Privacy notice for GenesisCare patients

GenesisCare UK

GenesisCare UK is a trading name of Genesis Cancer Care UK Limited. For the purposes of this privacy notice, references to GenesisCare UK include the GenesisCare UK subsidiaries.

The registered office for GenesisCare and its subsidiaries is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. Other registration details are as follows:

Company name | Company registration number | Information Commissioner's Office registration number
GenesisCare UK | 05796994 | Z9493925
Berkshire Health Limited (BHL) | 07238700 | Z274620
Birmingham Prostate Clinic (BPC) | 05509497 | ZA441424

This Privacy Notice

This privacy notice applies to anyone who asks about, buys or uses our services in any way (for example, by email, through our website, or by telephone). We take privacy seriously and we want you, as our service user, to understand the information we collect about you; how we process and protect the personal information which we collect about you, from you and from third parties, so that you can be confident that the information is being used safely and in ways that are reasonably expected; and what rights you have in respect of your personal information.

When we refer to ‘we’, ‘us’ and ‘our’, we mean GenesisCare UK.

What information do we collect and use?

We strictly control access to and the use of your health and care information and will comply with data security and protection requirements, legislation and the guidance and protocols issued by the regulating medical organisations.

When you register with us we will collect information about you which can include:

Who do we collect information from?

How do we secure your data?

Depending on the circumstances we may be the controller of your data or we may be a joint controller but in all cases we have security measures to protect your personal information and everyone working at GenesisCare is subject to the Common Law Duty of Confidentiality and to data protection legislation, which means that staff have a legal duty to protect and secure your information and preserve confidentiality. This also applies to those who receive data from us.

We will hold your data in an electronic format, either on a patient administration system or on our secure servers (for example, if we need to save a copy of your data in order to send it onto another service provider), and on paper (for example, where your Centre holds a print-out for clinical safety and business continuity purposes).

We protect your data in many ways:

What is your information used for?

We use your information for a number of purposes and to do so we must have a legal justification under data protection law.

The legal justification will depend on the type of data (personal or special category) and the purpose for which we intend using your information.

We have set out individually those purposes for which we will use your data below along with the justification.

Please note that failure to provide your information further to a contractual requirement with us or a consultant may mean that we are unable to register you as a patient or facilitate the provision of your healthcare on GenesisCare UK’s systems.

Who Do We Share Your Information With?

It is important that you understand that we may share your information with others. We may share your personal information within our group of companies and with third parties.

National data opt-out programme

The national data opt-out puts into effect the opt-out model proposed by the National Data Guardian and enables patients receiving NHS funded care to choose how their confidential patient information is used for purposes beyond individual care such as research and planning, with some exceptions.

Further information, including the scope of the national data opt-out programme can be found at https://digital.nhs.uk/services/national-data-opt-out-programme.

How long do we keep your personal information for?

We retain information in accordance with our legal obligations and national best practice. We ensure compliance through regular auditing and ensure information is securely disposed of when it has reached the end of its retention period. This also applies to interim paper copies held for clinical safety and business continuity purposes.

We implement data retention periods for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. We will only keep your personal information for as long as reasonably necessary in order to support patient care and continuity of care; support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate business interests and to comply with our legal and regulatory requirements.

GenesisCare UK’s retention policy for most medical records is 30 years from diagnosis in line with the NHSX Records Management Code of Practice 2021. The following are other examples:

Record Type | Retention Start | Retention Period
Visitor sheets held in Reception; clinic print-outs; interim paper copies | Date of visit | As long as reasonably required, this may be until the following day or longer if necessary
Incidents | Closure of incident | Incidents (serious) – 20 years; Incidents (not serious) – 10 years
Complaints / investigation case file | Closure of complaint / investigation | 10 years
Subject Access Request (SAR) and disclosure | Closure of SAR | 3 years; 6 years where there has been an appeal
Log of incoming telephone calls | Dates of entry | 3 months
Telephone recordings | Date of recording | 51 days

Your Rights

Under data protection law you have a number of specific rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details at the foot of this privacy notice and without adversely affecting your care.

We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why. Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a Rights request.

There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act as well as any secondary legislation which regulates the use of personal information.

If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.

1. The right to be informed – This is fulfilled through our privacy notices.

2. The right of access to your personal information – You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data. We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (e.g. by email) the personal data will be provided to you electronically where possible. In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.

3. The right to rectification – This enables you to require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date.

4. The right to erasure – This is also known as the right to be forgotten. In some circumstances, you have the right to request that we delete the personal information we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However, there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep it for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.

5. The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.

6. The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare UK processes about you and use it for your own purposes. This means you have the right to receive the personal information or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.

7. The right to object – You have the right to object to processing based on our legitimate business interests (including profiling), direct marketing (including profiling) and processing for the purposes of scientific or historical research or statistical research. The objection must be on grounds relating to your particular situation.

8. The right not to be subject to automated decisions – (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you. GenesisCare UK does not carry out automated decision-making in relation to patients. In the event that our policy in this respect changes, we shall update this privacy notice.

9. Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal information. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal information. You can do this by contacting our DPO whose details are at the foot of this privacy notice.

Your right to complain to the Information Commissioner’s Office

You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the Information Commissioner’s Office and giving us the opportunity to respond.

Please contact:

You can contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at casework@ico.org.uk, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call). Website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

Queries

If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please speak with the GenesisCare Health Care Professional who is involved in your care.

You can also contact our Data Protection Officer:
Email: DPO@genesiscare.co.uk or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer”

Telephone: 07841 207263

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy and signpost you to the specific changes.

Revised May 2023