Privacy Policy | Patients | Ramsay Health

Privacy notices for patients

Key points:

  • Why do we use your personal data? We typically use your personal information for purposes related to your health and to provide you with health care services.
  • We use your sensitive data: In performing our obligations, Ramsay may use information about your health, racial and ethnic origin, and sexual orientation.
  • Sharing data: We may share your data with third parties, including third-party service providers and other entities in the group and regulators if legally required.
  • Security: We respect the security of your personal information and treat it in accordance with the law.
  • International transfer: We may transfer your personal information outside the EU and, if we do, you can expect a similar degree of protection in respect of your personal information.

What is the purpose of this privacy notice?

  • As a health care service provider in the UK, Ramsay is subject to legal obligations when processing your personal information, which are contained in the Data Protection Act 2018, the General Data Protection Regulation 2016/679, and any local or European laws on data protection, as amended from time to time (“Data Protection Laws”).
  • The purpose of this privacy notice is to explain why we collect your personal information, how we intend to use that information, whether we will share your information with anyone else, as well as your right with regard to the information that Ramsay holds about you.
  • It is important that you read this statement so that you know how and why we use information about you. It is also important that you inform Ramsay of any changes to your personal information during the provision of health care services to you by Ramsay so that the information which we hold is accurate and current.
  • This statement applies to all current and former patients of Ramsay.
  • We keep our privacy notice under regular review. Any changes we may make to our privacy policy in the future will be posted on this page.

Who are we?

  • We are Ramsay Health Care UK Operations Limited, a company registered in England and Wales under company number 1532937 and with our registered office at Tower 42, Level 18, 25 Old Broad Street, London, EC2N 1HQ (“Ramsay”).
  • Ramsay is registered as a Data Controller, as defined in the Data Protection Laws, with the Information Commissioner’s Office “ICO”

Our Data Protection Officer

  • Our Data Protection Officer is responsible for auditing our compliance with Data Protection Laws.
  • If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing at DataProtectionOfficer@ramsayhealth.co.uk or alternatively by writing at the following address:

Data Protection Officer
Ramsay Health Care UK Operations Ltd
Level 18 Tower 42 25 Old Broad Street
London
EC2N 1HQ

Who has access to my personal information?

The following Ramsay’s legal entities and health care providers may process your personal information if necessary for a specified legal purpose and subject to the necessary safeguards being in place:

  • Ramsay;
  • The Westbourne Centre Birmingham Limited, with registered address Level 18, Tower 42, 25 Old Broad Street, London, United Kingdom, EC2N 1HQ, and with registration number 06558306;
  • Independent British Health Care (Doncaster) Limited, with registered address Level 18, Tower 42, 25 Old Broad Street, London, United Kingdom, EC2N 1HQ, and with registration number 03043168;
  • Clifton Park Hospital Limited, with registered address Level 18, Tower 42, 25 Old Broad Street, London, United Kingdom, EC2N 1HQ, and with registration number 11140716;
  • Heath care providers providing health care services to Ramsay’s patients in our hospitals through services agreements. Those services include physiotherapy services, cosmetic surgery services, ophthalmology services, MRI services, and X-ray services;
  • The National Health Services (“NHS”).

What type information do we hold about you?

The personal information we may hold about you may include the following:

  • Name
  • Contact details, such as postal address, email address and telephone number
  • Financial information, such as debut and credit card details used to pay us
  • Occupation
  • Emergency contact details, including next of kin
  • Background referral details

We may also process the following more sensitive category of personal data:

  • Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from Ramsay directly and other healthcare providers such as GPs, dentists or hospitals (private and/or NHS)) or need, including about clinic and hospital visits and medicines administered.
  • Details of services you have received from us
  • Details of your nationality, race and/or ethnicity
  • Details of your religion
  • Details of any genetic data or biometric data relating to you
  • Data concerning your sex life and/or sexual orientation

How we collect your personal information

We may collect your personal information including sensitive personal information in a number of different ways, including:

Directly from you

  • When you complete an enquiry form on the Ramsay website
  • When you submit a query to us either through our website, by email or by social media
  • When you correspond with us by letter, email, telephone or social media, including where you reference Ramsay in a public social media post
  • When you use our healthcare services and agree to treatment

Other healthcare providers

We may collect medical records from the persons and bodies below for the purpose of your direct care. These records may include diagnosis, treatment, hospital visits and medication administered information.

  • Your general practitioner
  • Your dentist
  • Other hospitals or treatment facilities you may have been treated at, both NHS and Private
  • Consultants working for Ramsay or third parties, or their medical secretaries
  • Commissioners of healthcare services and regulators

Other third parties

  • Family members or next of kin, with your consent
  • Credit reference agencies
  • Debt collection agencies
  • Your private medical insurance policy provider
  • NHS health service providers
  • Government agencies and regulatory bodies, including HMRC, Ministry of defence and The Home Office

The purpose for which we process your personal information

We may 'process' your personal information for a number of different purposes and each time we use your information we must have a legal justification to do so.

Ramsay may process your personal information only if it can rely on one of the grounds listed in column a.

In order to ensure an additional safeguard, Ramsay may process your “sensitive” personal information if it can rely on one of the grounds listed in column a, and one of the “additional grounds to process your sensitive personal data” (column b) only.

 

Reason:Why we need to process your personal information

 

 

  1. Legal Grounds

     

     

  • Our ground to process your personal information Lawful Basis:

     

     

  • Additional ground to Additional lawful basis (Special category data):process your sensitive personal data

     

     

  • Provide marketing information to you

     

    Your consent

     

    n/a

     

    Contacting you following an enquiry from you by email, through our phone line, our social media pages or our website.

     

    Necessary steps for us to enter into a contract with you

     

    For the provision of health care and/or treatment in pursuant to a contract with us.

     

    Establishing a patient record

     

    Necessary steps for us to enter into a contract with you.

     

    For the provision of health care and/or treatment in pursuant to a contract with us.

     

    To provide you with healthcare , treatment and related services.

     

    Fulfilling our contract with you for the provision of health care and/or treatment

    To protect your vital interest of the vital interests of another person where you are physically or legally incapable of giving consent

     

     

    Providing you with healthcare.

    To protect your vital interest of the vital interests of another person where you are physically or legally incapable of giving consent

     

    To ensure that your account and billing is fully accurate and up-to-date

     

    Fulfilling our contract with you for the provision of health care and/or treatment

     

    Appropriate business need to use your information which does not overly prejudice your rights

     

    We need the use of your data to provide healthcare services to you

     

    The use is necessary in order for us to establish, exercise or defend our rights

     

    Providing improved quality, training including conducting post treatment surveys, but excluding marketing .

     

     

    Appropriate business need to use your information which does not overly prejudice your rights

     

    We need to use the data in order to manage the healthcare services we deliver, including carrying out surveys in order to identify and carry out any necessary improvements

     

     

    Maintaining accounting and financial records, internal audit requirements,

     

    Appropriate business need to use your information which does not overly prejudice your rights

    For compliance with legal obligations

     

    n/a

     

    Disclose information to regulatory bodies (see exception with PHIN below)

     

    To comply with a legal or regulatory obligation

     

    Necessary for reasons of substantial public interest

     

    Necessary to protect against serious cross-border threats

     

    Under the Competition and Markets Authority Private Healthcare Market Investigation Order 2014, we are required to provide the Private Health Care Information Network” (PHIN) with information related to your treatment, including your NHS Number the nature of your procedure, whether there were any complications.

     

     

    Your consent.

     

     

    Necessary for reasons of substantial public interest

     

    Necessary to ensure high standards of quality and safety of health care

     

    To answer any complaint or legal claim from you

     

    To establish, exercise or defend our legal rights

     

     

    Necessary for the establishment, exercise, or defence of legal claims

     

    Communicating with third party, share updates about your care (e.g. insurance companies) and updating other healthcare professionals about your care (e.g. NHS) .

     

    Fulfilling our contract with you for the provision of health care and/or treatment

    Appropriate business need to use your information which does not overly prejudice your rights

     

     

    Necessary for the provision of health care or treatment or the management of health care systems pursuant to contract with a health professional

     

    Necessary for reasons of public interests in the area of public health and ensuring high standards of quality and safety of health care

     

    Using your information held on our systems, such as Electronic Patient Record, Finance System to test these applications

     

    Appropriate business need to use your information which does not overly prejudice your rights

     

    To manage health care services, including carrying out surveys (which are not a form of marketing) in order to identify and carry out any necessary improvements

     

    Use of closed-circuit television (CCTV) throughout Ramsay sites for security purposes

     

    Appropriate business need based on safety and security to use your information which does not overly prejudice your rights

     

    n/a

     

    We may need to share your information, in pseudonymised form, with our IT service desk to resolve system issues

     

    Appropriate business need based on the functioning, maintenance and functioning of Ramsay’s IT system

     

    n/a

     

    Please note that failure to provide us with your personal information (including your sensitive information) may mean that we are unable to set you up as a patient, or provide you with the required treatment, or facilitate the provision of your healthcare on Ramsay’s systems, or

    How we communicate with you

    When you get in contact with us or register as a patient with us we will ask you to complete a registration form and/or a ‘How we communicate with you’ form, which can be downloaded here: How we communicate with you

    We will communicate with you by your preferred method (by telephone, SMS, email, and/or post). If we contact you using the telephone number(s) which you have provided, and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message

    In accordance with the preferences you have communicated to us, We may need to contact you to:

    • ensure that we provide you with updates and/or reminders regarding your appointment
    • provide you with your medical information (including test results and other clinical updates) and/or invoicing information;
    • respond to email enquiries;
    • respond to telephone enquiries;

    How long do we keep your personal information and where it is stored

    Our retention policy is in line with the Records Management Code of Practice for Health and Social Care 2016, and applicable laws as amended from time to time.

    All non-medical records we hold about you will be kept in compliance with applicable legal obligations.

    The information we collect and hold about you is held securely within the United Kingdom and stored in either paper format or held on our secure servers.
    Records that have completed the specified retention period will be destroyed in line with the British Standard Code of Practice for the Secure Destruction of Confidential Material (BS EN 15713:2009).

    Sharing of your personal information with third parties

    We will share your personal information with third parties when it is appropriate and necessary to do so only, including the following:

    • Your consultant (including their medical secretaries),
    • nurse, carer or any other healthcare professional involved in your treatment
    • Receptionists and, porters
    • Your emergency contact, for example your next of kin or carer
    • NHS organisations and the Department of Health
    • Other private sector healthcare providers
    • Your general practitioner
    • Your Dentist
    • Third parties who assist in the administration of your healthcare, such as insurance companies
    • Private Healthcare Information Network (“PHIN”)
    • National and other professional research/audit programmes and registries
    • Government bodies, including the Ministry of Defence, the Home Office and HMRC
    • Regulators, including the Care Quality Commission, Health Inspectorate Wales and Healthcare Improvement Scotland, Medicines and Healthcare products Regulatory Agency
    • The police and other third parties where reasonably necessary for the prevention or detection of crime
    • Private medical insurers
    • Debt collection agencies
    • Credit referencing agencies
    • Suppliers of medical devices
    • Third party service providers such as IT suppliers , auditors, lawyers, marketing agencies, document management providers and tax advisers
    • Selected third parties in connection with any sale, transfer or disposal of our business

    In the interests of training and continually improving our services, enquiry calls to Ramsay Hospitals may be monitored or recorded. Enquiry calls recorded will be held for a period of 90 days by our third party call tracking supplier, Infinity Tracking Ltd. Private calls to and from patients in our hospitals are not recorded. Enquiry calls will also be tracked for analytical purposes to monitor the marketing source of the call such as Search Engine, Pay Per Click Advertising or Print Advertisements.

    Third parties we contract with are under an obligation to comply with Data Protection Laws at all times.

    Transfers to third parties outside EEA

    Your personal information may be held outside of the European Economic Area (“EEA”) where the organisation paying for your treatment is based outside the EEA. You will in that case be subject to the privacy policy of that third party.

    We may have a legitimate interest to send your personal information to a supplier based outside of the EEA, subject to reasonable steps to ensure the security of your personal information in accordance with Data Protection Laws.

    External websites

    Your consultant will have its own privacy notice in place to which you will be subject. We would therefore recommend that you consult their policy before or when starting your treatment with them.

    Your rights regarding your personal information

    You have certain rights in relation to the personal information that we hold about you under Data Protection Laws. You may exercise these rights at any time by contacting us using the details set out at the beginning of this privacy notice.

    Reasonable requests are free of charge. Requests will usually be processed within one calendar month of receipt, unless it is a complex request. We may reasonably need more information from you to answer your request or to identify you and we will wait until we have the necessary information before dealing with your request.

    If we cannot comply with your request to exercise your rights we will usually tell you why. Ramsay, as a health care provider, is subject to legal and regulatory obligations which may limit or restrict the enforcement of your rights on some occasions, as stated below.

    Your rights include:

    The right to request access your personal information (also known as ‘Subject Access Request’)

    Ramsay is committed to facilitate the exercise of your rights as data subjects. You can find out if we hold any of your personal information by making a ‘Subject Access Request’ (“SAR”). You can make a SAR either verbally or in writing. It is recommended that you make your request in writing directly to the Hospital/facility holding your records and clearly set out what data you wish to access. Please include the following information when making your request:

    • Your name and preferred contact details
    • Your hospital number and/or your DOB
    • Any details relating to your request (type of document requested, and timeframe covered (e.g. in the case of X ray, date you had the appointment))

    Alternatively you can download our Access to Health Records Guidance, complete the attached form and send back to the Hospital where you were treated, addressed to the Data Protection Lead.

    You may also make a request directly to our Data Protection Officer (contact details provided at the beginning of this privacy notice).

    The right to rectification

    You may ask us to rectify any personal information we hold about you if your circumstances have changed or the information is no longer valid.

    The right to erasure (also known as the right to be forgotten)

    You may ask us to delete some personal information we hold about you but this will be subject to any legal obligations we need to comply with in terms of retention period, public interest, public health, or for the purposes of establishing, exercise or defending legal claims.

    The right to restriction of processing

    We may amend the scope of the processing of your personal information upon your request, unless we need to keep your personal information in order to perform tasks which are in the public interest, including but not limited to public health, or for the purposes of establishing, exercise or defending legal claims.

    The right to data portability

    You may ask us to transfer personal information that you have provided to us to you or (if this is technically feasible) another individual / organisation of your choice.

    The right to object

    This includes the right to object to Ramsay using your personal information in a particular way (such as sharing that information with third parties), and we must stop using it in that way unless specific we need to retain that information to defend a legal claim brought against us, or is otherwise necessary for the purposes of your ongoing treatment.

    If you wish to be removed from our marketing emails, you can do this by either contacting the Data Protection Officer, (contact details provided at the beginning of this privacy notice). If you receive marketing information by email you may click on the ‘unsubscribe’ link embedded within the email sent to you.

    The right not to be subject to automatic decisions (ie decisions that are made about you by computer alone)

    We do not use profiling and/or make decisions about you based on wholly automated processing of your personal information.

    The right to withdraw consent

    When we rely on your consent to process your personal information, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting our Data Protection Officer.

    The right to complain to the Information Commissioner's Office

    You may complain to the Information Commissioner's Office (“ICO”) if you have any questions about the way that we have dealt with a request from you to exercise any of these rights, or if you think we are not compliant with Data Protection Laws. Making a complaint will not affect any other legal rights or remedies that you have.

    You may contact the ICO here https://ico.org.uk/make-a-complaint/

    Data Security measures

    Ramsay is committed to ensuring the privacy and confidentiality of your personal information within its control. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. Although the transmission of information via the internet is never completely secure, we will use our best endeavours to protect your information from loss, misuse or alteration when it is within our control in compliance with all applicable and Data Protection Laws.