Privacy notice for patients
Please view in conjunction with our COVID-19 Privacy Statement
What is the purpose of this document?
We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.
Please read this privacy notice carefully, as it contains important information about how we process your personal and health related information we collect and use, both during and after your care and treatment with us in accordance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (2018)
A leaflet of how we handle your data is available also here: leaflet information.
Children accessing our services can follow the link to the Children’s Policy here.
We are Ramsay Health Care UK. Our Head Office is located at Tower 42, Level 18, 25 Old Broad Street, London, EC2N 1HQ (“Ramsay”). We are a ‘Data Controller’. This means that we are responsible for deciding how we hold and use information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to prospective, current and former patients.
This notice does not form part of any contract to provide services. We may update this notice at any time and if we do so, an updated copy of this notice will be available on our website.
It is important that you read and retain this notice, together with any other data privacy information we may provide on specific occasions, when we are collecting or processing information about you. This is to ensure you are aware of how and why we are using such information and what your rights are under the data protection legislation.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
3. Relevant to the purposes we have told you about and limited only to those purposes
4. Accurate and kept up to date
5. Kept only as long as necessary for the purposes we have told you about
6. Kept securely
7. We are accountable for our data processing activities
Our Data Protection Officer
- Our Data Protection Officer is responsible for monitoring our compliance with data protection legislation.
- If you have any concerns or questions about our use of your personal information or how your individual rights are honoured, you can contact our Data Protection Officer by email at DataProtectionOfficer@ramsayhealth.co.uk or alternatively by writing to the following address:
Data Protection Officer
Ramsay Health Care UK Operations Ltd
Level 18 Tower 42 25 Old Broad Street
The kind of information we hold about you and why ?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed and cannot be re identified (anonymous data).
There are certain types of more sensitive personal data which requires a higher level of protection, such as information about a person's health. We have appropriate safeguards and in place to protect this data.
In order to provide healthcare services to you, we need collect, store, and use information about you. We may receive information from you, your referring healthcare provider or health care professionals involved in your care. We may also receive information from third parties such as your insurance provider (as applicable), social care services or other relevant third parties. The collection of data will depend on your relationship with us, but may include data such as:
- name, title, addresses, telephone numbers, and personal email addresses
- marital status, date of birth and gender
- next of kin, emergency contact or carers as applicable (where it is expected you have informed them of your providing their details to us)
- your GP
- NHS Number
- your communication preferences
- payment methods for self-pay
- private medical insurance details including contact information
- CCTV images (when you visit our sites)
Special Category or Sensitive Data (as defined in data protection legislation) that we may collect for the purpose of providing healthcare services to you requires a higher level of protection. We have lawful basis and safeguards in place to protect the processing of this data:
- racial or ethnic origin
- religious or philosophical beliefs
- sex life or sexual orientation
- genetic data
- health data
- contact we have had with you, such as appointments and services
- health related information related to services provided or to be provided, including but not limited to: full medical history which may include past and current illnesses, health conditions, mental health, medications, previous surgeries, allergies
- notes and reports related to your health to support your care and treatment
- details and records about your treatment and care
- results of diagnostic tests. For example: x-rays, laboratory tests, scans
- vaccination history and status
The information collected from you and others is collectively known as your patient record. Your patient record may be held in hand written format (manual record) or on a computer system (electronic). Information held within your patient record is used for your direct care purposes and to check and review the quality of care you have received (called clinical audit and clinical governance). Financial/payment records will also be held for the management of payment either NHS funded, self-funded, or via Private Medical Insurance for services provided under a contract. Data not part of your patient or financial record, for example CCTV images will be held on those systems.
Your care providers will endeavour to ensure that your patient records are kept up-to-date, accurate, secure and appropriately accessible to those involved in the provision of your care and treatment. Please ensure you update us on any changes to your contact information or any other relevant details so we can update your record accordingly.
How will we use the information about you?
We may 'process' or collect, store, use and share your personal information for a number of purposes. To do this, we must have a lawful basis that we rely on to be compliant with data protection legislation:.
1.The primary lawful basis that we rely on to collect, store, use, and share your personal and health information for direct care, the administration of direct care services (prevention, investigation and treatment), and the planning of healthcare services under Data Protection Legislation are as follows:
For NHS Referred patients:
The performance of a task carried out in the public interest or in the exercise of official authority…’ Article 6(1)(e) ‘
Where NHS England commission health services under the NHS Act 2006 or NHS Clinical Commissioning Groups (CCGs) with devolved powers from NHS England to commission health services under the Health and Social Care Act in 2012. This includes the services or treatments provided and any associated billing, audit or necessary reporting.
For Self Pay and Private Medical Insurance patients:
Contract: To deliver contractual services to an individual Article 6 (1) (b)
This is necessary to enable us to carry out our obligations to you arising from any contract in the process of or being entered into between us and you. This includes the services or treatments provided by us to you and the associated billing, accounting, audit and payment verification, and any necessary reporting.
For Personal data concerning health and other special categories of personal data:
Article 9(2) (h) ‘…for the medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
We may also use your personal information in the following situations:
2. Vital Interests: Article 6 (1) (d)
There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual’s life.
3. Legal Obligation: Article 6 (1) (c)
Sometimes we are required by law to collect and/share your information. Examples of this may include: to safeguard children or vulnerable adults, where it is in the wider public interest (including public health), detection or prevention of a serious crime, to defend a legal claim, reporting to DVLA, or where required by court order.
4. Legitimate interests: Article 6 (1) (f)
Where processing is necessary for the purposes of our legitimate interests or a third party and your interests and fundamental rights do not override those interests.
5. Consent: Article 6 (1) (a)
Consent under data protection legislation will not be the basis for providing you with healthcare services. However, your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information. For example, if you wish to sign up to receive marketing information from us, or to release your information to a third party (who we do not have a lawful basis to share your information with). Where consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.
Some of the above grounds for our processing will overlap and there may be several grounds which justify our use of your personal information.
If you fail to provide personal information
Failure to provide us with your personal information (including your health related information) may, dependant on what is withheld, result in our inability to fulfil our contractual and other legal obligations. Therefore, we would be unable to register you as a patient, provide you with the required treatment, or facilitate the provision of your ongoing healthcare needs.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Direct Care Services and Who We May Share Your Information to and Why
Safe and effective care is dependent upon relevant information being shared between all those involved in caring for a patient. When an individual agrees to being treated by the wider care team, it creates a direct care relationship between the individual patient, the health and social care professional and team. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for the purpose of their direct care. This duty is subject to the Common Law Duty of Confidentiality, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018. Your personal information will only be shared in accordance with your rights under these laws.
You have the right to raise an objection to your health information being shared for your direct care, but in some circumstances this may delay or affect the care you receive. Always consult your relevant health professional before deciding to opt out of sharing your information, as they will be able to advise you on the possible outcomes of this decision.
We may share your information with individuals or organisations involved in your direct care where there is a legitimate reason to do so i.e.: they require relevant information to assist them in the effective provision of your direct healthcare needs. The type of individuals and organisations we may share your information with for your direct care includes, but not limited to:
a. Consultant with practicing privileges: A consultant may make decisions about what information is collected and held on our shared records about you, and may maintain their own set of medical records in relation to the treatment that they provide. They are a Data Controller in respect of your personal information which they hold within their records, meaning that they must comply with the data protection legislation when handling your personal information. Your consultant may also contract with their own service providers i.e. external medical secretaries, or external parties that provide billing services. They will remain responsible for your personal information obtained in respect of those services.
b. People and Organisations involved in your care: Health and social care professionals, including support personnel (including but not limited to: consultants, medical secretaries, receptionists, nurses, allied health professionals, porters, volunteers, and other members of the direct care support team). Personal and payment information will be shared with the relevant finance department for the purposes of appropriate billing of services provided.
c. Diagnostic and medical devices suppliers: Diagnostic testing organisations are provided with relevant information to provide diagnostic tests or allow contact with you to book a test/procedure. Medical device suppliers are provided with your information to support in the development and or supply of medical devices for you.
d. Pharmacies: Pharmacists are provided with relevant information to fulfil a prescription or to allow contact with you and to provide relevant prescriptions and supporting advice.
e. Referrals such as hospital appointments/specialists/dentists/GPs for ongoing care/continuing health care services/community services (including mental health and social services) and CCG approvals for certain NHS health services: When referrals are made for patients to a NHS or private health or social care provider, a record of the patient’s health history is typically included to assist the receiving healthcare professional make a holistic assessment and/decision. This is important, because removal of areas of the history that could be considered relevant, may affect the outcome of referrals and treatment. If there are areas of your healthcare history that you do not want shared, please raise this with your healthcare professional who holds that data.
Electronic patient record sharing Regional health and social care initiatives that promotes the safe, transparent sharing of your healthcare records for the purpose of your direct care needs. To ensure partner organisations involved comply with the law and to protect the use of your information, robust data sharing agreements and arrangements are in place to ensure your data is always protected and used for the intended purpose of your direct care needs.
f. Video and telephone consultations are an alternative to face to face appointments. There may be instances where we offer you an appointment via telephone or video consultation. By accepting the invitation and entering the consultation you are agreeing to this. Your personal/confidential patient information shared on the consultation will be safeguarded in the same way it would with any other consultation with relevant information added to your patient record.
Video or audio consultations/appointments are not typically recorded, but if they are, your permission will be sought as to the purpose and use of the recording i.e.: for direct care purposes: diagnosis, treatment or care. If, as part of the consultation, still images or photographs are taken/obtained and are to be kept, they will be securely stored as part of your patient record. Saved recording or images will be stored as part of your patient record in line with our policies.
If the recording/images are to be used for any other reason than what the original permission was obtained for, then further permission from you would be required prior to that use.
If recordings or still images obtained are no longer needed (i.e.: adequately described in the clinical notes) then the recording/ images will be confidentially and securely destroyed as per our policies.
g. Third party data processors We use data processors who are third parties, to provide technical, administrative and support services to assist us with the delivery of health care services to you. We have robust contracts and agreements in place and will only disclose personal information that is necessary to provide the service that they are undertaking on our behalf. They cannot do anything with your personal information unless we have instructed them to. They will not share your personal information with any organisation apart from us unless they have an overriding legal obligation to do so. They will hold it securely and retain it for the period we instruct. This includes such services as: clinical systems, system support services, document storage and destruction services, telephony system suppliers, digital scanning and dictations services.
h. Depending on how you are funded:
For NHS patients: We provide information to the NHS funding organisation about your treatment and associated clinical requirements. We only provide relevant information to which they are entitled. Contacts and agreements are in place for this purpose.
For Private Medical Insured patients: We provide information about your treatment, clinical requirements and cost. We only provide relevant information to which they are entitled. Contacts and agreements are in place for this purpose.
Debt collection agencies. If a debt remains outstanding after the specified timeframe for payment, where no payment plan is in place, or an agreed payment plan is not being adhered to, we may initiate proceedings to recover the unpaid amount. As a result, we will share your relevant personal contact details and amount owed for the service(s) agreed with our appointed recovery specialists for the purpose of debt recovery. Contacts and agreements are in place for this purpose.
Non Direct Care Where Your Information May Be Used and Shared
Whenever you use a health or care service, such as hospital appointments and admissions, GP appointments, Accident & Emergency, or using community care services, important information about you is collected to help ensure you get the best possible care and treatment. In addition, this information may also be used by us and other approved organisations for non-direct care purposes, where there is a lawful basis to help with: planning services, improving care, research into developing new treatments, and preventing illness. All of this helps in providing better care to you and your family and future generations. Anonymised information (where you cannot be identified) will be used for non-direct care purposes whenever possible. Confidential information about your health and care is only used in this way where the law allows and shared in alignment with the National Data Opt-Out Policy.
We are legally obliged to share information in some circumstances. For example, to comply with a statutory obligation, a court order or where a regulatory body has requested access to certain information under their statutory powers as part of their duties to investigate complaints, accidents or health professionals’ fitness to practise.
In any event, we will ensure that we have a lawful basis on which to share the information.
We may use your information beyond your direct care, where we have a lawful basis and compliance with data protection legislation. Wherever possible data is anonymised or pseudonymised so you cannot be identified directly from the data. We may use data for the following types of non-direct care purposes:
- Audit our accounts and services
- Investigate complaints, legal claims or untoward incidents
- Make sure our services meet the needs of our patients in the future
- Prepare statistics on our performance
- Review the care we provide to ensure it is of the highest standard
- Teach and train healthcare professionals Conduct health research and development
- Review cost of services where applicable
We may share your information with organisations beyond your direct care where there is a legal and legitimate reason to do so:
a. National Data Opt-Out The national data opt-out is a service which enables patients receiving NHS funded care to opt-out from the use of their data beyond their individual care or treatment (for example research or planning purposes), unless there are overriding legal exemptions that apply. All healthcare providers are required to be compliant with the national data opt-out programme by 31 March 2022.
We will comply with this requirement by applying opt-outs to data requests that are in scope of the National Data Opt-out. This means that if there is a data request that is in scope of the National Data Opt-out, and you have provided your NHS number to us and registered your choice with the National Data Opt-out programme, your data would not be shared by us.
To find out more or to register your choice to opt out, please visit here or by calling 0300 303 5678 Your individual care will not be affected if you have applied the National Data Opt-out.
b. Private Healthcare Information Network (“PHIN”) is the independent government mandated source of information on privately funded care in the UK. As the official ‘information organisation’ under the Competition & Markets Authority (CMA) Private Healthcare Market Investigation Order 2014 (as amended). Data provided cannot directly identify you; it is pseudonymised, where personal identifiers are replaced with a key-code. PHIN do, however, recognise that the data they hold is still considered personal and confidential under data protection legislation and apply appropriate safeguards to this. Please see PHIN privacy notice for more information https://www.phin.org.uk/about/our-privacy-policy
c. Professional Regulatory Body Investigations
Have the legal powers to request information that would assist them in their regulatory functions in relation to fitness to practise investigations of regulated medical, nursing, pharmaceutical, allied health and social care professionals. Only relevant information is provided and where possible, data will be anonymised.
d. Care Quality Commission Access to Health Records
CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator. This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.
e. Medicines and Healthcare Products Regulatory Agency (“MHRA”) Parameters for sharing information that are justified are in place. The MHRA cannot disclose information if it would breach data protection legislation and can only be disclosed where it is considered necessary and proportionate.
f. NHS Digital, NHS England, Public Health England and the Department of Health and Social Care: Certain directives are in place from the Secretary of State for Health and Social Care to provide confidential information. This is a mandated under specific directions. Typically, the data provided is pseudonymised, meaning it cannot directly identify you, as personal identifiers are replaced with a key-code. As this data could be re-identified by those authorised to do so, this data is still considered identifiable and as such, robust safeguards to protect data are put in place.
g. National and other professional research/audit programmes and registries Health and social care research, audits and registries may be conducted and managed by organisations commissioned by the NHS, other health and social care organisations, universities, or commercial research and audit partners for such purposes as developing new treatments and improving healthcare outcomes. We always ensure that data protection and confidentiality laws are followed to protect your data, this includes compliance with the National Data Opt-Out Policy where applicable.
h. The courts, DVLA, police, other third party law enforcement agencies. Examples include The Ministry of Defence, The Home Office Where legally required by court order or as written in law, or where reasonably necessary for the prevention or detection of crime. We always confirm the lawful basis, proportionality of the data requested and comply with our data protection obligations.
i. Third party organisations who provide elements of services to us for the planning, management and auditing of healthcare services and to support us in defending a legal claim. Wherever possible and depending on purpose, de- identified or anonymised data will be shared. We have contracts and agreements in place for these services.
Where suppliers are engaged as our processors, they will only process data as instructed by us. We only share data that is proportionate and relevant to the service and where there is a lawful basis for the processing. They will not share your personal information with any organisation apart from us unless there is an overriding legal obligation to do so. We have contracts and agreements in place for these services.
j. Private Medical Insurers funding audits. Where you have received private medical insurance funding for a service provided by us, the insurer may conduct audits for the purpose of reviewing specific services and billing provisions as outlined in contracts and agreements. Data is anonymised or pseudonymised wherever possible.
k. Third party representative (family, friend, solicitor or Power of Attorney (PoA)T who you have given your consent, or who has PoA granted, to view or receive your record, or part of your record under your Right of Access. Please note, if you give another person consent to access your record we may need to contact you to verify/clarify your consent and request before we release the record. It is important to us that you are clear and understand how much information and what aspects of your record will be released to another individual on your behalf.
l. Third party organisations who you have given your consent to view or receive your record, or part of your record. We may also need to clarify with you and the requesting organisation the purpose of the data sharing request, to ensure we to meet our data protection obligations and to justify the disclosure.
In any data sharing scenario, we will have a lawful basis on which to share the information prior to doing so.
We will not sell or share your information for direct marketing.
How we communicate with you
In order to provide you with accurate and timely information about your appointments and treatment with us, we will need to contact you. Ensuring we use the best method of communication is vital. We may contact you using text messaging for appointment and other services on the mobile number you have provided and where you have given us permission to do so. You are able to ‘opt out’ of this service by following the instructions on your message or contacting us to change this preference.
We may also use your email address you have provided to inform you about the services you requested information about or are scheduled to receive (if you have indicated this as a preferred method of communication). You can change your mind at any time by letting us know.
Please note that we will use encrypted emails which means that no one can see or tamper with the data while it is being transferred across the network or internet to you. Your own emails to may not be encrypted, so you will need to consider this for any information you are emailing to us. All other communication channels will be available, and you will be asked to provide your preferences, most likely during your first attendance or via our online registration tool.
In accordance with the preferences you have communicated to us, we may contact you to:
- ensure that we provide you with updates and/or reminders regarding your appointment
- provide you with your medical information (including test results and other clinical updates) and/or invoicing information;
- Communicate with you about any concerns you have raised
- respond to email enquiries;
- respond to telephone enquiries;
- respond to website enquires
- provide marketing materials where you have indicated you wish to receive them
How Long Do We Keep Your Information?
In line with our internal record management policies, we will retain/store your health record for as long as necessary to provide the services set out in this Privacy Notice. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Please contact us for further details.
The information we collect and hold about you is held securely within the United Kingdom and stored in either paper format or held on our secure electronic servers.
This is to ensure that information is properly managed and is available when there is a justified need for that information, including to support the delivery and management of patient care and clinical audits, as well as our legitimate interests, and to meet legal requirements.
Records that have completed the specified retention period will be reviewed and if retention no longer needed, will be securely destroyed in line with our policies.
If we will no longer be offering services, you will be notified of this change and you will be provided further information on the secure transfer of your record to a new provider.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
The Law gives you certain rights about the personal and healthcare information that we hold about you. Some of these rights are not absolute and will depend on the lawful basis we rely on for the processing of that data. We will comply with your request, where the law allows. Where we are unable to comply with your request will inform you of this.
We typically have one calendar month to reply and give you the information that you require or explain why we are unable to fulfil your request. If you have made a number of requests or your request is complex, we may need extra time to consider your request and can take up to an extra two months to respond. If we are going to apply an extension, we let you know within one month that we need more time and why.
You can make a request via electronic means, verbally or in writing but we will need to verify who you are and may need to clarify the request with you to ensure we have understood correctly.
If we provide you with a form to complete, this is not mandatory, but may assist in our understanding your request and preventing any delays. If we have any questions we will contact, you.
Under certain circumstances, depending on the lawful basis we are processing your data, you have the right to:
Subject Access Requests (SAR)
You have the right to see what information we hold about you and to request a copy of this information. Under data protection legislation, certain exemptions may apply and for this reason, some information may be withheld.
Sometimes information about third parties may be recorded on your records. We are under an obligation to make sure we also protect the third party’s rights and to ensure that references to them which may breach their rights to confidentiality, are removed before disclosing any information to a third party, including yourself. Third parties’ information can include, but not limited to: spouses, partners, other family members etc.
We will provide this information free of charge however, we may apply a reasonable administrative fee for any extra copies or repetitive requests. If applicable, we will discuss this with you at the time of your request.
If you have consented to a third party representative to request a SAR on your behalf (friend, relative, solicitor), we require the third party to supply us with evidence of your permission to act on your behalf. Due to the confidentiality and sensitivity of health related information, if we are unsure about the permission provided or think you may not be aware of the extent of what would be disclosed in the request, we may contact you to review and confirm the request prior to proceeding.
Right to Restriction of Processing
You have the right to request we restrict processing your information while the accuracy, lawful basis, or the legitimate use of the information is being reviewed.
Right to Rectification/Correction
We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details, including your email address or mobile phone number has changed. You have the right to have any mistakes or errors corrected and we will do so in line with record management procedures. However, we are not aware of any circumstances in which you will have the right to delete health related information from your records that is deemed accurate, including the opinion of the health care professional, in the provision of healthcare services. Please contact us if you hold a different view.
Right to be Forgotten
This right typically would not apply if the processing is necessary for health purposes, ensuring high standards of quality and safety of health, preventative or occupational medicine; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.
If there are instances of a specific processing activity where you believe the right to be forgotten could be applied to the information we hold about you, please contact us to review your request.
Right to Object
This right applies to the processing of your personal information where we are relying on certain lawful basis (public task or legitimate interest).
You have the right to object at any time where we are processing your personal information for direct marketing purposes.
If there are instances of a specific processing activity where you believe the right to object could be applied to the information we request or hold about you, please contact us to review your request.
Please note that there may be times where there are reasons or legal grounds that override the objection of an individual.
Right to Portability
The right to request portability is only available where the processing is based on the lawful basis of consent or contract, where information was provided by the individual directly, and the processing is automated. If there are instances of a specific processing activity where you believe the lawful basis allows the right to portability, please contact us to review your request.
The right to withdraw consent
Generally, we will only ask for your consent for processing your information under a UK GDPR and DPA 2018 lawful basis, when no other legal grounds apply. For example, for direct marketing communications or to release your information where there is not an alternative lawful basis to do so. In these circumstances, we aim to be clear and transparent about why we need your consent. Where we rely on your consent to process your personal information, you have the right to withdraw your consent by contacting us and we will stop the processing for which the consent was obtained.
Right to be informed of automated decision making including profiling
Currently we do not use automated decision making as part of our processing activities.
Transfers to third parties outside EEA
Your personal information will typically be held within the UK or at times, by our contracted processors or suppliers in the European Economic Area (“EEA”). We may have a legitimate reason to send your personal information to a supplier based outside of the EEA, subject to reasonable steps to ensure the security and protection of your individual privacy rights in accordance with data protection legislation. Where we are sending your data outside the EEA, we will ensure appropriate safeguards are in place prior to such transfers so that a similar level of data protection is applied.
The only website this Privacy Notice applies to is our website. If you use a link to any other website from ours, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.
The purpose for processing the information is for quality, security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests where rights and interests are fully considered and protected.
CCTV is in operation in our facilities. It has been installed solely for the safety and security of our patients, staff, visitors and our property; to prevent and deter crime. Images are recorded 24 hours a day and stored on the hard drives of the recording devices that are situated in secure areas. Only those with authorised permissions will have access to the system. The CCTV only records images and does not record audio. All CCTV recordings are typically stored on our recording devices for 30 days before being deleted. There are signs in and around our facility premises to inform that CCTV is in use. We will only ever share information with the relevant internal personnel/law enforcement authorities in connection with the safety and security of patients, staff, visitors and our property. Will not share with any other third parties.
The purpose for processing the information is for security, prevention and detection of crime and safety reasons.
Any CCTV used in our London office is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.
B. Telephone Recordings
Please note: this section does not apply to Telephone Consultations. Please see Section: Video and telephone consultations for information about how we collect, use and store telephone consultation data. We may record both incoming and outgoing telephone calls for monitoring and quality purposes. If recordings are in place, there are messages on our phone lines indicating the use of voice recording, or we will inform you before a recording commences. Where recordings are made, they will be stored and retained as per our internal policies.
We will only ever share information with the relevant personnel/ authorities in connection with the safety and security of patients, public and staff and will not share with any other third parties.
The purpose for processing the information is for quality, security and safety reasons.
Data Security measures
We have put in place measures to protect the security of your information. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
Ramsay Healthcare UK is committed to ensuring the privacy and confidentiality of your personal information within its control. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. Although the transmission of information via the internet is never completely secure, we will use our best endeavours to protect your information from loss, misuse or alteration when it is within our control and in compliance with all applicable and data protection Legislation.
Right to Complain to the Information Commissioner's Office (ICO)
You may complain to the Information Commissioner's Office (“ICO”) if you have concerns about the way we are handling your personal information or requests under your individual rights.
Information on raising a concern with the ICO can be found here.
Telephone: 0303 123 1113 or
Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
You may find a copy of this Privacy Notice on our website, or a copy may be provided on request.
Content Last Reviewed: 29.11.2021