GenesisCare UK is a trading name of Genesis Cancer Care UK Limited. We are a specialist, provider of cancer care diagnostic and treatment services in the UK. Our company registration is 05796994 and our registered office is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. GenesisCare is registered with the Information Commissioners Office, registration number Z9493925.
This privacy notice applies to anyone who asks about, buys or uses our services in any way (for example, by email, through our website, or by telephone). We take privacy seriously and we want you as our service user, to understand the information we collect about you, how we process and protect the personal information which we collect about you, from you and from third parties, so that you can be confident that the information is being used safely and in ways that are reasonably expected, and what rights you have in respect of your personal information.
When we refer to ‘we’, ‘us’ and ‘our’, means GenesisCare UK.
GenesisCare has two health-related subsidiaries: Birmingham Prostate Clinic Limited (which operates as Birmingham Prostate Clinic) and Berkshire Health Limited (which operates as The Forbury Clinic).
GenesisCare UK has put measures in place to ensure the safety of all patients and staff. Our services have been reorganised so that health and care can be provided to those in need during the pandemic.
Consultations between doctors and patients will utilise ‘telehealth’ technology and patients may be invited to join a Zoom consultation through a link or a calendar invitation sent via email.
We do not record consultations. Any notes taken during your consultation will be added to your health and care record which is held securely on our patient system. Further information relating to your personal data can be found below.
The lawful basis for this processing is legitimate interest, that is, the processing is necessary to support your health and care using video communications; providing the ability to support treating doctors in the conduct of remote appointments and calls to their patients, which facilitates the continuity of care during the Covid-19 pandemic; and to provide assurance against any increased risk of infection face to face appointments would carry as a result.
In order to safeguard our staff, doctors, patients and visitors (including all their families), you will be required to complete a test for SARS-CoV-2, which will be on-going until all government shielding and social distancing measures due to SARS-CoV-2 have been lifted. Your nasal and throat swab sample will be couriered to the laboratory for processing. We will supply the laboratory with your basic ID details (name and DOB) to allow them to process and report your swab test result. The results of the swab test will be available to relevant members of the health and care team and to your clinician, who will contact you should a positive result be received.
Innova Lateral Flow Antigen Test (LFT)
An LFT is a rapid test for Covid-19 which can be self-administered to allow to faster results which will further mitigate the risk of transmission. As a patient, you may be asked to complete an LFT before accessing certain GenesisCare services. You will be provided with a test kit on arriving at reception. All tests and results, irrespective of the outcome will be recorded by our reception team and reported to Public Health England.
Using your data and Sharing data with other health and care bodies engaged in the COVID-19 response
Our lawful basis for processing your personal data is legitimate interest as the processing is necessary during the Covid-19 pandemic to control, and wherever possible, prevent the spread of infection. We may also be legally required to share personal data under the Notice issued by the Secretary of State under Regulation 3(4) of the Health Service Control of Patient Information Regulations issued on the 1st April 2020. In relation to your special category data, the processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services.
To protect your health and care needs we may share your confidential information including health and care records with clinical and non-clinical staff internally within GenesisCare and with other health and care providers and other bodies engaged in disease surveillance for the purposes of protecting public health, providing health and care services and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by the NHS and other health and social care organisations to support the COVID-19 response can be found here.
What information do we collect and use?
We strictly control access to and the use of your health and care information and will comply with data security and protection requirements, legislation and the guidance and protocols issued by the regulating medical organisation
When you register with us we will collect information about you which can include:
- Your name and address
- Date of birth, gender and marital status
- Your contact details, including email address and home and mobile telephone numbers (see the section below)
- Your GP details
- Family details, lifestyle and social circumstances, where relevant to your care.
When you register with us we will ask for details of your email address and home and mobile telephone numbers. You can choose how we are to contact you and whether we can leave a voicemail. You can change your preferences at any time, please let us know.
It is important that you tell us immediately if your contact details have changed.
Please note that we cannot be held responsible should you change your contact number or email address and not advise us. Equally we cannot be held responsible for onwards use or transmission of a text message after you have received it.
We may use a trusted SMS messaging service to provide a patient reminder service which means you will receive a discrete text message a few days before your appointment. We may also send a text if there is an emergency, for example, if access to a Centre has been prevented. Please tell your Centre if you wish to opt-out of this service. You should not reply to these texts as they will not be responded to in real time. However, such data will be monitored and treated confidentially in accordance with our policy. This service is managed in collaboration with GenesisCare Australia colleagues with whom appropriate inter-group data protection agreements are in place.
We may use your personal data to provide a taxi service for you, at your request.
This will be someone with whom we can share information about the progress of your treatment and contact in the event of an emergency, unless you advise us not to. It is important to notify us of any change to these emergency contact details so that we can ensure they are kept up-to-date and accurate. Please ensure that your contacts are comfortable with you giving us their information and we recommend you show them this privacy notice.
If you are self –funding or need to cover costs in the event of a shortfall of funds from insurers we will ask you for your credit card details. You will receive a copy of the receipt and our Finance Department will store the merchant copy securely for one year on our servers for financial audit purposes after which our copy will be deleted.
Special category data may include information about your current or previous health, your diagnoses and medications; images you had taken in the course of care or treatment; your sex life or sexual orientation, your religion, race or ethnicity and genetic information relating to you.
It may include details of health and care services provided previously by GenesisCare UK or by other health and care providers and include details of any medication you have been prescribed.
We may ask whether or not you have a disability for which the organisation needs to make reasonable adjustments.
We may ask for information about medical or health conditions of your family.
We will collect ethnicity data and will use this data in an anonymised format to:
- Identify any risk factors for ethnic groups, as some ethnic groups are more at risk of specific diseases
- Identify any risk factors for ethnic groups, as some ethnic groups are more at risk of specific diseases
- Support the clinical management of conditions
- Provide insight into ethnicity that can be used to assist with diagnosis
- Understand any specific needs of patients from different ethnic groups
- Audit and ensure equality of access to our services
- Continually improve our services.
CCTV recording is in use at some GenesisCare UK locations; this is used to ensure the security of property and premises and for preventing and investigating crime purposes only. Areas monitored by CCTV are sign-posted. The information processed can include visual images, personal appearances and behaviour. Where necessary or required, this information is shared with you, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
We will collect information received in response to any queries, concerns, compliments, complaints and/or claims.
We may collect information in relation to the quality of our services, for example, calls from/to patients may be recorded for the purposes of staff training, customer service development and quality improvement and/or you may agree to complete a survey.
Who do we collect information from?
- You use our services
- You correspond with us by letter, email or telephone or via social media, including where you reference GenesisCare UK in a public social media post
- You take part in a survey
- You take part in our marketing activities.
To provide you with the best possible care, we collect personal information about you from other providers. These can include:
- Records from other health and care providers who have previously provided treatment to you, (this can include both private organisations and the NHS)
- Records from your consultant (including those provided through their medical secretaries)
- Information from other service providers who work with us in relation to diagnostics, care and treatment provided to you
- Samples and tests provided by pathology or laboratory organisations
We may collect information about you from third parties when:
- You are referred to us for health related services
- We liaise with current or former other service and support providers
- We liaise with your emergency contact or family
- We communicate with your medical insurance policy provider
- We instruct debt collection agencies
- We communicate with government agencies such as social and welfare organisations where it is legally required for the safety of the individual concerned, for example, safeguarding.
How do we secure your data?
Depending on the circumstances we may be the controller of your data or we may be a joint controller but in all cases we have security measures to protect your personal information and everyone working at GenesisCare is subject to the Common Law Duty of Confidentiality and to data protection legislation, which means that staff have a legal duty to protect and secure your information and preserve confidentiality. This also applies to those who receive data from us.
We protect your data in many ways:
- By providing those who work at GenesisCare with robust policies, procedures and guidelines
- Ensuring our staff complete regular training
- Ensuring personal information is only accessible to and shared with individuals that have a justifiable need to access it
- Implementing physical access controls within our facilities
- Applying technical controls such as encryption (which includes configurations to conform to the O365 NHS Digital Assessment)
- Legally binding agreements and contracts between relevant parties
- Holding up-to-date registers of our information assets.
Wherever possible we will anonymise or pseudonymise your information before we share it with others, or where we no longer require the information in identifiable form.
Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.
Pseudonymisation is the processing of information in such a way that it can no longer be attributed to you without the use of additional information and where that additional information is kept separately. This allows for a much wider use of the information for statistical or other purposes.
We provide our staff with guidelines to ensure that any transfer of personal information will be carried out securely and in line with data protection law.
If your permanent address is outside the UK, or your treatment is continuing outside the UK, we may send details of your treatment to specific individuals to promote your ongoing care.
GenesisCare UK is part of a global organisation and we (or third parties acting on our behalf) may store or process personal information within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain and Australia and the United States. This processing is based on our own or a third party’s legitimate business interests.
As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.
Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:
- Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
- Implementing Standard Contractual Clauses; and
- Adopting technical, organisational and contractual measures, where required having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.
In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:
- You have explicitly consented to the proposed transfer; or
- The transfer is necessary for the performance of a contract.
In all cases any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.
GenesisCare carries out Data Protection Impact Assessments prior to new or changed processing of data relating to individuals in order to identify and minimise the data protection risks of data processing activities undertaken.
What is your information used for?
We use your information for a number of purposes and to do so we must have a legal justification under data protection law.
The legal justification will depend on the type of data (personal or special category) and the purpose for which we intend using your information.
We have set out individually those purposes for which we will use your data below along with the justification.
Please note that failure to provide your information further to a contractual requirement with us or a consultant may mean that we are unable to register you as a patient or facilitate the provision of your healthcare on the GenesisCare UK’s systems.
When you come to us for care and treatment, we use your personal information, which will include special category personal data, in order to provide health related services and to fulfil our contract with you for the provision of the services.
This is necessary to enable us to provide you with health related services and treatment and to fulfil our contract with you for the provision of such care. We use your personal information to ensure our accounting and invoicing activities are accurate and up-to-date. We have an appropriate business need to use your information which does not overly prejudice you. This supports the provision of your healthcare and is necessary for us to establish, exercise or defend our legal rights.
We are accountable for ensuring safe clinical and operational practices are implemented and maintained. We undertake regular audits of compliance to ensure the delivery of standards of treatment, for quality assurance, to ensure services can meet patient needs in the future and to assess adherence to policy and procedure. We do this on the basis of a legitimate and appropriate business interest and the public interest in statistical and scientific research, and with appropriate safeguards in place. Wherever possible we use anonymised information.
Details of the organisations we share data with for clinical audit purposes can be found in the ‘Who do we Share Your Information With?
GenesisCare participates in research and training to measure the long term effectiveness of treatment, to support the development of technological innovations and to improve healthcare services and patient outcomes. We share data under a legally binding contract where anonymised or aggregated patient data would not suffice and researchers are bound by data protection legislation and confidentiality clauses.
Your information can be used monitor and improve health, to support preventative medicine and medical research, to find a cure for serious illnesses for the population or a group of patients and to help evaluate treatments and services. This may involve engaging staff in considering how they improve patient care.
We will ask for your consent to share this data when you register with us.
We may share anonymised and aggregated patient information with organisations such as the National Institute for Clinical Excellence for research or statistical purposes. You will not be identifiable in any such research unless anonymised or aggregated patient data would not otherwise be sufficient. Such researchers will be under a duty of medical confidentiality in addition to that imposed by the data protection legislation.
We will share your personal information only to the extent that it is necessary to do and as permitted by law. Some research projects and/or registries have received statutory approval and consent may not be required to use your personal data. Where appropriate we will comply with the National Data Opt-Out.
In the event that consent is required then either the research organisations themselves will obtain this from you themselves or we will obtain consent from you.
Where your consent is not required, for example, where information, including images, are fully anonymised and have no ability to identify the specific individual to whom they relate, we have a legitimate interest in helping with medical research and have put in place appropriate safeguards to protect your privacy. Information collected during treatment, including images, may be used for education, audit and research (which may be published in medical journals).
Where data is shared for statistical and scientific research purposes the use is necessary in the public interest.
You may be advised or recommended to participate in a clinical trial. Your consultant will explain how your data is shared with the organisation running the trial. Your personal data will be shared for the legitimate reason of providing you with health and care services. We would have 2 Article 9 lawful conditions for your special category data. For the treatment itself, we would process under Article 9 (2)(h) provision of health care, but for sharing with others involved in the trial, it would be Article 9 (2) (j) scientific research purposes.
We may use your information to communicate with you about the resolution of any queries, concerns or complaints you may have and we take those communications seriously. It is important that we resolve such matters properly and fully to the satisfaction of all concerned, and we will need to use your personal information to do so. We do this in order to provide you with health and care and treatment, to manage our services and we have an appropriate business interest which does not overly prejudice you. This use is also necessary for us to establish, exercise or defend our legal rights.
When you register for care or treatment, you may provide details of an emergency contact with whom we can share information about the progress of your treatment and contact in the event of an emergency, unless you have advised us not to.
We may share your information with other health and care professionals or organisations so they can provide you with safe and effective care. We have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in your care have full details of your treatment. The use is necessary for reasons of substantial public interest under UK law.
GenesisCare UK has a legal obligation under the Health & Social Care Act 2015 to use your NHS number where reasonably available, and this unique identifier will be used for all data sharing associated with facilitating the care of NHS patients.
As a provider of health and care, we are subject to a wide range of legal and regulatory responsibilities. Where we are required by law or by regulators to provide personal information, the use is necessary for the provision of health and care or treatment and the management of health and care systems and we have a legal obligation to do so.
In the unlikely event that GenesisCare UK or its consultants are the subject of legal actions or complaints it is necessary to access your personal information in order to investigate and respond to those actions (limited to the extent necessary and relevant to the subject-matter) to enable us to establish, exercise or defend our legal rights.
GenesisCare UK is a quality-conscious organisation. We look to learn from you to improve the experience of future patients where possible. We will use your personal information to identify where improvements can be made, such as reviewing recorded phone calls to assess whether anything can be learnt and asking for your opinion on your experience with GenesisCare UK.
We have an appropriate business need to use your information which does not overly prejudice you. We need to use the information in order to manage the health and care services we deliver and in order to identify and carry out any necessary improvements.
We have an appropriate business need to use your information which does not overly prejudice you and the use is necessary for us to comply with our legal obligations. In the event that we use special categories information about you for this purpose, it would be because the use is necessary for the provision of health and care or treatment or the management of health and care services and systems or the use is necessary to establish, exercise or defend legal claims.
If we were to sell or transfer a Centre or part of our business to another organisation, your patient records would also transfer to the new owner. Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. Your records would be transferred to minimise the disruption to current and past patients caused by the sale or transfer and to ensure that we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.
We use personal data including photography (still and moving), audio or written transcript recordings in our marketing materials related to the promotion of our organisation and services, as an educational resource, within presentations or within journalistic articles or material. These materials will be published online and within printed media, used in promotional videos at events, used in advertising and broadcast and used for educational purposes. Depending on the circumstances, this may include special categories of data such as information relating to your health.
We will only use your data where there is a lawful basis to do so, for example, where filming takes place in a public area we will rely on Legitimate Interests as the lawful basis and where we are processing special categories of data for promotional, marketing, journalistic and education purposes, we will rely on explicit consent. You may withdraw your consent to further processing of your image and this is explained fully when you are asked if you wish to participate.
You may be offered a telehealth remote consultation by your doctor. If we provide this service we may record your name, telephone number and IP address.
Our legal basis for this is the legitimate interests of both GenesisCare UK and the doctors to support treatment via remote appointments and calls providing continuity of care during the Covid-19 pandemic crisis, and assurance against any increased risk of infection face to face appointments would carry as a result.
We support the continuous development of and improvement to technological functionalities in the systems we use to provide cancer care and treatment. We are sometimes asked by our third party partners to provide data to support the commercial development of these systems, for example, radiology equipment.
Where we provide sample data for these activities we ensure that robust data protection agreements are in place with our systems suppliers and our specialist IT team anonymise your data prior to sharing so that it cannot be connected to you.
Who Do We Share Your Information With?
It is important that you understand that we may share your information with others. We may share your personal information within our group of companies and with third parties.
We may share your personal information within the GenesisCare group of companies as described in the previous sections. Where we collaborate with our colleagues in Australia, Spain or the USA, there will be an inter-group data protection agreement in place and, if appropriate, those staff will be required to complete and pass UK Information Governance training and comply with UK policies and procedures which align with UK legislation.
We may offer you ancillary services connected to GenesisCare, such as the GenesisCare Exercise Clinic, counsellors and therapists. If you take up this support, we will share information with the relevant health and care professionals.
As a GenesisCare UK patient, your treatment may be provided by a medical consultant. Medical consultants who provide you with care are required by law to maintain records about your health and any treatment or care you have received. They also make decisions about what information is collected about you and may maintain their own set of medical records in relation to the treatment that they provide as well as sharing the records relating to your care and treatment that GenesisCare UK maintains. Consultants control this information which means they must individually comply with the data protection legislation and relevant guidance when handling your personal information and should therefore also make available to you their own privacy notice. In respect of your direct health care and treatment received through GenesisCare UK, GenesisCare UK jointly controls your information with your consultant. This means that as joint controllers, together we determine the means and purpose of processing your information for your care and treatment.
Consultants who work with GenesisCare UK (including their medical secretaries) are expected to handle your personal data in accordance with the principles set out within this Privacy Notice. This means that whenever they use your personal data, they will do so as set out in this Privacy Notice. In addition, GenesisCare and Consultants are required to adhere to the Joint Patient Data Sharing and Management Policy which we can provide to you upon request.
Consultants working with GenesisCare UK (including their medical secretaries) may process your personal information at a non-GenesisCare UK site.
If you want to find out more about the arrangements between GenesisCare UK and consultants for handling your information please let us know by contacting our Data Protection Officer (DPO), details at the foot of this Privacy Notice.
This is a team of medical consultants who will discuss a treatment plan for you via the GenesisCare UK eMDT platform (developed and supported by our processor, Context Health). You will be referred to consultants in your specialist reference group who will have access to your medical data, to the diagnostic images held on the radiology system (PACS) and to your Care Plan preferences. Consultants working together in the eMDT will discuss your case to achieve the best possible outcome.
All eMDT consultants sign a strict privacy agreement as a condition of participating and are bound by data protection legislation. The data will be held on the platform for one year and a day and thereafter deleted unless you are a GenesisCare patient in which case your treatment data will be saved in our patient systems in accordance with standard lawful practice. Data processed in the eMDT function is jointly controlled by GenesisCare and the clinical participants and a legal arrangement is in place between the parties. Data processed in the audit function is controlled by GenesisCare. Data processed in relation to patient outcomes is controlled jointly by the collaborating Consultants.
We may share data with an NHS Trust which has commissioned our services so that we can jointly support your health and care and treatment.
This means that we may collect, transfer, share and manage your data jointly in our systems for the purposes of health and care services and related administration under a formal joint controller arrangement. Such a joint controller arrangement will set out our respective responsibilities to you with respect to:
- Our compliance with the data protection law generally;
- Our responsibilities for dealing with your rights as data subjects; and
- Our respective duties for provision of information to you.
Where joint controller relationships exist both parties must comply with data protection standards and both are responsible for addressing your rights and freedoms.
If you want to find out more about the arrangements between GenesisCare UK and NHS Trusts for handling your information please contact our DPO.
Where the cost of your treatment and care is covered by insurance, we share your information with your insurer or the administrator of the applicable scheme of insurance. Both GenesisCare UK and your insurer are controllers of this personal information. This means that each of us individually may determine the means and the purpose of any processing of the information we hold.
Generally, we share information in order to allow each other to exercise its rights or comply with its obligations under the health and care services arrangement we have in place, and in the case of the insurer, to manage claims and administer the schemes for insured members.
Specifically, your information may be used in the following shared activities:
- The provision of clinical quality information
- The pre-authorisation of treatment on your behalf
- Invoicing for services provided
- The notification of any serious incidents
- Assisting and cooperating in the investigation of any member complaints
- Allowing your insurer to inspect and audit our facilities
You may exercise your rights against either GenesisCare UK or your insurer where we are both controllers of the same information for the same processing purpose.
Where we independently hold further information, or process information for purposes in addition to the shared purposes stated above, you should direct any communication concerning your rights to the applicable holder/processor of your information.
The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England.
We make notifications to Public Health England and other statutory bodies in compliance with our legal obligations and where necessary to protect the vital interests of individuals.
This processing is necessary for reasons of public interest in the area of public health such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care on the basis of UK law.
National Cancer Registration and Analysis Service (NCRAS)
If you have been diagnosed with cancer, GenesisCare will provide information about you and your cancer to the National Cancer Registration Service (NCRS). The NCRS promotes research, monitoring and improvement of cancer care. If you wish to request that your details are not included on the Register or have your information removed you should contact the NCRS directly by email to firstname.lastname@example.org. Further information has been provided to you in the Public Health England leaflet ‘Cancer Registration – what it is, the benefits of being on the register and your options’.
Private Healthcare Information Network (PHIN) / NHS
We are bound in law to send identifiable data to the Private Healthcare Information Network (PHIN) about the private patients we treat with radiotherapy. PHIN collects and publishes information about the activity and performance of health and care providers and doctors providing private care. PHIN has its own privacy notice which can be accessed via its website. Whilst the information we are obliged to provide includes some of your personal data, PHIN cannot identify you from it for although your NHS number is included, PHIN does not have access to any patient systems. Any information that is published by PHIN will always be in an anonymised statistical form.
We are required to provide PHIN with information related to your treatment, including your:
- National Health Service (NHS) number, or in the case of patients from outside the UK, a suitable equivalent identifier e.g. passport number
- Your age
- Your gender
- Your ethnicity or race
- Your diagnosis (what you are receiving treatment for)
- Other data about your state of health
- The procedure you have undergone
- The date you came into hospital, and the date you left
- Your postcode.
Further information about how PHIN uses information is available at www.phin.org.uk. We will be happy to print a copy for you if you prefer.
National Radiotherapy Dataset
We are required to send a radiotherapy dataset to the NHS Trust where treatment is funded by the NHS; the Trust will then forward this data on to NHS England.
The purpose of this collection is to support consistent data and inform the planning, provision and commissioning of radiotherapy services.
Other national data collection
We may collect and share data without your consent provided that the particular audit registry or data collection has received statutory approval, or where the information will be provided in a purely anonymous form, otherwise your consent will be needed. Where your consent is required, the registry organisation may have consent processes of their own, otherwise we will obtain that consent from you.
We may also share your personal information with the third parties listed below for the purposes identified within this privacy notice:
- A doctor, nurse, carer, pharmacist, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests or other healthcare professional involved in your care
- Other members of support staff involved in the delivery of your care, such as receptionists and medical secretaries
- Other private sector healthcare providers where you request us to do so
- Your GP
- Voluntary organisations providing on-going support
- Taxi providers where transport assistance for treatment is provided for insured patients
- Government bodies and local authority departments
- Our regulators, such as the Care Quality Commission
- The police and other third parties where reasonably necessary for the prevention or detection of crime
- Our insurers
- Debt collection agencies
- Third parties to the extent required by law, regulation or court orders and statutory requests for information
- Service providers we use to support our business. These processors are trusted partners that work with us and are authorised to use your personal information only as necessary to provide these services to us. We require these third parties to comply strictly with our instructions and data protection law and we ensure appropriate controls are in place. We enter into written contracts with all our processors
- Our third party service providers such as auditors, lawyers, marketing agencies and tax advisers
- Selected third parties in connection with any sale, transfer or disposal of our business. We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.
National data opt-out programme
The national data opt-out puts into effect the opt-out model proposed by the National Data Guardian and enables patients receiving NHS funded care to choose how their confidential patient information is used for purposes beyond individual care such as research and planning, with some exceptions.
We comply with this requirement by providing a choice for all patients to opt-out of their data being used for Research and Planning on the registration form. Please note:
- The opt-out will not apply to anonymous data or data that has been de-personalised in accordance with the ICO’s managing data protection risk code of practice.
- Some exemptions will exist where there is an overriding public interest or other legal basis, which aligns with legal exemptions from the Common Law Duty of Confidentiality. For example, the opt-out will not apply to patient data that is required for validating invoices or where a court order has been obtained.
- Also exempt: Two specific registries, one collecting data on all individuals with a cancer diagnosis and one on those with a rare disease, but they will continue to operate their own opt-outs.
- Patients who have opted out can still give their consent for a specific use of data, like a specific research trial.
Further information on the national data opt-out programme can be found at https://digital.nhs.uk/services/national-data-opt-out-programme.
How long do we keep your personal information for?
We retain information in accordance with our legal obligations and national best practice. We ensure compliance through regular auditing and ensure information is securely disposed of when it has reached the end of its retention period. We implement data retention periods for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. We will only keep your personal information for as long as reasonably necessary in order to support patient care and continuity of care; support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate business interests and to comply with our legal and regulatory requirements.
GenesisCare UK’s retention policy for most medical records is 30 years in line with the NHSX Records Management Code of Practice 2021.
Under data protection law you have a number of specific rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details at the foot of this privacy notice and without adversely affecting your care.
We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why. Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a Rights request.
There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act as well as any secondary legislation which regulates the use of personal information.
If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.
- The right to be informed – This is fulfilled through our privacy notices.
- The right of access to your personal information – You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data. We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (eg by email) the personal data will be provided to you electronically where possible. In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.
- The right to rectification – This enables you to require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date.
- The right to erasure – This is also known as the right to be forgotten. In some circumstances, you have the right to request that we delete the personal information we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
- The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.
- The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare UK processes about you and use it for your own purposes. This means you have the right to receive the personal information or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.
- The right to object – you have the right to object to processing based on our legitimate business interests (including profiling), direct marketing (including profiling) and processing for purposes of scientific or historical research or statistical research purposes. The objection must be on grounds relating to your particular situation.
- The right not to be subject to automated decisions – (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you. GenesisCare UK does not carry out automated decision-making in relation to patients. In the event that our policy in this respect changes, we shall update this privacy notice.
- Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal information. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal information. You can do this by contacting our DPO whose details are at the foot off this privacy notice.
Your right to complain to the Information Commissioners Office
You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the Information Commissioner’s Office and giving us the opportunity to respond.
- the Information Governance Manager at email@example.com
or GenesisCare, 69 Alma Rd, Windsor SL4 3HD, or telephone 07795 497825
- the Data Protection Officer at DPO@genesiscare.co.uk
or GenesisCare, 69 Alma Rd, Windsor SL4 3HD, or telephone 07841 207263
You can contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at firstname.lastname@example.org, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call). Website: https://ico.org.uk/
Making a complaint will not affect any other legal rights or remedies that you have.
If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please speak with the GenesisCare Health Care Professional who is involved in your care.
You can also contact our Data Protection Officer:
Email: DPO@genesiscare.co.uk or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer”
Telephone: 07841 207263
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy and signpost you to the specific changes.
Revised November 2021