Privacy notice: Members of the Public, Suppliers and Third Parties using our site facilities.
This notice applies to members of the public visiting our sites, our suppliers and other third parties contracted to use our site facilities. This privacy notice does not apply to patients of Ramsay Healthcare UK, employees or contractors providing services under a contract of services or healthcare professionals with practice privileges. Please refer to the relevant privacy notice on our website: https://www.ramsayhealth.co.uk/privacy-policy.
What is the purpose of this document?
We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.
Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (2018)
We are Ramsay Health Care UK. Our Head Office is located at Tower 42, Level 18, 25 Old Broad Street, London, EC2N 1HQ (“Ramsay”). We are a ‘Data Controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice does not form part of any contract with you. We may update this notice at any time but if we do so, an updated copy of this notice will be available on our website.
It is important that you read and retain this notice, together with any other data privacy information we may provide on specific occasions, when we are collecting or processing personal information about you. This is to ensure you are aware of how and why we are using such information and what your rights are under the data protection legislation.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
7. We are accountable for our data processing activities.
Our Data Protection Officer
- Our Data Protection Officer is responsible for monitoring our compliance with data protection legislation.
- If you have any concerns or questions about our use of your personal information or how your individual rights are honoured, you can contact our Data Protection Officer by email at DataProtectionOfficer@ramsayhealth.co.uk or alternatively by writing to the following address:
Data Protection Officer
Ramsay Health Care UK Operations Ltd
Level 18 Tower 42 25 Old Broad Street
The kind of information we hold about you and why
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect and hold personal information relevant to the purpose of your relationship with us. This may include your name and contact details (postal and email addresses, phone numbers), photo ID, and swipe card entry data, voice recordings on telephone systems as well any relevant information necessary as outlined in relevant supplier contracts.
For visitors to our sites, including members of the public, visitor logs including information such as: name, vehicle registration, contact details and other relevant information) and CCTV images. For visitors where regulations require, we may require further safeguarding and/public health information i.e: Covid-19 status, DBS checks, qualifications and registration status etc.
Typically, we obtain information from you, but depending on your relationship with us, we may also receive information from an employer or a third party credentialing service.
How will we use the information about you?
We may 'process' or collect, store, use and share your personal information for a number of purposes. To do this, we must have a lawful basis that we rely on to be compliant with data protection legislation:
The primary lawful basis that we rely on to collect, store, use, and share your personal information for under Data Protection Legislation are as follows:
1. Legitimate interests: Article 6 (1) (f)
Where processing is necessary for the purposes of our legitimate interests or a third party and your interests and fundamental rights do not override those interests.
We may also use your personal information in the following situations:
2. For Suppliers
a. NHS Suppliers: The performance of a task carried out in the public interest or in the exercise of official authority…’ Article 6(1)(e) ‘
Where NHS England commission health services under the NHS Act 2006 or NHS Clinical Commissioning Groups (CCGs) with devolved powers from NHS England to commission health services under the Health and Social Care Act in 2012. This includes the services or treatments provided and any associated billing, audit or necessary reporting
2.b. Contract: To deliver contractual services to an individual Article 6 (1) (b) where an individual had contracted directly with us to provide a service
3.Vital Interests: Article 6 (1) (d)
There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual’s life.
4. Legal Obligation: Article 6 (1) (c)
Sometimes we are required by law to obtain and share your information. Examples of this may include: compliance to regulations to safeguard children or vulnerable adults, where it is in the wider public interest (including public health), detection or prevention of a serious crime, to defend a legal claim, reporting to DVLA, or where required by court order.
5. Consent: Article: 6 (1) (a)
Your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information. For example, if you wish to sign up to receive marketing information from us, or to release your information to a third party (who we do not have a lawful basis to share your information with). Where consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time for any ongoing processing.
Some of the above grounds for our processing will overlap and there may be several grounds which justify our use of your personal information.
The necessary safeguards will be put in place at all times when handling any of your personal information.
If you fail to provide personal information
Failure to provide us with your personal information may, dependant on what is withheld, result in our inability to fulfil our legitimate, contractual and other legal obligations. Therefore, depending on the purpose of the data requested, we would be unable to proceed.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who We May Share Your Information to and Why
Your personal information will only be shared in accordance with data protection legislation and your rights under these laws.
We use third party service providers to assist us in the delivery of our business needs. Third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies and contracts with them. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. Those specified purposes will be relevant to why we are lawfully using the data and include such services as
Security, including door entry data, CCTV, telephone recording
Financial services, including audit
We may also may share your personal information with an external organisation in order to meet our legal obligations, regulatory requirements and to prevent a crime or to pursue or defend a legal claim.
If we restructure or sell our business or its assets, or we are involved in mergers or acquisitions of other organisations;
- It will be necessary to share your data with the new organisation or receive your data from the previous organisation in order for the continuation of services. The transfer of data (this could include your personal data – name, business contact details. This will be managed in secure manner in accordance with appropriate technical and organisational measures. Our aim is to ensure we are able to fully comply with our legal obligations regarding the retention and security of you data, while also ensuring continuity of services.
How we communicate with you
We may contact you using your contact details, for the purpose(s) they were provided to us for
if you have indicated a preferred method of communication, we will endeavour to use this. You can change your preferences at any time by letting us know.
Please note that in the event we need to send you confidential or sensitive information, we will use encrypted email, which means that no one can see or tamper with the data while it is being transferred across the network or internet to you. Your own emails to may not be encrypted, so you will need to consider this for any information you are emailing to us.
In accordance with the preferences you have communicated to us, we may contact you to:
- Communicate with you about contract/supplier management related activities
- respond to email enquiries;
- respond to telephone enquiries;
- respond to website enquires;
- provide marketing materials where you have indicated you wish to receive them
- Advise you to any changes to the services we offer
How Long Do We Keep Your Information?
In line with our internal record management policies, we will retain/store your health record for as long as necessary to provide the services set out in this Privacy Notice. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The information we collect and hold about you is held securely within the United Kingdom and stored in either paper format or held on our secure electronic servers.
This is to ensure that information is properly managed and is available when there is a justified need for that information, including to support the delivery and management for our legitimate interests, and to meet legal requirements.
Records that have completed the specified retention period will be reviewed and if retention no longer needed, will be securely destroyed in line with our policies. If we will no longer be offering services, you will be notified of this change and you will be provided further information on the secure transfer of your record to a new provider.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
The Law gives you certain rights about the personal data that we hold about you. Some of these rights are not absolute and will depend on the lawful basis we rely on for the processing of that data. We will comply with your request, where the law allows. Where we are unable to comply with your request will inform you of this.
We typically have one calendar month to reply and give you the information that you require or explain why we are unable to fulfil your request. If you have made a number of requests or your request is complex, we may need extra time to consider your request and can take up to an extra two months to respond. If we are going to apply an extension, we let you know within one month that we need more time and why. You can make a request via electronic means, verbally or in writing but we will need to verify who you are and may need to clarify the request with you to ensure we have understood correctly.
If we provide you with a form to complete, this is not mandatory, but may assist in our understanding your request and preventing any delays. If we have any questions we will contact, you.
Under certain circumstances and depending on the lawful basis used to process your data you have the right to:
Subject Access Requests (SAR)
You have the right to see what information we hold about you and to request a copy of this information. Under data protection legislation, certain exemptions may apply and for this reason, some information may be withheld. Sometimes information about third parties may be recorded on your records. We are under an obligation to make sure we also protect the third party’s rights and to ensure that references to them which may breach their rights to confidentiality, are removed before disclosing any information to a third party including yourself. Third parties’ information can include, but not limited to: spouses, partners, other family members etc.
We will provide this information free of charge however, we may apply a reasonable administrative charge for any extra copies or repetitive requests. If applicable, we will discuss this with you at the time of your request.
If you have consented to a third party representative to request a SAR on your behalf (friend, relative, solicitor), we require the third party to supply us with evidence of your permission to act on your behalf, if we have any concerns about the requestor’s authority to act on your behalf, we may contact you to review and confirm the request prior to proceeding.
Right to Restriction of Processing
You have the right to request we restrict processing your information while the accuracy, lawful basis, or the legitimate use of the information is being reviewed.
Right to Rectification/Correction
We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details, including your email address or mobile phone number has changed.
Right to be Forgotten
If there are instances of a specific processing activity where you believe the right to be forgotten could be applied to the information we hold about you, please contact us to review your request.
Right to Object
This right applies to the processing of your personal information where we are relying on certain lawful basis.
You have the right to object at any time where we are processing your personal information for direct marketing purposes.
If there are instances of a specific processing activity where you believe the right to object could be applied to the information we hold about you, please contact us to review your request.
Please note that there may be times where there are legal grounds that override the objection of an individual i.e.: a lawful basis that does not allow the right to object.
Right to Portability
The right to request portability is only available where the processing is based on the lawful basis of consent or contract, it was data provided by the individual directly, and the processing is automated. If there are instances of a specific processing activity where you believe the lawful basis allows the right to portability, please contact us to review your request.
The right to withdraw consent
Generally, we will only ask for your consent for processing your information under a UK GDPR and DPA 2018 lawful basis, when no other legal grounds apply. For example, for direct marketing communications. In these circumstances, we aim to be clear and transparent about why we need your consent. Where we rely on your consent to process your personal information, you have the right to withdraw your consent by contacting us and we will stop the processing for which consent was obtained.
Right to be informed of automated decision making including profiling
Currently we do not use automated decision making as part of our processing activities.
Transfers to third parties outside EEA
Your personal information will typically be held within the UK or at times, by our contracted processors in the European Economic Area (“EEA”).
may have a legitimate reason to send your personal information to a supplier based outside of the EEA, subject to reasonable steps to ensure the security and protection of your individual privacy rights in accordance with data protection legislation. Where we are sending your data outside the EEA, we will ensure appropriate safeguards are in place prior to such transfers so that a similar level of data protection is applied.
The only website this Privacy Notice applies to is our website. If you use a link to any other website from ours, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.
The purpose for processing the information is for quality, security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests where rights and interests are fully considered and protected.
CCTV is in operation in our facilities. It has been installed solely for the safety and security of our patients and staff; to prevent and deter crime.
Images are recorded 24 hours a day and stored on the hard drives of the recording devices that are situated in secure areas. Only those with authorised permissions will have access to the system. The CCTV only records images and does not record audio. CCTV recordings are typically stored on our recording devices for 30 days before being deleted. There are signs in our facilities to inform that CCTV is in place. We will only ever share information with the relevant internal personnel/law enforcement authorities in connection with the safety and security of patients, staff and property and will not share with any other third parties.
The purpose for processing the information is for security, prevention and detection of crime and safety reasons.
B. Door Entry Cards
If a supplier or individual has been issued with a door entry card to gain access to areas of our facilities, then the data on that card and its use will be the property of Ramsay Healthcare UK and the purpose of processing this information will be for security, prevention and detection of crime and safety reasons.
C. Telephone Recordings
We may record both incoming and outgoing telephone calls. All telephone recordings are stored on our recording devices for a specified time in line with our policies. We will only ever share information with the relevant personnel/ authorities in connection with the safety and security of patients and staff and will not share with any other third parties.
The purpose for processing the information is for quality, security and safety reasons.
D. Visitor Logs We may record visitor information to our sites, the data collected will vary depending on the purpose it is required. You may be provided with further information by the specific site.
The purpose for processing the information is for security, prevention of crime and safety reasons which may include public health.
Data will be held only for as long as necessary and in line with our internal policies.
Data Security measures
We have put in place measures to protect the security of your information. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
Ramsay Healthcare UK is committed to ensuring the privacy and confidentiality of your personal information within its control. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. Although the transmission of information via the internet is never completely secure, we will use our best endeavours to protect your information from loss, misuse or alteration when it is within our control and in compliance with all applicable and data protection Legislation.
Right to Complain to the Information Commissioner's Office (ICO)
You may complain to the Information Commissioner's Office (“ICO”) if you have any concerns about the way we are handling your personal information or requests under your individual rights.
Information on raising a concern with the ICO can be found here.
Telephone: 0303 123 1113 or
Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
You may find a copy of this Privacy Notice in our reception, on our website, or a copy may be provided on request.
Content Last Reviewed: 23.05.22