NEUROMEDICA LTD PATIENT PRIVACY NOTICE

Introduction

This Privacy Notice sets out details of the information that we, as a clinical team are responsible for your treatment (and including my medical secretaries), may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.

About us

In this Privacy Notice we use “We” or “ours” or “our” to refer to Neuromedica Ltd who is using your personal information.

In the event that you have any queries, comments or concerns in respect of the manner in which we have used, or potentially will use, your personal information then you should contact us directly and we would be happy to discuss further. Contacts should be made via our secretarial team and mobile contact and email are available on our website (www.neurologymidlands.co.uk)

Your personal data

We are the Data Controller in respect of your personal information which we hold about you. This will mainly relate to your medical treatment, but will be likely to also include other information such as financial data in relation to billing. We must comply with the data protection legislation and relevant guidance when handling your personal information, and so must any medical secretary who assists us in an administrative capacity. Your personal data may include any images taken in relation to your treatment which must not only be managed in accordance with the law, this Privacy Notice but also all applicable professional standards including guidance from the General Medical Council and British Medical Association.

We will provide your treatment from a Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby and, in due course, it may be necessary for Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby to also process your personal data. We will do so in accordance with the law, the principles of this Privacy Notice and to the extent that it is necessary to do so. This could be where Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby needs to arrange other healthcare services as part of your treatment, such as nursing or dietician advice, or support other aspects of the treatment which we provide to you. In that case, Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby will become a joint Data Controller in respect of your personal information and you will be provided with a copy of their Privacy Notice which sets out how they will manage that information.

Your personal information will be handled in accordance with the principles set out within this Privacy Notice. This means that whenever we use your personal data, we will only do so as set out in this Privacy Notice. From time to time, we may process your personal information at a non-Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby site (medical or non-medical), as may my medical secretary.

What personal information do we collect and use from patients?

We will use “special categories of personal information” (previously known as “sensitive personal data”) about you, such as information relating to your physical and mental health.

If you provide personal information to us about other individuals (including medical or financial information) you should inform the individual about the contents of this Privacy Notice. We will also process such information in accordance with this Privacy Notice.

In addition, you should note that in the event you amend data which we already hold about you (for instance by amending a pre-populated form) then we will update our systems to reflect the amendments. Our systems will continue to store historical data.

Personal information

As one of our patients, the personal information we hold about you may include the following:

Name
Contact details, such as postal address, email address and telephone number (including mobile number)
Financial information, such as credit card details used to pay us and insurance policy details
Occupation
Emergency contact details, including next of kin
Background referral details

Special Categories Personal Information

As one of our patients, we will hold information relating to your medical treatment which is known as a special category of personal data under the law, meaning that it must be handled even more sensitively. This may include the following:

Details of your current or former physical or mental health, including information about any healthcare you have received from other healthcare providers such as GPs, dentists or hospitals (private and/or NHS), which may include details of clinic and hospital visits, as well as medicines administered. We will provide further details below on the manner in which we handle such information.
Details of services you have received from us
Details of your nationality, race and/or ethnicity
Details of your religion
Details of any genetic data or biometric data relating to you
Data concerning your sex life and/or sexual orientation

The confidentiality of your medical information is important to us, and we make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health (or indeed any of your personal information more generally). In doing so, we will comply with UK data protection law, including the Data Protection Act 2018 and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.

From 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR) and a new Data Protection Act. All uses of your information will comply with the GDPR and the new Data Protection Act from that date onwards

How do we collect your information?

We may collect personal information from a number of different sources including, but not limited to:

GPs
Dentists
Other hospitals, both NHS and private (including Spire/other independent provider)
Mental health providers
Commissioners of healthcare services
Other clinicians (including their medical secretaries)

Directly from you

Information may be collected directly from you when:

You enter into a contract with me or Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby for the provision of healthcare services
You use those services
You complete enquiry forms on the Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby website
You submit a query to us including by email or by social media
You correspond with us by letter, email, telephone or social media.

From other healthcare organisations

Our patients will usually receive healthcare from other organisations, and so in order to provide you with the best treatment possible we may have to collect personal information about you from them. These may include:

Medical records from your GP
Medical records from other clinicians (including their medical secretaries)
Medical records from your dentist
Medical records from the NHS or any private healthcare organisation

Medical records include information about your diagnosis, clinic and hospital visits and medicines administered.
From third parties

As detailed in the previous section, it is often necessary to seek information from other healthcare organisations. We may also collect information about you from third parties when:

You are referred to us for the provision of services including healthcare services
We liaise with your current or former employer, health professional or other treatment or benefit provider
We liaise with your family
We liaise with your insurance policy provider
We deal with experts (including medical experts) and other service providers about services you have received or are receiving from us
We deal with NHS health service bodies about services you have received or are receiving from us
We liaise with credit reference agencies
We liaise with debt collection agencies
We liaise with Government agencies, including the Ministry of Defence, the Home Office and HMRC
How will we communicate with you?
We may communicate with you in a range of ways, including by telephone, SMS, email, and / or post. If I contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate, and including only sufficient basic details to enable you to identify who the call is from, very limited detail as to the reason for the call and how to call us back.
However:
to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders), we may communicate with you by SMS and/or unencrypted email (where you have provided us with your SMS or email address).
to provide you with your medical information (including test results and other clinical updates) and/or invoicing information, I may communicate with you by email (which will be encrypted) where you have provided me with your email address. The first time I send you any important encrypted email that I am not also sending by post or which requires action to be taken, I will endeavour to contact you separately to ensure that you are able to access the encrypted email you are sent.
Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare service.
What are the purposes for which your information is used?
We may ‘process’ your information for a number of different purposes, which is essentially the language used by the law to mean using your data. Each time we use your data we must have a legal justification to do so. The particular justification will depend on the purpose of the proposed use of your data. When the information that we process is classed as a “special category of personal information”, we must have a specific additional legal justification in order to use it as proposed.
Generally we will rely on the following legal justifications, or ‘grounds’:
Taking steps at your request so that you can enter into a contract with us to receive healthcare services from us.
For the purposes of providing you with healthcare pursuant to a contract between you and us. We will rely on this for activities such as supporting your medical treatment or care and other benefits, supporting your nurse, carer or other healthcare professional and providing other services to you.
We have an appropriate business need to process your personal information and such business need does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, monitoring outcomes and responding to any complaints.
We have a legal or regulatory obligation to use such personal information.
We need to use such personal information to establish, exercise or defend our legal rights.
You have provided your consent to our use of your personal information.
Note that failure to provide your information further to a contractual requirement with us may mean that we are unable to set you up as a patient or facilitate the provision of your healthcare.

We provide further detail on these grounds in the sections below.

Appropriate business needs

One legal ground for processing personal data is where we do so in pursuit of legitimate interests and those interests are not overridden by your privacy rights. Where we refer to use for our appropriate business needs, we are relying on this legal ground.

The right to object to other uses of your personal data

You have a range of rights in respect of your personal data, as set out in detail in sections 69-90. This includes the right to object to us using your personal information in a particular way (such as sharing that information with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.

You will find details of our legal grounds for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications, or grounds, which allow us to do so. You will note that we have set out a legal ground, as well as an ‘additional’ legal ground for special categories of personal information. This is because we have to demonstrate additional legal grounds where using information which relates to a person’s healthcare, as will be the majority of the times we use your personal information.

Purpose 1: To set you up as our patient, including carrying out fraud, credit, anti-money laundering and other regulatory checks

As is common with most business, we have to carry out necessary checks in order for you to become a patient. These include standard background checks, which we cannot perform without using your personal information.

Legal ground: Taking the necessary steps so that you can enter into a contract with us for the delivery of healthcare.

Additional legal ground for special categories of personal information: The use is necessary for reasons of substantial public interest, and it is also in our legitimate interests to do so.

Purpose 2: To provide you with healthcare and related services

Clearly, the reason you come to us is to provide you with healthcare, and so we have to use your personal information for that purpose.

Legal grounds:
Providing you with healthcare and related services
Fulfilling our contract with you for the delivery of healthcare

Additional legal grounds for special categories of personal information:
We need to use the data in order to provide healthcare services to you
The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent

Purpose 3: For account settlement purposes

We will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date

Legal grounds:
Our providing you healthcare and other related services
Fulfilling our contract with you for the delivery of healthcare
Our having an appropriate business need to use your information which does not overly prejudice you
Your consent

Additional legal grounds for special categories of personal information:
We need to use the data in order to provide healthcare services to you
The use is necessary in order for us to establish, exercise or defend our legal rights
Your consent

Purpose 4: For medical audit/research purposes

Clinical audit

We may process your personal data for the purposes of local clinical audit – i.e. an audit carried out by ourselves for the purposes of assessing outcomes for patients and identifying improvements which could be made for the future. We are able to do so on the basis of or legitimate interest and the public interest in statistical and scientific research, and with appropriate safeguards in place. You are, however, entitled to object to us using your personal data for this purpose, and as a result of which we would need to stop doing so. If you would like to raise such an objection then please contact us using the details provided in paragraph 3 above.

We may also be asked to share information with U.K. registries for which ethical approval is not necessarily required but which form part of the National Clinical Audit programme, hosted by NHS England and who provide a list of National Clinical Audit and Clinical Outcome Review programmes and other quality improvement programmes which we should prioritise for participation. We may do so without your consent provided that the particular audit registry has received statutory approval, or where the information will be provided in a purely anonymous form, otherwise your consent will be needed and either we will seek this from you or the registry themselves will do so.

Medical research

We may also be asked to participate in medical research and share data with ethically approved third party research organisations.

We will share your personal data only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects will have received statutory approval such that consent may not be required in order to use your personal data. In those circumstances, your personal will be shared on the basis that:

Legal grounds:
We have a legitimate interest in helping with medical research and have put appropriate safeguards in place to protect your privacy

Additional legal grounds for special categories of personal information:
The processing is necessary in the public interest for statistical and scientific research purposes

In the event that consent is required then either we will seek this from you, or the research agency will do so.

Purpose 5: Communicating with you and resolving any queries or complaints that you might have.

From time to time, patients may raise queries, or even complaints, with us and Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby and we take those communications very seriously. It is important that we are able to resolve such matters fully and properly and so we, as well as Spire Healthcare Hospital/Park BMI Hospital/Nuffield Derby will need to use your personal information in order to do so.

Legal grounds:
Providing you with healthcare and other related services
Having an appropriate business need to use your information which does not overly prejudice you

Additional legal grounds for special categories of personal information:
The use is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional
The use is necessary in order for us to establish, exercise or defend our legal rights

Purpose 6: Communicating with any other individual that you ask us to update about your care and updating other healthcare professionals about your care.

In addition, other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. Further details on the third parties who may need access to your information is set out at section 58 below.

Legal grounds:
Providing you with healthcare and other related services
We have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in your care have a full picture of your treatment

Additional legal ground for special categories of personal information:
We need to use the data in order to provide healthcare services to you
The use is necessary for reasons of substantial public interest under UK law
The use is necessary in order for us to establish, exercise or defend our legal rights

We also participate in initiatives to monitor safety and quality, helping to ensure that patients are getting the best possible outcomes from their treatment and care. The Competition and Markets Authority Private Healthcare Market Investigation Order 2014 established the Private Healthcare Information Network (“PHIN”), as an organisation who will monitor outcomes of patients who receive private treatment. Under Article 21 of that Order, we are required to provide PHIN with information related to your treatment, including your NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland), the nature of your procedure, whether there were any complications such as infection or the need for readmission/admission to a NHS facility and also the feedback you provided as part of any PROMs surveys. PHIN will use your information in order to share it with the NHS, and track whether you have received any follow-up treatment. We will only share this information with PHIN if you have provided your consent for us to do so.

The records that we share may contain personal and medical information about patients, including you. PHIN, like us, will apply the highest standards of confidentiality to personal information in accordance with data protection laws and the duty of confidentiality. Any information that is published by PHIN will always be in anonymised statistical form and will not be shared or analysed for any purpose other than those stated. Further information about how PHIN uses information, including its Privacy Notice, is available at www.phin.org.uk.

Purpose 7: Complying with our legal or regulatory obligations, and defending or exercising our legal rights

As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities which is not possible to list fully here. We may be required by law or by regulators to provide personal information, and in which case we will have a legal responsibility to do so. From time to time, clinicians are unfortunately also the subject of legal actions or complaints. In order to fully investigate and respond to those actions, it is necessary to access your personal information (although only to the extent that it is necessary and relevant to the subject-matter).

Legal grounds:
The use is necessary in order for us to comply with our legal obligations

Additional legal ground for special categories of personal information:
We need to use the data in order for others to provide informed healthcare services to you
The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems
The use is necessary for establishing, exercising or defending legal claims

We are also required by law to conduct audits of health records, including medical information, for quality assurance purposes. Your personal and medical information will be treated in accordance with guidance issued by the Care Quality Commission (England), Health Inspectorate Wales and Healthcare Improvement Scotland

Purpose 8: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice)

In order to do this, we will not need to use your special categories of personal information and so we have not identified the additional ground to use your information for this purpose.

Legal grounds:
Us having an appropriate business need to use your information which does not overly prejudice you.

As a provider of private healthcare services, we need to carry out marketing but are mindful of your rights and expectations in that regard. As a result, we will only provide you with marketing which is relevant to our business and only where you have specifically confirmed your consent to do so.

Legal grounds:
Our having an appropriate business need to use your information which does not overly prejudice you
You have provided your consent

Disclosures to third parties:

We may disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:

A doctor, nurse, carer or any other healthcare professional involved in your treatment
Other members of support staff involved in the delivery of your care, like receptionists and porters
Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer
NHS organisations, including NHS Resolution, NHS England, Department of Health
Other private sector healthcare providers
Your GP
Your dentist
Other clinicians (including their medical secretaries)
Third parties who assist in the administration of your healthcare, such as insurance companies
Private Healthcare Information Network
National and other professional research/audit programmes and registries, as detailed under purpose 4 above
Government bodies, including the Ministry of Defence, the Home Office and HMRC
Our regulators, like the Care Quality Commission, Health Inspectorate Wales and Healthcare Improvement Scotland
The police and other third parties where reasonably necessary for the prevention or detection of crime
Our insurers
Debt collection agencies
Credit referencing agencies
Our third party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers and tax advisers
Selected third parties in connection with any sale, transfer or disposal of our business
We may also use your personal information to provide you with information about products or services which may be of interest to you where you have provided your consent for me to do so.

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

What marketing activities do we carry out?

We may also use your personal information to provide you with information about products or services which may be of interest to you where you have provided your consent for us to do so.

If you no longer wish to receive marketing emails, you can click on the “unsubscribe” link that appears in all of our emails, otherwise you can always contact us using the details set out in section 3 to update your contact preferences.

If you no longer wish to receive non-website based marketing information, please contact us.

Automated Decision Making

An automated decision is a decision made by computer without any human input, and there will be no automated decision-making in relation to your treatment or other decisions which will produce legal or similarly significant effects.

How long do we keep personal information for?

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations.

If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details outlined in section 3.

International data transfers

We (or third parties acting on my behalf) may store or process information that we collect about you in countries outside the European Economic Area (“EEA”). Where we make a transfer of your personal information outside of the EEA we will take the required steps to ensure that your personal information is protected.

We will only do so to the extent that it is relevant and necessary. Under certain circumstances, we may request your consent for such a transfer.

If you would like further information regarding the steps we take to safeguard your personal information, please contact us using the details provided in section 3 above.

Please note that we have listed above the current common transfers of personal data outside of the EEA but it may be necessary, in future, to transfer such data for other purposes. In the event that it is necessary to do so, we will update this Privacy Notice.

Your rights

Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details provided at section 3 above.

There will not usually be a charge for handling a request to exercise your rights.

If we cannot comply with your request to exercise your rights we will usually tell you why.

There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary legislation which regulates the use of personal information.

If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.

Your rights include:

The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how I use it.

Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.

You are entitled to the following under data protection law.
Under Article 15(1) of the GDPR we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:
The purposes for which we use your personal information
The types of personal information we hold about you
Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
If your personal information leaves the EU, how we will make sure that it is protected
Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
If the personal data we hold about you was not provided by you, details of the source of the information
Whether we make any decisions about you solely by computer and if so details of how those decision are made and the impact they may have on you
Your right to ask us to amend or delete your personal information
Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
Your right to complain to the Information Commissioner’s Office

We also need to provide you with a copy of your personal data, provided specific exceptions and exemptions do not apply.

The right to rectification

We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to erasure (also known as the right to be forgotten)

We may update this Privacy Notice from time to time to ensure that it remains accurate, and the most up-to-date version can always be found at www.neurologymidlands.co.uk. In the event that there are any material changes to the manner in which your personal information is to be used then we will provide you with an updated copy of this Privacy Notice.

In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.

The right to restriction of processing

In some circumstances, we must “pause” our use of your personal data if you ask us to do so, although we do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to data portability

In some circumstances, we must transfer personal information that you have provided to us or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.

The right to object to marketing

You can ask me to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting us using the details provided at section 3 above.

The right to withdraw consent
In some cases we may need your consent in order for us use of your personal information to comply with data protection legislation. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting us using the details provided at section 3 above.

The right to complain to the Information Commissioner’s Office

You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

National Data Opt-Out Programme

NHS Digital is currently developing a national programme which will go live on 25 May 2018, pursuant to which all patients will be able to log their preferences as to sharing of their personal information. All health and care organisations will be required to uphold patient choices, but only from March 2020. In the meantime you should make us aware directly of any uses of your data to which you object.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy.

This Privacy Notice was last updated on 5 May 2018.