Privacy notice for patients


What is the purpose of this document?

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice carefully, as it contains important information about how we process your personal and health related information that we collect and use, both during and after your care and treatment with us, in accordance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (2018).

A leaflet of how we handle your data is available also here: leaflet information.

Children accessing our services can follow the link to the Children’s Policy here.

We are Ramsay Health Care UK. Our Head Office is located at Tower 42, Level 18, 25 Old Broad Street, London, EC2N 1HQ (“Ramsay”). We are a ‘Data Controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

This notice applies to prospective, current and former patients.

This notice does not form part of any contract to provide services. We may update this notice at any time and if we do so, an updated copy of this notice will be available on our website.

It is important that you read and retain this notice, together with any other data privacy information we may provide on specific occasions, when we are collecting or processing information about you. This is to ensure that you are aware of how and why we may use such information and what your rights are under the data protection legislation.

Data protection principles

We will comply with data protection law. Accordingly, the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
3. Relevant to the purposes we have told you about and limited only to those purposes
4. Accurate and kept up to date
5. Kept only as long as necessary for the purposes we have told you about
6. Kept securely
7. We are accountable for our data processing activities

 

Our Data Protection Officer


Data Protection Officer
Ramsay Health Care UK Operations Ltd
Level 18 Tower 42 25 Old Broad Street
London
EC2N 1HQ

 

The kind of information we hold about you and why?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed and cannot be re identified (anonymous data).

There are certain types of more sensitive personal data which requires a higher level of protection, such as information about a person's health, sexual orientation or information about criminal convictions. We have appropriate safeguards and in place to protect this data.

In order to provide healthcare services to you, we need collect, store, and use information about you. We may receive information from you, from your referring healthcare provider or health care professionals involved in your care. We may also receive information from third parties, such as your insurance provider (as applicable), social care services or other relevant third parties. The collection of data will depend on your relationship with us, but may include data such as


Special Category or Sensitive Data (as defined in data protection legislation) that we may collect for the purpose of providing healthcare services to you requires a higher level of protection. We have lawful basis and safeguards in place to protect the processing of this data:

How is your person information collected?

The information collected from you and others is collectively known as your patient record. Your patient record may be held in hand written format (manual record) or on a computer system (electronic). Information held within your patient record is used for your direct care purposes and to check and review the quality of care you have received (called clinical audit and clinical governance). Financial/payment records will also be held for the management of payment either NHS funded, self-funded, or via Private Medical Insurance for services provided under a contract. Data not part of your patient or financial record, for example CCTV images will be held on those systems.

Your care providers will endeavour to ensure that your patient records are kept up-to-date, accurate, secure and appropriately accessible to those involved in the provision of your care and treatment. Please ensure you update us on any changes to your contact information or any other relevant details so we can update your record accordingly.

 

How will we use the information about you?

We may 'process' or collect, store, use and share your personal information for a number of purposes. To do this, we must have a lawful basis that we rely on to be compliant with data protection legislation:

1. The primary lawful basis that we rely on to collect, store, use, and share your personal and health information for direct care, the administration of direct care services (prevention, investigation and treatment), and the planning of healthcare services under Data Protection Legislation are as follows:

For NHS Referred patients:

The performance of a task carried out in the public interest or in the exercise of official authority…’ Article 6(1)(e) ‘

Where NHS England commission health services via Integrated Care Boards (ICB) under the Health and Social Care Act or NHS providers directly contract with us. This includes the services or treatments provided and any associated billing, audit or necessary reporting.

For Self pay and private medical insurance patients:

Contract: To deliver contractual services to an individual Article 6 (1) (b)

This is necessary to enable us to carry out our obligations to you arising from any contract that is in the process of, or has been entered into, between us and you. This includes any services or treatments provided by us to you and the associated billing, accounting, audit and payment verification, and any necessary reporting.

And

For Personal data concerning health and other special categories of personal data:

Article 9(2) (h) ‘…for the medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

We may also use your personal information in the following situations:

2. Vital Interests: Article 6 (1) (d)

There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual’s life.

3. Legal Obligation: Article 6 (1) (c)

Sometimes we are required by law to collect and/share your information. Examples of this may include: to safeguard children or vulnerable adults, where it is in the wider public interest (including public health), detection or prevention of a serious crime, to defend a legal claim, reporting to DVLA, or where required by court order.

4. Legitimate interests: Article 6 (1) (f)

Where processing is necessary for the purposes of our legitimate interests or a third party and your interests and fundamental rights do not override those interests.

5. Consent: Article 6 (1) (a)

Consent under data protection legislation will not be the basis for providing you with healthcare services. However, your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information. For example, if you wish to sign up to receive marketing information from us, or to release your information to a third party (who we do not have a lawful basis to share your information with). Where consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.

Some of the above grounds for our processing will overlap and there may be several grounds which justify our use of your personal information.

 

If you fail to provide personal information

Failure to provide us with your personal information (including your health related information) may, dependant on what is withheld, result in our inability to fulfil our contractual and other legal obligations. Therefore, we would be unable to register you as a patient, provide you with the required treatment, or facilitate the provision of your ongoing healthcare needs.

 

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

 

Direct care services and who we may receive and share your information with and why

Safe and effective care is dependent upon relevant information being shared between all those involved in the direct and ongoing care of a patient. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for the purpose of their direct care. This duty is subject to the Common Law Duty of Confidentiality, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018. Your personal information will only be shared in accordance with your rights under these laws.

You have the right to raise an objection to your health information being shared with other health care providers for your direct care, but in some circumstances this may delay or affect the care you receive. If you wish to object, it is important that you raise and discuss this directly with your main health care professional (i.e. consultant), to ensure you receive advice on the possible outcomes of this decision. Please note that this is not an absolute right. Health care professionals may, in some circumstances, override this decision based on legal requirements or professional duty.

We may share your information with individuals or organisations involved in your direct care where there is a legitimate reason to do so i.e.: they require relevant information to assist them in the effective provision of your direct healthcare needs. The type of individuals and organisations we may share your information with for your direct care includes, but not limited to:

a. Consultant with practicing privileges: A consultant may make decisions about what information is collected and held on our shared records about you, and may maintain their own set of medical records in relation to the treatment that they provide. They are a Data Controller in respect of your personal information which they hold within their records, meaning that they must comply with the data protection legislation when handling your personal information. Your consultant may also contract with their own service providers i.e. external medical secretaries, or external parties that provide billing services. They will remain responsible for your personal information obtained in respect of those services.

b. People and Organisations involved in your care: Health and social care professionals, including support personnel (including but not limited to: consultants, medical secretaries, receptionists, nurses, allied health professionals, porters, volunteers, and other members of the direct care support team). Personal and payment information will be shared with the relevant finance department for the purposes of appropriate billing of services provided.

c. Diagnostic and medical devices suppliers: Diagnostic testing organisations are provided with relevant information to provide diagnostic tests or allow contact with you to book a test/procedure. Medical device suppliers are provided with your information to support in the development and or supply of medical devices for you.

d. Pharmacies: Pharmacists are provided with relevant information to fulfil a prescription or to allow contact with you and to provide relevant prescriptions and supporting advice.

e. Referrals such as hospital appointments/specialists/dentists/GPs for ongoing care/continuing health care services/community services (including mental health and social services) and CCG approvals for certain NHS health services: When referrals are made for patients to a NHS or private health or social care provider, a record of the patient’s health history is typically included to assist the receiving healthcare professional make a holistic assessment and/decision. This is important, because removal of areas of the history that could be considered relevant, may affect the outcome of referrals and treatment. Following the referral, discharge summaries are typically provided back to the referring health care professional to support your ongoing care needs. If there are areas of your healthcare history that you do not want to be shared, please raise this directly with your healthcare professional who holds that data. 

Electronic patient record sharing: Regional health and social care initiatives that promotes the safe, transparent sharing of your healthcare records for the purpose of your direct care needs. To ensure partner organisations comply with the law and to protect the use of your information, robust data sharing agreements and arrangements are in place to ensure your data is always protected and used for the intended purpose of your direct care needs.

NHS Digital’s National Care Records Service (NCRS): We use NHS Digital’s National Care Records Service (NCRS) to support safe and effective care. The service provides a quick and secure way for clinicians involved in your care to access important summarised information, such as your current medications and allergies. If access is required, a Ramsay member of staff who is working as a registered healthcare professional (nurse or pharmacist), will ask for your permission (over the telephone or face to face), to access this information.)They will discuss any concerns, and if you object, will respect your decision. Robust access controls are in place to monitor legitimate access for direct care purposes.

f. Patient Reported Outcome Measures (PROMs) an NHS England led programme to measure health gain in patients undergoing hip replacement, knee replacement in England, based on responses to questionnaires before and after surgery. Responses are voluntary and used for your direct care pathway, as well as shared under strict agreements with Private Healthcare Independent Network and NHS England for analysis for improving patient outcomes. Further information can be found in the PROMs leaflet provided by your consultant or on the following link https://digital.nhs.uk/data-and-information/data-tools-and-services/data-services/patient-reported-outcome-measures-proms

g. Video and telephone consultations are an alternative to face to face appointments. There may be instances where we offer you an appointment via telephone or video consultation. By accepting the invitation and entering the consultation you are agreeing to this. Your personal/confidential patient information shared on the consultation will be safeguarded in the same way as it would with any other consultation, and relevant information added to your patient record.

Video or audio consultations/appointments are not typically recorded, but if they are, your permission will be sought as to the purpose and use of the recording i.e.: for direct care purposes: diagnosis, treatment or care. If, as part of the consultation, still images or photographs are taken/obtained and are to be kept, they will be securely stored as part of your patient record. Saved recording or images will be stored as part of your patient record in line with our policies.

If the recording/images are to be used for any other reason than what the original permission was obtained for, then further permission from you would be required prior to that use.

If recordings or still images obtained are no longer needed (i.e.: are adequately described in the clinical notes) then the recording/images will be confidentially and securely destroyed as per our policies.

h. Third party data processors: We use “Data Processors” who are third parties, to provide technical, administrative and support services to assist us with the delivery of health care services to you. We have robust contracts and agreements in place and will only disclose personal information that is necessary to provide the service that they are undertaking on our behalf. They cannot do anything with your personal information unless we have instructed them to. They will not share your personal information with any organisation apart from us, unless they have an overriding legal obligation to do so. They will hold it securely and retain it for the period we instruct. This includes services such as: clinical systems, system support services, document storage and destruction services, telephony system suppliers, digital scanning and dictations services.

i. Depending on how you are funded:

For NHS patients: We provide information to the NHS funding organisation about your treatment and associated clinical requirements. We only provide relevant information to which they are entitled. Contracts and agreements are in place for this purpose.

For private medica linsured patients: We only provide relevant information to which they are entitled to support payment for the treatment and services. Contracts and agreements are in place for this purpose.

Debt collection agencies: If a debt remains outstanding after the specified timeframe for payment, where no payment plan is in place, or an agreed payment plan is not being adhered to, we may initiate proceedings to recover the unpaid amount. As a result, we will share your relevant personal contact details and amount owed for the service(s) agreed with our appointed recovery specialists for the purpose of debt recovery. Contracts and agreements are in place for this purpose.

If we restructure or sell our business or its assets, or we are involved in mergers or acquisitions of other organisations: It will be necessary to share your data with the new organisation or receive your data from the previous organisation in order for the continuation of services. The transfer of data (this could include your personal data – name, address, contact details, along with health data (i.e. appointment bookings, medical notes and medical imaging etc.), will be managed in secure manner in accordance with appropriate technical and organisational measures. Our aim is to ensure we are able to fully comply with our legal obligations regarding the retention and security of you data, while also ensuring continuity of your care.

 

Non-direct care where your information may be used and shared

Whenever you use a health or care service, such as for hospital appointments and admissions, GP appointments, Accident & Emergency, or using community care services, important information about you is collected to help ensure you get the best possible care and treatment. This information may also be used by us and other approved organisations for non-direct care purposes where there is a lawful basis to help with: planning services, improving care, research into developing new treatments, and preventing illness. All of this helps in providing better care to you and your family and future generations. Anonymised information (where you cannot be identified) will be used for non-direct care purposes whenever possible. Confidential information about your health and care is only used in this way where the law allows and is shared in alignment with the National Data Opt-Out Policy.

We are legally obliged to share information in some circumstances. For example, to comply with a statutory obligation, a court order or where a regulatory body has requested access to certain information under their statutory powers, as part of their duties to investigate complaints, accidents or health professionals’ fitness to practice.

In any event, we will ensure that we have a lawful basis on which to share the information.

We may use your information beyond your direct care, where we have a lawful basis and in accordance with data protection legislation. Wherever possible, data is anonymised or pseudonymised so you cannot be identified directly from the data. We may use data for the following types of non-direct care purposes:


We may share your information with organisations beyond your direct care where there is a legal and legitimate reason to do so:

a. National Data Opt-Out The national data opt-out is a service which enables patients receiving NHS funded care to opt-out from the use of their data beyond their individual care or treatment (for example research or planning purposes), unless there are overriding legal exemptions that apply. All healthcare providers are required to be compliant with the national data opt-out programme by 31 March 2022.

We will comply with this requirement by applying opt-outs to data requests that are in scope of the National Data Opt-out. This means that if there is a data request that is in scope of the National Data Opt-out, and you have provided your NHS number to us and registered your choice with the National Data Opt-out programme, your data would not be shared by us.

To find out more or to register your choice to opt out, please visit here or by calling 0300 303 5678 Your individual care will not be affected if you have applied the National Data Opt-out.

b. Private Healthcare Information Network (“PHIN”) is the independent government mandated source of information on privately funded care in the UK. PHIN is the official ‘information organisation’ under the Competition & Markets Authority (CMA) Private Healthcare Market Investigation Order 2014 (as amended). As such, Ramsay Health Care is legally required to provide hospital performance data to PHIN.

PHIN’s goal is to help patients make more informed choices about where to go for treatment. Publishing anonymised information on the quality and safety of care for private hospital facilities offers a number of potential public interest benefits:


We will not supply your name, date of birth, or full address to PHIN. PHIN is only concerned with understanding the treatment that hospitals and doctors provide, whether that treatment was safe and effective, and whether there were any complications. To do this effectively, PHIN require NHS Number and postcode alongside treatment data.

You can withhold your personal information submitted to PHIN, by informing us upon arrival for your hospital admission.  In which case, we will only share anonymised treatment data.

Please see PHIN privacy notice for more information https://www.phin.org.uk/about/our-privacy-policy.

c. Professional Regulatory Body Investigations have the legal powers to request information that would assist them in their regulatory functions in relation to fitness to practise investigations of regulated medical, nursing, pharmaceutical, allied health and social care professionals. Only relevant information is provided and where possible, you will be notified or data anonymised.

d. Care Quality Commission Access to Health Records: CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator. This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.

e. Medicines and Healthcare Products Regulatory Agency (“MHRA”) Parameters for sharing information that are justified are in place. The MHRA cannot disclose information if it would breach data protection legislation and can only be disclosed where it is considered necessary and proportionate.

f. NHS Digital, NHS England, Public Health England and the Department of Health and Social Care: Certain directives are in place from the Secretary of State for Health and Social Care to provide confidential information. This is a mandated under specific directions. Typically, the data provided is pseudonymised, meaning it cannot directly identify you, as personal identifiers are replaced with a key-code. As this data could be re-identified by those authorised to do so, this data is still considered identifiable and as such, robust safeguards to protect data are put in place.

g. National and other professional research/audit programmes and registries Health and social care research, audits and registries may be conducted and managed by organisations commissioned by the NHS, other health and social care organisations, universities, or commercial research and audit partners for such purposes as developing new treatments and improving healthcare outcomes. We always ensure that data protection and confidentiality laws are followed to protect your data, this includes compliance with the National Data Opt-Out Policy where applicable.

h. The courts, DVLA, police, other third party law enforcement agencies. Examples include The Ministry of Defence, The Home Office: Where legally required by court order or as written in law, or where reasonably necessary for the prevention or detection of crime. We always confirm the lawful basis, proportionality of the data requested and comply with our data protection obligations.

i. Third party organisations who provide elements of services to us for the planning, management and auditing of healthcare services and to support us in defending a legal claim. Wherever possible and depending on purpose, de-identified or anonymised data will be shared. We have contracts and agreements in place for these services.

Where suppliers are engaged as our processors, they will only process data as instructed by us. We only share data that is proportionate and relevant to the service and where there is a lawful basis for the processing. They will not share your personal information with any organisation apart from us unless there is an overriding legal obligation to do so. We have contracts and agreements in place for these services.

j. Private Medical Insurers funding audits. Where you have received private medical insurance funding for a service provided by us, the insurer may conduct audits for the purpose of reviewing specific services and billing provisions as outlined in contracts and agreements. Data is anonymised or pseudonymised wherever possible.

k. Third party representative (family, friend, solicitor or Power of Attorney (PoA) to whom you have given your consent, or who has PoA granted, to view or receive your record, or part of your record under your Right of Access. Please note, if you give another person consent to access your record we may need to contact you to verify/clarify your request and consent before we release the record. It is important to us that you are clear and understand how much information and what aspects of your record will be released to another individual on your behalf.

l. Third party organisations who you have given your consent to view or receive your record, or part of your record. We may also need to clarify with you, and the requesting organisation, the purpose of the data sharing request, to ensure we meet our data protection obligations and to justify the disclosure.

In any data sharing scenario, we will have a lawful basis on which to share the information prior to doing so.

We will not sell or share your information for direct marketing.

 

How we communicate with you

In order to provide you with accurate and timely information about your appointments, relevant information relating to your episodes of care, or other enquires, we will need to contact you. Where telephone contact is made, we use call display to assist you in identifying and returning calls to us.

While we will use our best endeavours to contact you using any expressed preferred method of contact, this may not always be possible and will be determined by the reason for our contact.

Reasons for contact includes, but are not limited to:


Text Messaging
To provide you with an enhanced patient experience, we have engaged a third-party supplier Text Local, so that we may contact you via text message regarding the delivery of your care.  This may be to confirm an appointment/admission; to remind of an upcoming appointment/admission; or to inform of an action that is required to process your treatment pathway.

You are able to opt out of this service by informing us via your registration/communication form that can be found at https://www.ramsayhealth.co.uk/patients/your-details; by informing a member of the team during a visit; or by responding to the text message

Emails
We may use your email address you have provided to inform you about the services you requested information about or are scheduled to receive. You can request changes about receiving non direct care related emails at any time by letting us know.

Please note that we will use encrypted emails which means that no one can see or tamper with the data while it is being transferred across the network or internet to you. Your own emails to us may not be encrypted, so you will need to consider this for any information you are emailing to us. 

 

Transfers to third parties outside EEA

Your personal information will typically be held within the UK or at times, by our contracted processors or suppliers in the European Economic Area (“EEA”). We may have a legitimate reason to send your personal information to a supplier based outside of the EEA, subject to reasonable steps to ensure the security and protection of your individual privacy rights in accordance with data protection legislation. Where we are sending your data outside the EEA, we will ensure appropriate safeguards are in place prior to such transfers so that a similar level of data protection is applied.

 

Data security measures

We have put in place measures to protect the security of your information. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

Ramsay Health Care UK is committed to ensuring the privacy and confidentiality of your personal information within its control. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. Although the transmission of information via the internet is never completely secure, we will use our best endeavours to protect your information from loss, misuse or alteration when it is within our control and in compliance with all applicable and data protection Legislation.

 

How long do we keep your information?

In line with our internal record management policies, we will retain/store your health record for as long as necessary to provide the services set out in this Privacy Notice. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Please contact us for further details.

The information we collect and hold about you is held securely within the United Kingdom and stored in either paper format or held on our secure electronic servers.

This is to ensure that information is properly managed and is available when there is a justified need for that information, including to support the delivery and management of patient care and clinical audits, as well as our legitimate interests, and to meet legal requirements.

Records that have completed the specified retention period will be reviewed and if retention no longer needed, will be securely destroyed in line with our policies.

If we will no longer be offering services, you will be notified of this change and you will be provided further information on the secure transfer of your record to a new provider.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

 

Your individual rights

The Law gives you certain rights about the personal and healthcare information that we hold about you. Some of these rights are not absolute and will depend on the lawful basis we rely on for the processing of that data. We will comply with your request, where the law allows. Where we are unable to comply with your request will inform you of this.

We typically have one calendar month to reply and give you the information that you require or explain why we are unable to fulfil your request. If you have made a number of requests or your request is complex, we may need extra time to consider your request and can take up to an extra two months to respond. If we are going to apply an extension, we let you know within one month that we need more time and why.

You can make a request via electronic means, verbally or in writing but we will need to verify who you are and may need to clarify the request with you to ensure we have understood correctly.

Requests can be made by contacting the relevant site/department directly, or using our online form and your request will be directed to the correct department for review.

If we provide you with a form to complete, this is not mandatory, but may assist in our understanding your request and preventing any delays. If we have any questions we will contact, you.

Under certain circumstances, depending on the lawful basis we are processing your data, you have the right to:

 

Subject Access Requests (SAR)

You have the right to see what information we hold about you and to request a copy of this information. Under data protection legislation, certain exemptions may apply and for this reason, some information may be withheld.

Sometimes information about third parties may be recorded on your records. We are under an obligation to make sure we also protect the third party’s rights and to ensure that references to them which may breach their rights to confidentiality, are removed before disclosing any information to a third party, including yourself. Third parties’ information can include, but not limited to: spouses, partners, other family members etc.

We will provide this information free of charge however, we may apply a reasonable administrative fee for any extra copies or repetitive requests. If applicable, we will discuss this with you at the time of your request.

If you have consented to a third party representative to request a SAR on your behalf (friend, relative, solicitor), we require the third party to supply us with evidence of your permission to act on your behalf. Due to the confidentiality and sensitivity of health related information, if we are unsure about the permission provided or think you may not be aware of the extent of what would be disclosed in the request, we may contact you to review and confirm the request prior to proceeding.

 

Right to Restriction of Processing

You have the right to request we restrict processing your information while the accuracy, lawful basis, or the legitimate use of the information is being reviewed.

 

Right to Rectification/Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details, including your email address or mobile phone number has changed. You have the right to have any mistakes or errors corrected and we will do so in line with record management procedures. However, we are not aware of any circumstances in which you will have the right to delete health related information from your records that is deemed accurate, including the opinion of the health care professional, in the provision of healthcare services. Please contact us if you hold a different view.

 

Right to be Forgotten

This right typically would not apply if the processing is necessary for health purposes, ensuring high standards of quality and safety of health, preventative or occupational medicine; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.

If there are instances of a specific processing activity where you believe the right to be forgotten could be applied to the information we hold about you, please contact us to review your request.

 

Right to Object

This right applies to the processing of your personal information where we are relying on certain lawful basis (public task or legitimate interest).

You have the right to object at any time where we are processing your personal information for direct marketing purposes.

If there are instances of a specific processing activity where you believe the right to object could be applied to the information we request or hold about you, please contact us to review your request.

Please note that there may be times where there are reasons or legal grounds that override the objection of an individual.

 

Right to Portability

The right to request portability is only available where the processing is based on the lawful basis of consent or contract, where information was provided by the individual directly, and the processing is automated. If there are instances of a specific processing activity where you believe the lawful basis allows the right to portability, please contact us to review your request.

 

The right to withdraw consent

Generally, we will only ask for your consent for processing your information under a UK GDPR and DPA 2018 lawful basis, when no other legal grounds apply. For example, for direct marketing communications or to release your information where there is not an alternative lawful basis to do so. In these circumstances, we aim to be clear and transparent about why we need your consent. Where we rely on your consent to process your personal information, you have the right to withdraw your consent by contacting us and we will stop the processing for which the consent was obtained.

 

Right to be informed of automated decision making including profiling

Currently we do not use automated decision making as part of our processing activities.

 

Our Website

The only website this Privacy Notice applies to is our website. If you use a link to any other website from ours, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

Cookies: Our website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy here.

 

Organisational Security

The purpose for processing the information is for quality, security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests where rights and interests are fully considered and protected.

A. CCTV

CCTV is in operation in our facilities. It has been installed solely for the safety and security of our patients, staff, visitors and our property; to prevent and deter crime. Images are recorded 24 hours a day and stored on the hard drives of the recording devices that are situated in secure areas. Only those with authorised permissions will have access to the system. The CCTV only records images and does not record audio. All CCTV recordings are typically stored on our recording devices for 30 days before being deleted. There are signs in and around our facility premises to inform that CCTV is in use. We will only ever share information with the relevant internal personnel/law enforcement authorities in connection with the safety and security of patients, staff, visitors and our property. Will not share with any other third parties.

The purpose for processing the information is for security, prevention and detection of crime and safety reasons.

Any CCTV used in our London office is not operated by us, so we are not the controller. It will be under the control of the relevant building landlord.

B. Telephone Recordings

Please note: this section does not apply to telephone consultations. Please see Section: Video and telephone consultations for information about how we collect, use and store telephone consultation data.

We may record both incoming and outgoing telephone calls for monitoring and quality purposes. If recordings are in place, there are messages on our phone lines indicating the use of voice recording, or we will inform you before a recording commences. Where recordings are made, they will be stored and retained as per our internal policies.

We will only ever share information with the relevant personnel/authorities in connection with the safety and security of patients, public and staff and will not share with any other third parties.

The purpose for processing the information is for quality, security and safety reasons.

 

Right to Complain to the Information Commissioner's Office (ICO)

You may complain to the Information Commissioner's Office (“ICO”) if you have concerns about the way we are handling your personal information or requests under your individual rights.

Information on raising a concern with the ICO can be found here.

Contact details:

Telephone: 0303 123 1113 or

Live chat: https://ico.org.uk/global/contact-us/live-chat/

 

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

You may find a copy of this Privacy Notice on our website, or a copy may be provided on request.

If you have any questions about this privacy notice, please contact Ramsay's DPO at dataprotection.officer@ramsayhealth.co.uk

 

Content Last Reviewed: 09.02.2024

Ramsay Health Care UK Operations Limited
Registered in England No.1532937

Registered office: Level 18, Tower 42,
25 Old Broad Street, London, EC2N 1HQ