Privacy Policy


We are Optima Diagnostics Limited (“Optima”) registered in England and providers of the OSHENS software application. Ocean Cloud Software Inc. (“Ocean Cloud”) is a wholly owned subsidiary of Optima registered in Pennsylvania, USA.

Any references in this Policy to “Optima “, “Ocean Cloud”, “OSHENS”, “we”, “our”, “us” etc. will be interpreted as a reference to us. Our contact details can be found below under Section 10 - Enforcement and Dispute Resolution.

Any references in this Policy to “you” will be interpreted as a reference to the Data Subject.

Please read the following information carefully to understand our views and practices regarding your personal data and how we will treat it.


Optima Diagnostics Limited (Optima) processes your personal data in several ways, depending on how you interact with us.

  • We process personal data when you visit our main brochure website (www.OSHENS.com). Optima is the Data Controller for this personal data;
  • We process personal data about prospective customers of Optima. Optima is the Data Controller for this personal data;
  • We process personal data about our existing customers, such as contact information about key users. Optima is the Data Controller of this data;
  • We process personal and personal sensitive data about employees of Optima. Optima is the Data Controller for this personal data;
  • We process personal and personal sensitive data which may be contained within the content uploaded by our customers to the OSHENS software application such as files and comments. Optima is the Data Processor for this data;
  • We process personal and personal sensitive data when you use our OSHENS application and associated tools/services. Optima is the Data Processor for this data.


We may modify this Policy from time to time. If we make any changes to this Policy, we will change the “Updated” date above. We encourage you to check this Policy whenever you use our services to understand how your personal information is used.


4.1 Optima’s brochure website (www.OSHENS.com)

We may collect and process the following data about you when you visit www.OSHENS.com to view information about Optima and our OSHENS software application:

  • Information you complete when filling contact or demonstration request forms on the website (i.e. www.OSHENS.com);
  • The information we may collect about you includes your name and email address; your title, company and other profile information you provide as well as information about your proposed user of the OSHENS application;
  • Information that you provide to us by completing surveys on our site or as carried out by our approved third parties;
  • Information we receive from third-party search engines such as but not limited to Google, Yahoo and Microsoft (Bing and MSN) relating to your search activity;

If you contact us via the brochure website we will not require nor ask for sensitive personal data such as – general medical information, race/ethnicity, gender, political opinions or sexuality.

If you believe you have either submitted or been asked to provide this information as part of completion of forms on this website, please contact dpo@optimadiagnostics.com to have this information deleted or removed from our records.

4.2 OSHENS Software Application

4.2.1 Personal information

  • Employee first name and surname
  • Employment number
  • Email address

The OSHENS software application uses Internet Protocol (IP) addresses. IP addresses are assigned to your computer by your Internet Service Provider (ISP), so you can access the Internet. It is possible that the IP address we collect may contain information that could be deemed personal information.

We use your IP address to report aggregate information on usage and to help improve the quality and security of our service.

4.2.2 Personal sensitive information

OSHENS has the capability, if required, to hold additional personal information such as date of birth, home address and next of kin information.

This is exclusively for use in assisting auto-completion of statutory reports (e.g. OSHA 301 or RIDDOR F2508). However, this additional data is by no means a pre-requisite to successful application usage and is a choice made by each customer organization in their capacity as data controller.

OSHENS also stores detail of accidents that occur to individuals. These records can include details of the nature of an injury or illness and of any first aid treatment given.

OSHENS does not hold detailed medical history information

4.3 Employees of Optima/Ocean Cloud

We may collect the following types of personal data:

  • Relevant contact information including your name, address, email address, telephone number and any other contact information that allows us to meet our organisational and statutory obligations to you as your employer;
  • Details we require to ensure payment is made in line with our contractual obligations to you, including your National Insurance number, bank account details, and information relating to your salary;
  • Right to work documentation and other security screening information:
  • Job-related information such as years of service, work location, holiday information and contract data;
  • Data that we require to ensure we fulfil our health and safety obligations as an employer including but not limited to, next-of-kin details, individual risk assessment details, personal information emergency evacuation plans and information relating to workplace accident (including but not limited to accident reports, relevant photographs, witness statements);
  • Data that we require to fulfil statutory obligations including but not limited to data relating to: tax, statutory leave (including maternity leave, paternity leave, parental leave etc.); and work permits;
  • Data that is necessary for the organisational functioning of Optima/Ocean Cloud. This includes, but is not limited to, data related to recruitment, training and development, absence, disciplinary matters, health and safety, and security;
  • Sensitive personal data relating to (i) physical or mental health, or (ii) racial/ethnic origin. This processing will not happen without the employee’s knowledge;
  • Information relating to racial/ethnic origin will be processed for the purpose of confirming immigration, right-to-work and residence status only. This processing will not happen without the employee’s knowledge.


Optima and Ocean Cloud may use the information on you in the following ways:

For the purpose of legitimate interests being pursued by us in relation to the OSHENS software application that we provide.

For example, we will use your information to:

  • Provide our OSHENS service and features to you and to measure and improve those services and features;
  • Provide you with implementation and technical support through customer relationship processes;
  • Contact you with any service-related announcements from time to time;
  • Ensure that content from our sites are presented in the most effective manner for you and for your computer;
  • Detect and prevent fraud or malicious use.

Where it is necessary for the performance of a contract with you.

In order to comply with any legal obligation that we have, in connection with any legal proceedings, or in order to establish, exercise or defend our legal rights.

Where we have relied on our legitimate interests to process your personal data, you may contact us to obtain more information, including in relation to our assessment of the impact on you.


6.1 Data relevance

As part of implementing the OSHENS software application with a customer organization we always conduct a review of the relevance and need for all data collection activities.

6.2 Data accuracy

OSHENS contains a series of workflows, including confirmation points available to users with appropriate permissions and access rights. This enables all data captured to be properly verified/validated. Modular areas of the system also have their own audit trails/histories that show who has made amendments to which data and when.

6.3 Data matching

Data matching primarily takes place during import of a customer organization’s human resource information to OSHENS. Existing data held within OSHENS is compared against the incoming source data. The use of import criteria to match data takes place. The incoming source data is always regarded as having pre-dominance.

Mismatched entries can be corrected on a case-by-case basis. This capability exists extensively across the user interface although for certain types of information (e.g. an employee record) edit rights are restricted to dedicated administrative users only.


7.1 User application access

Access to OSHENS is generally controlled by username and password entry. The system has a range of sophisticated password configuration options. Customer organizations can determine a balance of measures commensurate with the type of data being processed and the nature of users accessing the system. You/your users are responsible at all times for the safe storage of your access credentials to OSHENS.

OSHENS can also be configured to run using Single Sign-on authentication methodologies.

7.2 Access controls and restrictions

All records that contain personal sensitive data within the system are protected by permission controls that restrict access to only those that have been granted overt access rights.

There is no default access to this type of data: you must be given these rights by a customer’s administrative user.

User permissions can be revoked at any time by administrators.

7.3 Data retention

We act as the Data Processor and as such we do not delete customer data while the customer still has a valid contract. The customer, acting as the Data Controller, can use the system to comply with their own data retention policy.

Customers can edit/delete this data or make specific request of Optima to do the same on their behalf.

Upon termination or lapse of the contract, the live system is removed from the hosted server environment and can no longer be accessed online. Data stored in the system can be provided to you as an export if required.

Once 90 days have elapsed from the contract termination date, all backups are permanently deleted. Backups can be deleted prior to this time upon request. Once backups have been deleted there is no possible way to restore the data.

Optima is a data processor in relation to, and does not control, the content recorded within or uploaded to our OSHENS software application by customer users. As such, we shall keep your personal and personal sensitive data for as long as determined by the relevant data controller customer.

Should you wish to remove your personal and personal sensitive data from within customer content, you should contact the relevant customer, who is responsible for giving effect to your rights in relation to personal and personal sensitive data, including the right of access and erasure.

7.4 Server management

All information relating to you is stored on secure servers operated by us or our third-party providers. All servers are located in the United Kingdom (UK). Backups are taken nightly and removed to an alternative UK site via electronic transfer on a weekly basis. Backups are also retained in the UK only.

During transmission of OSHENS data between users’ web browsers and Optima servers all data is subject to TLS 1.2 encryption. Data is encrypted whilst at rest using transparent data encryption.


Optima Diagnostics Limited is registered as a data controller with the UK Information Commissioner’s Office. Our data protection registration number is Z7265039.

Optima Diagnostics has appointed a Data Protection Officer with responsibility for Optima Diagnostics Limited and Ocean Cloud Software Inc.

Optima’s Information Security Management is 3rd party ISO 27001:2013 certified.

Safeguards using appropriate technical and organizational measures to minimize the risk of accidental loss, unlawful processing, destruction or damage have been implemented.

Optima will ensure that all its permitted subcontractors shall, in providing services, comply to the same standards as Optima in relation to data protection and processing and security of personal and personal sensitive data.


The data that we collect from you may be processed by staff operating outside the EEA who work for Ocean Cloud Software Inc. in the United States of America. Such staff maybe engaged in, among other things, the provision of customer relationship management services and support services on our behalf.

Ocean Cloud Software Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Ocean Cloud has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

If there is any conflict between the terms of this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

The Federal Trade Commission (FTC) has jurisdiction over Ocean Cloud's compliance with the Privacy Shield.

All Ocean Cloud employees who handle personal data from Europe are required to comply with the Principles stated in this Policy.

9.1 Responsibilities and Management

The Data Protection Officer at Optima Diagnostics Limited has been appointed to oversee Ocean Cloud’s compliance to the Privacy Shield program. Any questions, concerns, or comments regarding this Policy also may be directed to the Data Protection Officer using the email address dpo@optimadiagnostics.com.

Ocean Cloud will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the personal and personal sensitive data that it collects. Ocean Cloud personnel will receive training, as applicable, to effectively implement this Policy.

9.2 Renewal and verification

Ocean Cloud will renew its EU-US Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to the re-certification, Ocean Cloud will conduct an in-house verification to ensure that its attestations and assertions about its treatment of personal and personal sensitive data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, Ocean Cloud will undertake the following:

  • Review this Privacy Shield policy and its publicly posted website privacy policy to ensure it accurately describes the practices regarding the collection of personal and personal sensitive data;
  • Ensure that its privacy policy informs customers of Ocean Cloud's participation in the EU-US Privacy Shield program and where to obtain a copy of additional information (e.g. a copy of this Policy);
  • Ensure that this Policy continues to comply with the Privacy Shield principles;
  • Confirm that customers are made aware of the process for addressing complaints and any independent dispute resolution process (Ocean Cloud will do so through individual customer contracts);
  • Review its processes and procedures for training Employees about Ocean Cloud's participation in the Privacy Shield program and the appropriate handling of personal and personal sensitive data.

Ocean Cloud will prepare an internal verification statement on an annual basis.

9.3 Collection and use of data

Section 4 of this Privacy Policy describes in detail the methods of collection and use of personal and personal sensitive data.

9.4 Disclosures and Onward Transfers of Data

Except as otherwise provided herein, Ocean Cloud discloses personal and personal sensitive data only to third parties who reasonably need to know such data within the scope of the contractual agreements held by Ocean Cloud and Optima Diagnostics. Such recipients must agree to abide by confidentiality obligations.

Ocean Cloud may provide personal and personal sensitive data to third parties that act as agents, consultants and contractors to perform tasks on behalf of and under our instructions.

For example, should Ocean Cloud store such personal and personal sensitive data in facilities operated by third parties, such third parties must agree to use such personal and personal sensitive data only for the purposes for which they have been engaged by Ocean Cloud and they must either:

  • Comply with the Privacy Shield principles or another mechanism permitted by the applicable EU data protection laws for transfers and processing of personal and personal sensitive data; or
  • Agree to provide adequate protections for the personal and personal sensitive data that are no less protective than those set out in this policy.

Ocean Cloud may disclose personal and personal sensitive data for other purposes or to other third parties when a customer organization, as data controller, has consented to or requested such disclosure.

Ocean Cloud may also be required to disclose a customer’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Ocean Cloud is liable for appropriate onward transfers of personal data to third parties.

9.5 Data Integrity and Security

Sections 6 and 7 of this Privacy Policy describe in detail the company’s approach to Data Integrity and Security.

9.6 Notification

Ocean Cloud notifies customer organizations about its adherence to the EU-US Privacy Shield principles through individual customer contracts and adherence to the current policy when they provide their information to us in the transactional process.

9.7 Accessing Personal and Personal Sensitive Data

Section 5 of this Privacy Policy describes in detail the ways in which Ocean Cloud personnel may access and use personal and personal sensitive data only if they are authorized to do so and only for the purpose for which they are authorized.

9.8 Right to Access, Change or Delete Personal and Personal Sensitive Data

Ocean Cloud acts as the data processor of the personal and personal sensitive data it holds on behalf of its customer organizations who are the data controllers of such data.

Therefore, Ocean Cloud is not permitted to grant individuals access to their data - except in cases where this is required by law – and is contractually obliged to refer individual data subjects back to the data controller.

All requests by individual data subjects to exercise their legal right to access, amend and erase data must be made directly with the data controller.

9.9 Changes to this Policy

This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will make employees available of changes to this policy through email or other means.

We will notify customers if we make changes that materially affect the way we handle data previously collected, and we will allow them to choose whether their data may be used in any materially different manner.


Complaints, questions and comments and requests regarding this Privacy Policy should be addressed to either: dpo@optimadiagnostics.com, or

Data Protection Officer
Optima Diagnostics Limited
6 Raleigh House
Admirals Way
London, E14 9SN

If you are not satisfied with our response or you believe our use of your information does not comply with data protection law, you can make a complaint to the relevant privacy regulator. In the UK, that is the Information Commissioner’s Office (ICO) – see www.ico.org.uk for more information.

10.1 EU-US Privacy Shield

In compliance with the EU-US Privacy Shield Principles, Ocean Cloud commits to resolve complaints about your privacy and our collection or use of customer’s personal and personal sensitive data.

If a customer's question or concern cannot be satisfied through this process, Ocean Cloud has further committed to refer unresolved privacy complaints under EU-US Privacy Shield to and cooperate fully with the panel established by the EU data protection authorities (DPAs). We will comply with the advice given by such authorities with regard to unresolved Privacy Shield complaints concerning data transferred from the EU including human resources data transferred from the EU in the context of the employment relationship.

Finally, as a last resort and in limited situations, EU customers may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

Updated: 3rd August 2018