
Privacy Notice Relating to Corin Solutions

Privacy Notice: Introduction & Purpose

 

This privacy notice describes how Corin collates, uses and processes personal data (including health data) in connection with our various solutions.    

 

These solutions include (but are not limited to) the OPSInsight™, OMNI™, OPSReView™, CorinRegistry™ and CorinRPM™ technology solutions, as well as our implants and case booking systems.  In this notice, we will refer to these solutions as our “Solutions”.

 

This privacy notice is intended for patients whose surgeon wishes to use our Solutions as part of their treatment plan.  Therefore, reference to “you” and “your” is intended to refer to patients.  However, this notice may also be useful for surgeons and their clinical teams.    

 

Please read this privacy notice carefully as it sets out how Corin uses your data in connection with our Solutions and what your data privacy rights are.

 

It is important that you read this privacy notice together with any other privacy notice, data collection notice or terms & conditions which are provided to you on specific occasions.  This privacy notice supplements these other documents and is not intended to override them.

 

If you are a Corin website user, you should also read our website’s terms of use which explain the conditions of using our websites, providing gateways to our products and services, as well as lots of other useful information. https://www.coringroup.com/terms-and-conditions

 

We also have a privacy notice which applies to personal data other than those items described here, which can be found on our website.

 

Overview of our Solutions

 

Our Solutions provide clinicians with tools to help them plan, co-ordinate, execute, evaluate and monitor their surgical cases.  Many of our Solutions are designed to help surgeons perform surgery which is personalised to each specific patient. 

 

You can find more information on our Solutions on the Corin website (https://www.coringroup.com/uk/solutions/) or by speaking to your surgeon.

Data collected by our Solutions

 

If our Solutions are used for your case, it is likely that Corin will receive personal data about you.  The main categories of personal data which we may receive are:

 

| Category | Examples |
|---|---|
| Basic identifiers | Name, date of birth, gender |
| Contact details | Your email address and home address |
| Details of your surgery | Your surgeon’s name, your clinic/hospital, dates of surgery and consultations, type of surgery |
| Information about you | Your height, weight, body mass index (BMI), ethnicity, tobacco and drug-usage, allergies |
| Physiological & Imaging Data | Your CT and/or x-ray scans, data points regarding your anatomy, physiology and movement |
| Other medical information | Parts of your medical history, symptoms, diagnosis, treatment plans, clinical assessment and surgical notes |
| Outcomes data (PROMS) | Activity levels, step counts, pain scores, mobility scores, satisfaction scores |

 

 

Some of the data described above is categorised as “sensitive data”, “special category data” or “personal health information” and is therefore subject to a higher level of protection under national and international data privacy laws.

 

Some Solutions (e.g. OPSReView™) may also require you to provide payment card details so that you can purchase your report.

How your personal data is collected

 

In general, your personal data will be provided to Corin through one (or more) of these methods:

 

| Method | Description | Examples |
|---|---|---|
| Personal data is collected by our Solutions and/or Corin representatives | Some of our Solutions automatically collect personal data as they operate. In other cases, Corin representatives may input data into the Solutions which is combined with data collected by the Solutions. | Some versions of the OMNI™ delivery system collect data during surgery, which is linked with personal data inputted by Corin representatives who are involved in your case. |
| You provide personal data to Corin | Some of our Solutions ask you to input personal data directly. This data is then stored and transferred to Corin via the Solutions. | Personal data which you input into the CorinRPM™ app, or data which you provide when ordering an OPSReView™ report. |
| Your personal data is provided to Corin by your surgeon or other persons/organisations involved in your care or treatment. | Your surgeon, clinical team, hospitals, imaging centres or other organisations may provide Corin with your data, which will be used in connection with the Solutions. | When a surgeon uses our Solutions for your case, they will send us personal data for processing. This is typically done by email or upload to our secure cloud-based platform called CorinConnect™. Imaging centres may provide Corin with copies of your X-rays / CT scans (together with other personal data) for similar purposes. Other persons or entities which collect data as part of your treatment/care journey may also provide personal data to Corin using the CorinConnect™ platform or other secure method. |

 

 

 

 

How and why Corin uses your personal data

 

Treatment Use

 

Principally, we use your personal data so that we can provide our Solutions to your surgeon and their clinical team.  Your surgeon then uses these Solutions as part of your surgery journey and to co-ordinate your care.  We call this “Treatment Use”.  This section explains how we conduct “Treatment Use”.

 

In some cases, we will receive your personal data before your surgery happens (pre-operatively).  We will analyse this data and use it to provide information to your surgeon.  Your surgeon may use this information to co-ordinate, plan and execute your surgery.

 

In other cases, we will receive your data during or after surgery (intra- or post-operatively).  Here, we will use the data to provide information which can be used by your surgeon for post-operative follow-ups, analysis or monitoring.  

 

We analyse the data using various tools which we have developed in-house or sourced from third-party providers. 

 

The information produced by our Solutions is provided to your surgeon through different media, most commonly by email or via our cloud-based platform called CorinConnect™.

On CorinConnect™, we present your personal data (and the information produced by our Solutions) to your surgeon to help them co-ordinate your care, plan/execute your surgery and review your case post-operatively.  On CorinConnect™, your surgeon can also compare your data (which may include personal data) against similar data from other patients.

 

The data which we use for Treatment Use is in identifiable form.  In other words, it contains data which can identify you (such as those described in the table above).

 

De-Identified Use of Data

 

In many cases, your data will be useful for other purposes which are not directly related to your own surgery or care.  In these cases, we may create a de-identified version of your personal data, and use it for these purposes.

 

“De-identified data” is a separate dataset which does not contain data that identifies you as an individual (such as your name and date of birth).  In the European Union and UK, we refer to this as “pseudonymized data”.

 

The main cases where this applies are:

 

| Purpose | Summary |
|---|---|
| Research | We may use the data for clinical or academic research purposes. We may conduct the research ourselves, or we may provide the data to third parties to facilitate their research activities. |
| Product Development | We may use the data to help develop new products or improve existing products. |
| Comparisons and benchmarking | We may use the data as a comparable or benchmark against which we (and/or clinicians) can assess other patients or groups of patients whose data we have collected. Similarly, we may use the data to help produce a plan or materials which help a clinician treat another patient or group of patients. |
| CorinRegistry | We may wish to incorporate the data into the CorinRegistry, which is a Corin-owned registry of clinical data pertaining to orthopaedics and orthopaedic treatments. |

 

This activity may be performed on a commercial (i.e. revenue generating) or non-commercial basis.

 

Data to Clinical Registries

 

In some cases, we may provide your personal data to well-established, clinical data registries such as the UK National Joint Registry, American Joint Replacement Registry (AJRR) or Australian Orthopaedic Association National Joint Replacement Registry (AOANJRR). 

 

Other Compatible or Lawful Secondary Uses

 

In limited circumstances, we may use your personal data for other secondary purposes.  We will only do this where permitted under the laws of the relevant jurisdiction and safeguards have been put in place.

 

For more information on how we may use your personal data or the de-identification process described above, you can contact the data privacy team at dpo@coringroup.com or use the mailing address at the bottom of this notice.

 

Overseas transfer of data

 

Some of our Solutions (mainly those with an online/technology focus) are operated by a wholly-owned subsidiary of Corin called Optimized Ortho Pty Limited.  In general, the personal data which we collect is processed by engineers and other Corin-employees who are employed by (or contracted to) Optimized Ortho.

 

Optimized Ortho is an Australian company based in Pymble, NSW.  It is therefore necessary to transfer personal data to Australia for processing.  The personal data is hosted on secure servers in Australia, including servers hosted by Microsoft Azure.

 

In some cases, we may also transfer personal data to Corin’s other group companies or third-party subcontractors in the UK, USA or European Union if required as part of our processes.

 

Personal data is only transferred overseas where legally permitted and in accordance with security standards.

 

If you do not want to provide personal data to Corin

 

If you do not want Corin to receive, use or commercialise your personal data, you should:

 

  • tell your surgeon that you do not want Corin to obtain your personal data, and
  • not input any personal data into the CorinRPM app, OPSReView or any of our other Solutions.

 

In this situation, it might not be possible to provide our Solutions to your surgeon for your particular case.  However, alternative options should be available, and your surgeon will discuss these with you.   

 

If you are willing to provide Corin with your personal data for Treatment Use, but do not want your data used for any other purposes (including de-identification), you should inform your surgeon at the earliest opportunity.  You can also inform Corin directly by contacting our privacy team using the details at the bottom of this notice. 

Lawful Basis for using your personal data

 

The basis on which we hold and use your personal data depends on your jurisdiction and the specific Solutions which are used for your case.  Broadly:

 

  • in the European Union and United Kingdom, we process personal data based on either consent or legitimate interests for treatment/diagnosis, research and/or medical device quality assurance (depending on the applicable Technology and country).

 

  • in the United States, we obtain and use personal data based on the Treatment, Payment, and Health Care Operations (TPO) provisions.

 

Laws regarding secondary use of data may also apply.

 

Further details of the lawful basis can be obtained by contacting the privacy team using the details at the bottom of this notice.

Data Retention

 

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for and to comply with our regulatory obligations as a medical device manufacturer.

 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

Laws of the country where you are resident will also determine the period of data retention.

 

We may retain de-identified data indefinitely, subject to any legal restrictions which apply in the relevant jurisdiction.

Data Security

 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed, altered or disclosed in an unauthorised way.

 

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a genuine need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

 

All data transferred or stored is protected with stringent technical security solutions deployed or contracted by Corin along with its data security policies.  

 

We have also implemented procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your Legal Rights

 

You have rights under data protection laws in relation to your personal data.

 

It is important that the personal information we hold about you is accurate and current. Please keep Corin informed (via your surgeon) if your personal data changes during your relationship with Corin.

 

Under certain circumstances, by law you have the right to: 

 

  • Request access

 

You may request access to your personal data in order to receive a copy of the personal data we hold about you and to check that we are lawfully using and/or processing it.

 

We may need to request specific information from you to help Corin confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 

  • Fees

 

Where possible, we try to avoid charging a fee for access requests to data; however, this may not be possible if there is a significant administrative overhead. We will charge a fee if your request is unfounded, repetitive or excessive, or alternatively, we may refuse to comply with your request in these circumstances.  Where applicable, fees may be limited by the laws of your jurisdiction.

 

  • Time limit to respond

 

We try to respond to all legitimate requests within one month. Occasionally (and if permitted by law) it may take Corin longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

 

  • Request correction

 

You may request a correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may also need to verify the accuracy of the new data you provide to Corin.

 

  • Request erasure

 

You may request erasure of the personal data we hold about you where there is no legally justifiable or other reason for Corin to continue to process or store it.  You also have the right to ask Corin to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure, for specific legal reasons which will be notified to you, if applicable, at the time of your request.

 

  • Object to processing

 

Where we are processing your personal data legally for a purpose that does not require your consent, but there is something about your particular situation which makes you feel that it impacts on your fundamental rights and freedoms, you are entitled to object to processing. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information.

 

  • Request a restriction of processing

 

You may request the restriction of processing of your personal data. This enables you to ask Corin to suspend the processing of your personal data in the following scenarios: (a) if you want Corin to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want Corin to erase it; (c) where you need Corin to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

 

  • Request a transfer

 

You can request transfer of your personal data to a third party upon your written request to do so. We will provide to you, or directly to the third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for Corin to use or where we used the information to perform a contract with you.

 

  • Withdrawal of consent

 

Where we are relying on consent to process your personal data you may withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Please be aware that if processing of your data has commenced for clinical treatment, we are required to retain such medical data by law within the country it is processed for a set period of time. 

Contacting Corin

 

We have a Privacy Team (headed by our Data Protection Officer) which is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, please email DPO@coringroup.com

 

or write to:

 

The Data Protection Officer at Corin Group, The Corinium Centre, Cirencester, GL7 1YJ, United Kingdom

Complaints

 

If you have been in contact with Corin about a matter regarding data privacy and you do not think this was dealt with properly, you can make a complaint to the Regulator in your country of residence.