Data Security and Privacy

Overview

In this section we outline the data processes that happen as part of COMPASS and explain what data will be collected and what happens to that data. Handling your information securely and confidentially is extremely important to us. As well as the data security processes we outline below, COMPASS will log you out automatically after 20 minutes of inactivity.
We also recommend:

  • logging out whenever you have finished working on COMPASS
  • keeping your COMPASS username and password in a secure place
  • not sharing any unnecessary personal information or contact details with your guide via your journal or online messages (this is explained in more detail below).

Device security

Your security and privacy on COMPASS depends on the device you use to access the website. You are able to use COMPASS on a computer, tablet or smartphone, as long as you are connected to the internet.
To ensure maximum security, we recommend you keep your software up-to-date, choose strong passwords which are not easy to guess, use security protection software and avoid unsecured public internet connections.

Cookies

The COMPASS website does not use marketing cookies. This means that your browsing information is not used for advertising or commercial purposes. The COMPASS website does use one type of cookie – this is an essential cookie which is used to make sure you get a consistent user experience. It is required for the website to maintain where you are up to in the program. It also means it can show you personalised information when you are signed in.

Who developed COMPASS?

COMPASS was developed by a team of researchers at King’s College London University. COMPASS at King’s College London works in partnership with:

  1. The NHS – a healthcare professional will have referred you to COMPASS.
  2. SPIKA – a software development company who programmed Compass. SPIKA host and maintain the website. SPIKA meets NHS Digital standards for privacy, confidentiality and security.
  3. Mayden – an electronic patient record system used by your local Improving Access to Psychological Therapy Service. Mayden meets NHS Digital standards for privacy, confidentiality and security.

Personal Data

What personal data/information will COMPASS ask me for?

COMPASS is a website. So that you can use COMPASS, we need you to register with an email address. COMPASS provides a service for the NHS. This means that we also need to ask for the following information:

  1. Your name
  2. Your date of birth
  3. Your NHS number
  4. Your address
  5. Your telephone number
  6. Your gender

So that we can keep track of your health – we will also ask you to complete self-report questions about your mood at regular points during the program.

Why does COMPASS need to collect this personal information?

Because COMPASS provides a service for the NHS your healthcare team needs accurate and up-to-date information. Collecting this information means that your healthcare team can monitor your progress. They are able to contact you to provide you with extra support either by email, the COMPASS in-site messaging service, over the telephone or by arranging an appointment to meet face-to-face.

Where is my data kept?

The COMPASS website is hosted by SPIKA. This means that the data collected by COMPASS is held on a database managed by SPIKA. This database is located in a securely protected and approved provider cloud solution. When you register for COMPASS you are assigned an anonymous COMPASS ID which is stored with your data. Additionally, because your data is confidential, the data that COMPASS collects is held in an encrypted state. Please note, if you upload photos or documents to your Tasks these will not be saved in an encrypted state, so please do not include any personal or identifying information.

Who can access my personal information?

So that COMPASS can be used in the NHS we have to follow strict privacy, confidentiality, and online security procedures.
Your personal information will only ever be accessed by your healthcare team. COMPASS will never share your information with other parties without your written consent. For example, if access is needed to your COMPASS account due to a technical error we will ask for your written consent for a member of the technical team to do this.

Does COMPASS collect other information about me?

To help the team at King’s College London improve the website, COMPASS collects information about:

  1. Length of time users spend logged in to COMPASS
  2. Number of sessions completed
  3. Type of sessions completed
  4. Number of messages sent between you and your guide (Please note the content of these messages will NEVER be seen by King’s College London unless you consent to this as part of a research study)

This information is ALWAYS anonymous and will never include data that can identify you as an individual.

Does COMPASS share my information with anyone else?

If you have been referred to COMPASS through your local Improving Access to Psychological Therapy service, the COMPASS program works in partnership with Mayden. Mayden processes data for your healthcare team. This means that when you complete self-report questionnaires about your LTC and mood, the data is transferred from COMPASS to your electronic medical record at your local Improving Access to Psychological Therapy service. This makes sure that your healthcare record is kept up-to-date.
Data is only transferred using the highest levels of data security and encryption, which meets NHS Digital requirements. This process happens automatically and does not involve people who work for Mayden accessing your personal information.
If you have a technical problem or question, then King’s College London will receive the following information if you submit a question/concern via the “Contact Us” form:

  1. Your name
  2. Your email address
  3. Information you type in your message

In order to solve a technical problem, support from the SPIKA software team who programmed COMPASS may be needed. We will never share your information with SPIKA or ask them to look into the problem without gaining your informed consent first.
COMPASS will never share your personal information with anyone without your consent.

Links

Some sessions may contain links to other websites which are owned, operated or maintained by third parties. If you click on a third party link, you will be directed to that website in a new tab. We provide these links as helpful sources of further information, not as an endorsement, authorisation or representation of our affiliation with that third party, nor as an endorsement of their privacy or information security policies or practices. We do not have control over third party websites and we do not have control over their privacy policies and terms of use.

Who can see what I write in COMPASS?

When you join COMPASS you will be linked with a guide. Your guide is a qualified healthcare professional who will provide you with support during your time on the program, either by phone, online messaging or both. Your guide is part of your healthcare team so will be able to see your personal details, including name, date of birth, phone number and email address.


In order to ensure that their support is relevant and specific to you, and to ensure your wellbeing, your guide will be able to see your progress on the website, i.e. which sessions you have completed and your mood scores. They will also be able to see your goals and tasks. Additionally, they are able to see the notes you make in the ‘Reflections’ section, as this can help structure their support. However, if you would like to, you can choose for the content in the reflections to be hidden from your guide.

The COMPASS Team at King’s College London

Project Lead for COMPASS: Professor Rona Moss-Morris
Data Protection Officer at King’s College London on behalf of COMPASS is: Albert Chan (Assistant Director of Business Assurance; Information Compliance)

The legal bits

Information collected by COMPASS will in line with General Data Protection Regulation (2018). Our lawful basis for collecting this information includes:

  1. Function of a public task
  2. Vital interest
  3. Legitimate interest
  4. Consent

Your rights

Your personal data will be processed in accordance with your rights under data protection legislation.
Your rights are:

  1. right to be informed
  2. right to gain access to your data
  3. right of rectification (e.g. change inaccurate information)
  4. right to erasure (e.g. to delete records held about you on the Compass platform)
  5. right to restriction (e.g. to stop processing information about you)
  6. right to portability (e.g. to move or transfer your data)
  7. right to object (e.g. to change your mind)
  8. right not to be subject to automatic profiling or decision making (e.g. to know if a decision was made by a computer rather than a person)

Summary

Your personal information will be managed and shared in line with the General Data Protection Regulations (2018) and common law duty of confidentiality.

  1. COMPASS will ask for personal information. This information will be stored in line with NHS Digital data privacy and security standards.
  2. COMPASS is developed and owned by King’s College London and is a provider for the NHS. COMPASS will share essential medical information in partnership with Mayden who process data on behalf of the NHS and follow NHS Digital data privacy and security standards.
  3. COMPASS will collect anonymous information about the length of time spent logged in to COMPASS, number of online sessions completed, and number of online messages sent. This information will be used by King’s College London to improve the COMPASS website.
  4. Filling in the COMPASS contact us form, means your email address and typed message will be seen by the King’s College London team.
  5. If you experience a technical problem, the COMPASS team at King’s College London will respond to your concern and gain your consent for the web-developers of COMPASS to access your information.

If you have any concerns or further questions, please contact the COMPASS team using the form which you can find in ‘Contact Us.’
You can find more tips for staying safe online at www.cyberaware.gov.uk.The following video also provides a useful overview of patient data – vimeo.com/264239790

Advertisement