This notice is designed to inform you of the type of information that we collect and hold about you in the course of providing you with private medical care. It will also tell you what we do with the information we collect, how we will look after it and with whom we might share it. It covers information we collect directly from you or which we may receive from other individuals or organisations.
This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them. You can, for instance, seek access to your medical information, object to particular ways your information may be used and you can request rectification of any information which is inaccurate or the deletion of information which is no longer required (subject to certain exceptions).
This Privacy Notice does not provide exhaustive detail. However, we are happy to provide any additional information or explanation as needed. If you would like further information about any of the matters in this Privacy Notice or have any other questions about how we collect, store or use your personal information, please contact us using the details below.
If you would like this notice in another format, such as Braille, audiotape, large print or another language, please contact us, again, using the contact details on our website and correspondence.
1. Who we are and what we do
In this Privacy Notice the use of “we” “us” or “our” refers to your treating clinicians [Mr Jeevan Chandrasenan (JC Orthopaedics) and Mr Conal Quah (CQ Orthopaedics)] and will also include the actions of any Medical Secretary or other staff acting under our instruction.
Under the terms of the EU General Data Protection Regulation (GDPR), we are known as a “Data Controller” and a “Data Processor”. This means that we are legally responsible for ensuring that all personal information that we process about you is done in compliance with data protection laws. All Data Controllers must notify the Information Commissioner's Office of all personal information processing activities. Our registration number is [Mr Jeevan Chandrasenan ZA233459, Mr Conal Quah ZA108773] and our entry can be found in the Data Protection Register on the Information Commissioner's Office website.
2. How to contact us
If you have any queries or concerns about how we handle your personal information or about the content of this Privacy Notice, please contact us by:
3. How we work
We will provide your treatment from one of the following hospitals
Derby Private Health
Royal Derby Hospital
Queen's Medical Centre Campus
131 Psalter Lane
and consequently, there may be occasions when it is necessary for
Circle Nottingham, Derby Private Health or Nuffield Health Derby Hospital, One Health
to also process your personal data (for example, when admitting you to the hospital for treatment or when arranging nursing or additional care and treatment). Your information will only be processed as required by the Data Protection laws of the UK. Where this does become necessary, Circle Nottingham, Derby Private Health, Nuffield Health Derby Hospital, and One Health will become a joint Data Controller in respect of your personal information and they will provide you with a copy of their own Privacy Notice at that point, which sets out how they will manage your personal information.
4. Personal Information we hold about you
When we refer to “personal data” in this policy, this refers to information that can or has the potential to identify you as an individual. When we refer to ‘processing' your personal information, this covers any use of your personal information, including but not limited to accessing, storing and disseminating information. We may also use “special categories of personal information” about you, which could include information relating to your physical and mental health.
When you request treatment from us and become our patient, the personal information we may then need to hold about you may include the following:
- Contact details, such as postal address, email address and telephone numbers
- Financial information, such as credit card details used to pay us
- NHS Number
- Family details including next of kin
- GP and referral details
- Visual images, for example CCTV images as part of building security
- Responses to surveys or questionnaires
- Correspondence relating to a complaint or claim
- Your specific information requirements
Special categories of information relating to your medical treatment must be handled even more sensitively than your personal information. The special categories of personal information we may hold and process about you may include the following:
- Details of your current or former physical or mental health. This may include information about any healthcare you have received (both from me directly and other healthcare providers such as your GP or hospitals (private and/or NHS)) and details of medicines previously and currently taken.
- Details of other services you have received from me
- Details of your lifestyle and social circumstances
- Details of your nationality, race and/or ethnicity
- Details of your religion
- Details of any genetic data or biometric data relating to you
- Data concerning your sex life and/or sexual orientation.
5. How we collect your information
There are a number of ways in which we may collect your personal information. It may be collected directly from you when:
- You enter into a contract with us for the provision of healthcare services
- You use those services
- You correspond with us by letter, email, telephone or social media
- You complete enquiry forms on our website.
In order to provide you with the best treatment possible, we may need to collect your medical records including information about any diagnosis, clinic and hospital visits and medicines administered. This information may be provided by other individuals and organisations, including:
- Hospitals, both NHS and private
- Commissioners of healthcare services
- Other Private providers of healthcare (including their medical secretaries).
Information about you may also be provided to us from other sources as relevant to your treatment. These third parties may include:
- Your insurance policy provider
- Your current or former employer
- Your family
- External medical experts
- NHS health service bodies
- Credit reference agencies
- Debt collection agencies
- Government agencies, including the Ministry of Defence, the Home Office and HMRC.
6. How we will protect your privacy
We are committed to protecting your privacy and will only process personal information in accordance with the EU General Data Protection Regulation, the Human Rights Act 1998 and the common law duty of confidentiality.
All information that we hold about you will be held securely and confidentially. We use clear administrative and technical controls to do this. Both we and any staff working for us have undertaken appropriate levels of Information Governance training to ensure that we have the correct skills and understanding to look after any information you provide to the highest standards of confidentiality and security. Additionally, all staff at Circle Nottingham, Derby Private Health, Nuffield Health Derby Hospital and One Health any contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only ever use the minimum amount of information necessary about you to provide you with treatment and healthcare. Wherever possible, we will use information that does not directly identify you, however, where it is necessary for us to know or use personal information about you, we will only do this where we have an appropriate legal justification for doing so.
Where our staff or the staff of Circle Nottingham, Derby Private Health, Nuffield Health Derby Hospital or One Health need to access your clinical record (for example, our secretary will need to see your record in the process of typing up correspondence or where medical queries are being followed up) they will only access the necessary information and will follow the strictest rules of confidentiality and data protection. Our medical secretary is required to sign a confidentiality agreement and is bound by their contract of employment which does not allow them to disclose any information about your health care to anyone unless it is with another clinical team for the purpose of your health care.
We will not divulge your record to any other patients or family members, except in the case of children under 12, where applicable, unless you give us permission to do so. Some patients do prefer a family member or friend to act on their behalf. If you wish for someone else to act on your behalf please let us know and we will make arrangements with you for this to take place. You can withdraw this consent at any time but you must let us know immediately if you no longer wish for us to discuss your health with the nominated person.
7. How we will communicate with you
We need to communicate with you in order to provide you with healthcare services. We or our secretary may contact you by telephone, SMS, email, and/or post.
In order to provide you with timely updates and reminders in relation to your healthcare, we may communicate with you by telephone, SMS and/or email (where you have provided us with your telephone number and/or email address).
To provide you with your medical information (including test results and other clinical updates) and/or invoicing information, we may communicate with you by email where you have provided your email address and where you have agreed to this form of communication for medical matters.
If you have stated a preference to be communicated with about your health care or treatment via a particular method, we will not be relying on your consent to process your data in this way. As set out in Schedule 1 below, the processing of your personal data for these purposes is justified on the basis that it is necessary to fulfill our contract with you for the provision of healthcare services.
8. With whom we share your information
In certain situations, we may share data about relevant aspects of your healthcare record within other clinicians or with third parties such as Circle Nottingham, Derby Private Health, Nuffield Health Derby Hospital or One Health and/or your Medical Insurance Provider.
Specifically, we may disclose your information to the third parties listed below for the purposes described in Schedule 1 of this Privacy Notice. They may include:
- A doctor, nurse or any other healthcare professional involved in your treatment
- Other members of Circle Nottingham, Derby Private Health, Nuffield Health Derby Hospital or One Health staff involved in the delivery of your care, such as receptionists and porters
- Emergency contacts, for example your next of kin or carer
- NHS organisations
- Other private sector healthcare providers
- Your GP
- Another private provider of medical care or treatment to you (including their medical secretaries)
- Third parties who assist in the administration of your healthcare, such as insurance companies
- The Private Healthcare Information Network (See Schedule 1 for more details on this)
- National and other professional research and audit programmes, as detailed in Schedule 1
- Government bodies, including the Ministry of Defence, the Home Office and HMRC
- Regulators of healthcare such as the Care Quality Commission
- The police and other third parties where reasonably necessary for the prevention or detection of crime
- Our insurers
- Debt collection agencies
- Credit referencing agencies
- Any third party services providers such as IT suppliers
- Selected third parties in connection with any sale, transfer or disposal of my business
- Anyone else with whom you ask us to communicate.
We will not otherwise share, sell or distribute any of your personal information to any third party without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the EU General Data Protection Act.
You may wish us to share health information held about you with others for purposes other than your care. This could include with insurance companies, a medical report for a mortgage, life insurance, for immigration purposes, with a solicitor representing you in a personal injury claim. In such cases this will only be done with your signed and explicit consent. I will only share the minimum agreed information.
9. How long we will keep your personal information
We will only keep your personal information for as long as reasonably necessary to undertake your care and to comply with my legal and regulatory obligations. If you would like further information regarding the periods for which your personal information will be stored, please contact me as outlined in Section 3.
10. For what purposes we will use your information
We may 'process' your information for a number of different purposes. The law requires us to have a legal justification for processing your data. The particular justification will depend on the proposed use of your data. When the information we process is classed as “special category of personal information”, we must have a specific additional legal justification in order to process your data.
We will rely on the following legal justifications for processing your personal data:
- Taking steps at your request so that you can enter into a contract with me to receive treatment and/or healthcare services.
- For the purposes of providing you with healthcare pursuant to a contract between us.
- We have an appropriate business need to process your personal information and such business need does not cause harm to you. Under the law this is called a 'legitimate interest'.
- We have a legal or regulatory obligation to use such personal information.
- We need to use your personal information to establish, exercise or defend our legal rights.
- You have provided your consent to our use of your personal information.
You will find details of the legal justifications for each of my processing activities in Schedule 1 of this Privacy Notice.
11. What rights you have under the law with regard to your personal information
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include the right to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us as outlined in Section 3.
There will not usually be a charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why. There are some special rules about how these rights apply to health information as set out in the relevant legislation.
If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond or we can charge you for responding.
Your rights include:
- The right to access your personal information
You are entitled to a copy of the personal information we hold about you and details about how we use it. Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.
- The right to restriction of processing
In some circumstances, you can ask us to suspend the use of your personal data. Sometimes we won't be able to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
- The right to data portability
You can ask us to transfer your personal information to you or to another individual or organisation. The information must be transferred in an electronic format.
- The right to object to processing
You can ask us to stop processing your information where we are relying on legitimate interests as the legal ground for processing (when we refer to ‘legitimate interests', this means that we have an appropriate business need to process your personal information and this business need does not cause harm to you).
- The right to withdraw consent
In some cases we need your consent in order to use your personal information to
comply with data protection legislation. Schedule 1 sets out instances where we will rely on your consent for the purpose of processing your personal information. You have the right to withdraw your consent at any time. You can do this by contacting me as outlined in Section 3.
- The right to complain to the Information Commissioner's Office
You can complain to the Information Commissioner's Office if you are unhappy with the way that we have managed any of your rights above, or if you think we have not complied with our legal obligations. More information can be found on the Information Commissioner's Office website: https://ico.org.uk/. Making a complaint will not affect any other legal rights or remedies that you have.
12. When this Privacy Notice will be updated
We may update this Privacy Notice from time to time to ensure that it remains accurate. If these changes result from any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy. This Privacy Notice was last updated on 11th March 2019.
13. How you may make a complaint or enquiry
We aim to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive very seriously. We encourage you to bring concerns to our attention if you think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. You can contact us regarding any complaints or questions as outlined in Section 3.
About the information WE collect and hold
In the table below we have set out the individual purposes for which we will process your personal information and the legal justification for doing so. In most instances, we are also required to identify an additional legal justification where we are processing special categories of personal information (eg. medical information). Beside each legal justification, we have cited the relevant article of the EU General Data Protection Regulations (GDPR).
|Purpose for processing personal information||Description||Legal justification for processing personal information||Additional legal justification for processing special categories of personal information|
|To provide you with healthcare services.||As a healthcare provider we need your personal information in order to deliver that service.||To fulfil our contract with you for the delivery of healthcare services (Article 6(b)).||Processing is necessary to protect your vital interests where you are physically or legally incapable of giving consent (Article 9 (2) (c).|
|The external monitoring of safety and quality.||The Competition and Markets Authority Private Healthcare Market Investigation Order 2014 established the Private Healthcare Information Network (“PHIN”), as an organisation who will monitor outcomes of patients who receive private treatment. We are required by law to provide PHIN with information related to your treatment, including your NHS number, the nature of your procedure, whether there were any complications such as infection or the need for admission to a NHS facility and also the feedback you provided as part of a national survey. PHIN will use your information in order to share it with the NHS, and track whether you have received any follow-up treatment.||We will only share this information with PHIN if you have provided your consent for me to do so (Article 6(a)).||We will only share this information with PHIN if you have provided your consent for me to do so (Article 9 (2)(a)).|
|Resolving patient queries or complaints.||Occasionally patients may make enquiries or complaints about the service or treatment offered. In order to investigate and resolve these matters properly, we need to access your personal information.||We have a business need, or ‘legitimate interest' to process your personal information and such business need does not cause harm to you (Article 6(f)).||The processing is necessary in order for us to establish, exercise or defend our legal rights (Article 9(2) (f)).|
|Communicating with other healthcare professionals about your treatment.||Other healthcare professionals may need to know about the treatment I have given you in order to provide you with appropriate care in the future.
We will only share a summary of your care and treatment with your GP if you consent to it on your patient registration form.
Examples of third parties who may need access to your information can be found at Section 10.
|We have a business need, or ‘legitimate interest' to process your personal information and such business need does not cause harm to you (Article 6(f)).
We will only share a summary of your care and treatment with your GP if you have provided your consent for me to do so (Article 6(a)).
|The processing is necessary for reasons of substantial public interest in the area of public health (Article 9.2(i).
The use is necessary in order for us to establish, exercise or defend our legal rights (Article 9(2)(f)).
We will only share a summary of your care and treatment with your GP if you have provided your consent for me to do so (Article 9(2)(a)).
|Sharing your personal information with your insurer.||To allow your insurer to cover the cost of your healthcare, we need to communicate with them about the treatment you receive from me.
Additionally, your insurer may require access to your medical records in order to validate and approve your treatment. Your insurer may also audit us for the purpose of validating the accuracy of our charges and assessing and assuring the quality of services provided by me.
Your personal information will only be shared for this purpose if you have provided your consent on the patient registration form.
|To fulfil our contract with you for the delivery of healthcare services (Article 6(b)).
We will only share your medical record with your insurer if you have provided your consent for us to do so (Article 6(a)).
|We will only share your medical record with your insurer if you have provided your consent for us to do so (Article 9(2) (a)).|
|Complying with legal or regulatory obligations, and defending or exercising legal rights.||
As independent practitioners, we are subject to a wide range of legal and regulatory requirements. We may be required to provide personal information of patients under these requirements, in which case we will have a legal responsibility to do so. From time to time, we may also the subject of legal actions or complaints. In order to fully investigate and respond to those actions, it may be necessary to process your personal information.
|The processing is necessary in order for me to comply with our legal obligations (Article 6(c)).||The processing is necessary for establishing, exercising or defending legal claims (Article 9(2) (f)).|
|For account settlement purposes.||We need to ensure that your account and billing information is accurate and up-to-date.||To fulfil our contract with you for the delivery of healthcare services (Article 6(b)).||The processing is necessary in order for me to establish, exercise or defend our legal rights (Article 9(2)(f)).|
|Managing our business operations.||We need to maintain accounting records, analyse financial results and receive professional business advice.||We have a business need, or ‘legitimate interest' to use your personal information and such business need does not cause harm to the patient (Article 6(f)).||No special category data will be processed under this purpose, so no additional legal justification applies.|