Privacy notice for GenesisCare patients

GenesisCare UK

GenesisCare UK is a trading name of Genesis Cancer Care UK Limited.  For the purposes of this privacy notice reference to GenesisCare UK includes the GenesisCare UK subsidiaries.

The registered office for GenesisCare and its subsidiaries is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. Other registration detail is as follows:

Company name Company registration number Information Comissioners Office registration number 
GenesisCare UK05796994Z9493925
Berkshire Health Limited (BHL)07238700Z274620
Birmingham Prostate Clinic (BPC)05509497ZA441424

This Privacy Notice

This privacy notice applies to anyone who asks about, buys or uses our services in any way (for example, by email, through our website, or by telephone). We take privacy seriously and we want you as our service user, to understand the information we collect about you, how we process and protect the personal data which we collect about you, from you and from third parties, so that you can be confident that the information is being used safely and in ways that are reasonably expected, and what rights you have in respect of your personal data.

When we refer to ‘we’, ‘us’ and ‘our’, means GenesisCare UK.

What information do we collect and use?

We strictly control access to and the use of your health and care information and will comply with data security and protection requirements, legislation and the guidance and protocols issued by the regulating medical organisations.

Types of data

Types Explanation 
Personal DataPersonal data means any information relating to an identifiable person who can be directly or indirectly identified for example by a name, an identification number, location data, date of birth, etc.
Special Category Personal Data This data has extra safeguards apply to its processing.  It is data about an individual’s racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; sex life or sexual orientation; health, including genetic and biometric data where processed to uniquely identify an individual.
Pseudonymised DataThis is where data has been masked so that it can no longer be attributed to a specific data subject without the use of additional information (‘the key’) which is kept separately and securely. This data type is processed as personal data.
Anonymised DataIf data has been turned into a form which does not identify individuals, and where the risk of re-identification is extremely low, data protection legislation does not apply.
Aggregate Data

Anonymised data which has been grouped together to provide statistics.

Who do we collect information from?

What is your information used for?

We use your information for a number of purposes and to do so we must have a legal justification under data protection law. The legal justification will depend on the type of data (personal or special category) and the purpose for which we intend using your information.

We have set out individually those purposes for which we will use your data below along with the lawful basis.

National data opt-out programme

The national data opt-out puts into effect the opt-out model proposed by the National Data Guardian and enables patients receiving NHS funded care to choose how their confidential patient information is used for purposes beyond individual care such as research and planning, with some exceptions.

Further information, including the scope of the national data opt-out programme can be found at https://digital.nhs.uk/services/national-data-opt-out-programme.

Who do we share your information with?

It is important that you understand that we may share your information with others. We may share your personal data within our group of companies and with third parties.

How do we secure your data?

Depending on the circumstances we may be the controller of your data or we may be a joint controller but in all cases we have security measures to protect your personal data and everyone working at GenesisCare is subject to the Common Law Duty of Confidentiality and to data protection legislation, which means that staff have a legal duty to protect and secure your information and preserve confidentiality. This also applies to those who receive data from us. 

We will hold your data in an electronic format, either on a patient administration system or on our secure servers (for example, if we need to save a copy of your data in order to send it onto another service provider), and on paper (for example, where your Centre holds a print-out for clinical safety and business continuity purposes).

We protect your data in many ways:

How long do we keep your personal data for?

We retain information in accordance with our legal obligations and national best practice. We ensure compliance through regular auditing and ensure information is securely disposed of when it has reached the end of its retention period. This also applies to interim paper copies held for clinical safety and business continuity purposes.

We implement data retention periods for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. We will only keep your personal data for as long as reasonably necessary in order to support patient care and continuity of care; support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate business interests and to comply with our legal and regulatory requirements.

GenesisCare UK’s retention policy for most medical records is 30 years from diagnosis in line with the NHSX Records Management Code of Practice 2021. The following are other examples:

Record Type Retention StartRentention Period
Visitor sheets held in Reception; clinic print-outs; interim paper copiesDate of visitAs long as reasonably required, this may be until the following day or longer if necessary
IncidentsClosure of incident

Incidents (serious) – 20 years

Incidents (not serious) -10 years

Complaints / investigation case fileClosure of complaint / investigation10 years
Subject Access Request (SAR) and disclosureClosure of SAR3 years; 6 years where there has been an appeal
Log of incoming telephone callsDates of entry3 months
Telephone recordingsDate of recording51 days

Your Rights

Under data protection law you have a number of specific rights in relation to the personal data that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details at the foot of this privacy notice and without adversely affecting your care.

We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why.  Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a Rights request.

There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act as well as any secondary legislation which regulates the use of personal data.

If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.

1. The right to be informed – This is fulfilled through our privacy notices.

2. The right of access to your personal data – You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data.  We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (e.g. by email) the personal data will be provided to you electronically where possible. In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.

3. The right to rectification – This enables you to require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date.

4. The right to erasure – This is also known as the right to be forgotten. Where either consent or legitimate interests is the lawful basis you have the right to request that we delete the personal data we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However there are exceptions to this right.  For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.

5. The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.

6. The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare UK processes about you and use it for your own purposes. This means you have the right to receive the personal data or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.

7. The right to object – you have the right to object to processing where the lawful basis is legitimate interests or a task in the public interest.  This includes based on direct marketing (including profiling) and processing for purposes of scientific or historical research or statistical research purposes. The objection must be on grounds relating to your particular situation.

8. The right not to be subject to automated decisions – (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you. GenesisCare UK does not carry out automated decision-making in relation to patients. If our policy in this respect changes, we shall update this privacy notice.

9. Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal data.  Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal data. You can do this by getting in touch with the relevant contact at GenesisCare UK or our DPO whose details are at the foot of this privacy notice.

Your right to complain to the Information Commissioners Office

You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the Information Commissioner’s Office and giving us the opportunity to respond. 

Please contact:

  • The Information Governance Manager at infogov@genesiscare.co.uk
    or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD or telephone 07795 497825 

or

  • The Data Protection Officer at DPO@genesiscare.co.uk
    or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD or telephone 07841 207263.

You can contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at casework@ico.org.uk, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call).  Website: ico.org.uk

Making a complaint will not affect any other legal rights or remedies that you have.

Queries

If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please speak with the GenesisCare Health Care Professional who is involved in your care.

You can also contact our Data Protection Officer: Email: DPO@genesiscare.co.uk or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer” or telephone 07841 207263

Updates to this Privacy Notice

We may update this Privacy Notice from time to time to ensure that it remains accurate. If these changes result in any material difference to the manner in which we process your personal data then we will provide an updated copy of the Policy and signpost you to the specific changes.

Revised November 2023