services and to develop new ones. For example, we use information from web servers and browsers to troubleshoot and protect against errors, perform data analysis and develop new features and services.
  • Support our services for you – if you send us a help request at support@cohesionmedical.com you are likely to tell us your name and email address.
How we do not use information
COHESION does not access the care information in your Care Wallet. We do not use your account information:
  • For any type of marketing purposes without asking you first and receiving your opt-in
  • To disclose any of your account information except as described in this Privacy Notice.
Data disclosure and use
COHESION allows you to choose to connect and share data with specific connected services appropriate to your care, which may be provided by other service providers.
COHESION may use personal information to provide you with important information about the services such as important updates and notifications.
COHESION may use other external service providers to provide services on our behalf, such as a support service to answer questions you may have. We will not share your information with any third parties unless we are required to do so by law. Where necessary, we will comply with a data access request received from a recognised legal authority.

Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us if you wish to make a request. Our contact details can be found under How Do I Contact COHESION.

Data Retention
We keep your account information like your name, email address and password for as long as your account is in existence because we need it to operate your account. Data is deleted in line with our GDPR requirements on deletion of your account. Where your connected services retain your data as part of a medical health record, this data will be retained in accordance with the legal requirements and good practice guidelines in the appropriate jurisdiction.

Can I delete my Account?
You can choose to delete your account at any time. If you no longer require the COHESION Care Wallet service that we are providing then the service can be terminated at your request, and the data is deleted in line with our GDPR requirements. Where your connected services retain your data as part of a medical health record, data can only be deleted in compliance with the medico-legal requirements of the appropriate jurisdiction.

Lawful Basis
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click the following weblink: https://access.login.nhs.uk/terms-and-conditions
This restriction does not apply to the personal information you provide to us separately.

As described below, a different arrangement exists for the other personal data that is contained within your account. Note that in the following description, “connecting” to a care provision service (e.g. the NHS ROSI service) means that you agree to share your relevant personal data with the care team of that service, up until the point where you decide you no longer wish to engage with the service.

Under circumstances where your configured Care Wallet (e.g. the ROSI and Me app) is not connected to a care provision service (e.g. ROSI Service), COHESION acts as the sole data controller for:
  • any data that you decide you want to collate and record yourself for your own purposes
  • any data that is a read-only, patient copy of data from a care provision service to which you were previously, but no longer, connected.
  • any data that is required by COHESION to set up and operate your Care Wallet account (e.g. name, email, phone, encrypted password). NB. This is equivalent to, but distinct from, the similarly named data used by NHS login.
  • any data that is required by COHESION to improve, personalise, or support your use of the Care Wallet (e.g. IP address, host name, domain name, OS and browser version, data pages accessed).
Under circumstances where your configured Care Wallet (e.g. the ROSI and Me app) is connected to a care provision service (e.g. ROSI Service), COHESION acts as the sole data controller for:
  • any data you can change using the Care Wallet that IS NOT shared with the care provision service
  • any data that is a read-only, patient copy of data from a care provision service to which you were previously, but no longer, connected.
  • any data that is required by COHESION to set up and operate your Care Wallet account (e.g. name, email, phone, encrypted password)
  • any data that is required by COHESION to improve, personalise, or support your use of the Care Wallet (e.g. IP address, host name, domain name, OS and browser version, data pages accessed).
Under circumstances where your configured Care Wallet (e.g. the ROSI and Me app) is connected to a care provision service (e.g. ROSI Service), COHESION acts as the joint data controller along with the care provision service (e.g. the NHS ROSI Service Partner Organisations) for:
  • any data you can change using the Care Wallet that IS shared with the care provision service
Under circumstances where your configured Care Wallet (e.g. the ROSI and Me app) is connected to a care provision service (e.g. ROSI Service), COHESION acts as the data processor and the care provision service (e.g. the NHS ROSI Service Partner Organisations) acts as the data controller for:
  • any data you can change using the Care Wallet that IS shared with the care provision service
  • any data you cannot change using the Care Wallet that is from the care provision service to which you are now connected (e.g. Care Plans).
The following lawful bases apply:
  • GDPR Article 6(1)(a) - the data subject has given consent to the processing of their personal data for one or more specific purposes.
  • GDPR Article 9(2)(a) - the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
  • GDPR Article 9(2)(h) - processing is necessary for the purposes of supporting care provision.
About COHESION
COHESION is ISO 9001:2015 and 27001:2017 regulated, certified through the British Assessment Bureau, and a registered member of the Information Commissioner’s Office.
  • Data Protection Officer (DPO): Andrew Watson
  • Data Representative: Euan Cameron
  • Address: The HUB, 70 Pacific Quay, Glasgow G52 1EA.
  • Telephone number: 0141 611 9686
How Do I Contact COHESION?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please contact:
If you have any concerns about our use of your personal information, you can make a complaint to us at:
If you have any other questions, please contact us at:
How to Complain to the ICO?
COHESION is a registered member of the Information Commissioner’s Office (ICO) which regulates data protection in the UK. Our registration number is: ZA806581. You can complain to the ICO if you are unhappy with how we have used your data. The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Confidentiality
COHESION maintains confidentiality clauses in employment contracts, corporate policies covering confidentiality and provides annual mandatory GDPR training to all employees.
Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Any changes will be made available from COHESION or you will be notified if the changes directly affect you.

This Privacy Notice (1.11) was last updated on 08/12/2023.