GenesisCare UK has updated its privacy notice to reflect compliance with data protection law (current and future) and any secondary legislation and guidance implemented or issued as a result of these.

About GenesisCare UK

 
GenesisCare UK is a trading name of Genesis Cancer Care UK Limited. We are a specialist provider of cancer care diagnostic and treatment services in the UK. Our company registration is 05796994 and our registered office is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. GenesisCare is registered with the Information Commissioner's Office, registration number Z9493925.
This privacy notice applies to anyone who asks about, buys or uses our services in any way (for example, by email, through our website, or by telephone). We take privacy seriously and we want you, as our service user, to understand the information we collect about you, how we process and protect the personal information which we collect about you, from you and from third parties, so that you can be confident that the information is being used safely and in ways that are reasonably expected, and what rights you have in respect of your personal information.
When we refer to ‘we’, ‘us’ and ‘our’, we mean GenesisCare UK.

What information do we collect and use?

 
We will collect personal information which can include:

  • your name,
  • date of birth,
  • your contact details
  • your GP details
  • financial information, such as credit card details used to pay us
  • emergency contact details
  • family details, lifestyle and social circumstances, where relevant to your care
  • information recorded on CCTV (Closed circuit TV)

The contact details we collect are: telephone contact details, so that we can call you, text you or leave a message; and postal and email addresses, so that we can send you invoicing information where relevant, and which we may use to send confidential health information unless you have told us not to.

We will ask you to provide your payment card details in order to fund your treatment where you are self-funding or to cover costs in the event of a shortfall of funds from insurers.

We will ask you for details of an emergency contact, with whom we can share information about the progress of your treatment and contact in the event of an emergency. By providing emergency contact details, you are giving us permission to keep him or her informed. It is your responsibility to notify us of any change to these emergency contact details so that we can ensure they are kept up-to-date and accurate. Where you provide us with information about other people, you must make sure that they have seen a copy of this privacy notice and are comfortable with you giving us their information.

CCTV recording is in use at some GenesisCare UK locations. It is used only to ensure the security of property and premises and for the purposes of preventing and investigating crime. Areas monitored by CCTV are sign-posted. The information processed can include visual images, personal appearances and behaviour. Where necessary or required, this information is shared with you, employees and agents, service providers, police forces, security organisations and persons making an enquiry.

We may also collect more sensitive information about you such as about your current or previous health, your sex life or sexual orientation, your religion, race or ethnicity and genetic information relating to you. This may also include details of healthcare services provided previously by GenesisCare UK or by other healthcare providers and include details of any medication you have been prescribed. In this Privacy Notice, we refer to this sort of information as special categories information.

GenesisCare UK collects ethnicity data about you upon registration with us. We use this data in an anonymised format to:

  • Identify any risk factors for ethnic groups, as some ethnic groups are more at risk of specific diseases
  • Support the clinical management of conditions
  • Provide insight into ethnicity that can be used to assist with diagnosis
  • Understand any specific needs of patients from different ethnic groups
  • Audit and ensure equality of access to our services
  • Continually improve our services.

Access to and use of information concerning your physical or mental health is strictly controlled in order to ensure compliance with applicable data protection law and adherence to medical confidentiality guidance issued from time to time.

In many cases we pseudonymise or anonymise your information before we share it with others, or where we no longer require the information in identifiable form.

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.

Pseudonymisation is the processing of information in such a way that it can no longer be attributed to you without the use of additional information and where that additional information is kept separately. This allows for a much wider use of the information for statistical or other purposes.

Who do we collect information from?

Directly from you

Information may be collected directly from you to support your direct care and treatment. This information can be collected when:

  • You register for your provision of healthcare with GenesisCare UK
  • You use our services
  • You complete enquiry forms on GenesisCare UK websites
  • You submit a query to us including through our website, by email or by social media
  • You correspond with us by letter, email, telephone (calls from/to patients may be recorded for the purposes of staff training, customer service development and quality improvement) or social media, including where you reference GenesisCare UK in a public social media post
  • You take part in our marketing activities

From other healthcare providers

In order to provide you with the best possible care, we collect personal information about you from other providers. These can include:

  • Records from your GP
  • Records from other healthcare providers who have previously provided treatment to you (this can include both private organisations and the NHS)
  • Records from your consultant (including those provided through their medical secretaries)
  • Information from other service providers who work with us in relation to diagnostics, care and treatment provided to you

From other third parties

We may collect information about you from third parties when:

  • You are referred to us for healthcare services
  • We liaise with current or former other service and support providers
  • We liaise with your emergency contact or family
  • We communicate with your medical insurance policy provider
  • We instruct debt collection agencies
  • We communicate with government agencies such as social and welfare organisations where it is legally required for the safety of the individual concerned, for example safeguarding

What is your information used for?

We use your information for a number of purposes. Whenever we use your information, we must have a legal justification under data protection law for its use. The legal justification will depend on the purpose for which we intend using your information.

Our legal justification for processing your Personal Data generally falls into the categories below:

  • Necessary for you to receive healthcare services
  • Necessary to fulfil our contract with you for the provision of care and treatment
  • Necessary to comply with the law – This applies where we have a legal or regulatory obligation to use your personal information
  • Necessary for our Legitimate Interests – This means where our business interests justify us using your information and that business need does not impact unjustly on your rights as an individual
  • Necessary to establish, exercise or defend legal claims
  • You have provided your consent to our use of your personal information

You will find details of our legal justification for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications which allow us to do so. As well as setting out a legal justification, we also explain an additional lawful condition for use of special categories of personal information.

Failure to provide your information further to a contractual requirement with us or a consultant may mean that we are unable to set you up as a patient or facilitate the provision of your healthcare on GenesisCare UK’s systems.

Purpose 1: The provision of healthcare and related services and the fulfilment of a contract with you for the provision of these services;
When you come to us for care and treatment, we have to use your personal information in order to provide this.

Purpose 2: Payment and accounting purposes;
This is necessary to enable us to provide you with healthcare and treatment and to fulfil our contract with you for the provision of such care. We use your personal information to ensure our accounting and invoicing activities are accurate and up-to-date. We have an appropriate business need to use your information which does not overly prejudice you. This supports the provision of your healthcare and is necessary for us to establish, exercise or defend our legal rights.

Purpose 3: Clinical audit, research and clinical trials purposes
Clinical Audit
We are accountable for ensuring safe clinical and operational practices are implemented and maintained. We undertake regular audits of compliance to ensure the delivery of standards of treatment, for quality assurance, to ensure services can meet patient needs in the future and to assess adherence to policy and procedure. We do this on the basis of a legitimate and appropriate business interest and the public interest in statistical and scientific research, and with appropriate safeguards in place.

One of the national programmes we are legally obliged to participate in is operated by the Private Healthcare Information Network (PHIN). PHIN collects and publishes information about the activity and performance of healthcare providers and doctors providing private care. PHIN has its own privacy notice which can be accessed via its website. Whilst the information we are obliged to provide includes some of your personal data, PHIN cannot identify you from it. Any information that is published by PHIN will always be in an anonymised statistical form and will not identify you.

We may also be asked to share information with UK registries for which ethical approval is not necessarily required but which form part of the National Clinical Audit programme. GenesisCare UK provides information to the National Cancer Registration and Analysis Service (NCRAS) which promotes research, monitoring and the improvement of cancer care. This will remain an opt-out scenario, and to opt out you will need to contact the NCRAS; a leaflet is provided in your welcome pack with the contact details.
We will collect your data to support national data collections and Information Standards such as the National Radiotherapy Dataset. The purpose of this collection is to support consistent data and inform the planning, provision and commissioning of radiotherapy services.

We may do so without your consent provided that the particular audit registry or data collection has received statutory approval, or where the information will be provided in a purely anonymous form, otherwise your consent will be needed. Where your consent is required, the registry organisation may have consent processes of their own, otherwise we will obtain that consent from you.

Research
GenesisCare UK also participates in medical research and shares data with ethically approved third party research organisations.
We will share your personal information only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects and/or registries have received statutory approval such that consent may not be required in order to use your personal data.
In the event that consent is required, either the research organisations themselves will obtain this from you or we will obtain consent from you.
Where your consent is not required, we have a legitimate interest in helping with medical research and have put in place appropriate safeguards to protect your privacy. The use is necessary in the public interest for statistical and scientific research purposes.
GenesisCare UK works with other organisations to support the development of technological innovations for patient treatment and to monitor the patient and organisational outcomes. We will share your personal information only to the extent that it is necessary to do so, and only where adequate safeguards are in place.

Clinical Trials
You may be advised or recommended to participate in a clinical trial. Your consultant will explain how your data is shared with the organisation running the trial, and as part of the sign-up to the trial you will be asked to consent to this data sharing.

Purpose 4: Communicating with you and the resolution of queries, concerns or complaints you may have
You may raise queries, concerns, or even make complaints with GenesisCare UK and we take those communications seriously. It is important that we resolve such matters properly and fully to the satisfaction of all concerned, and we will need to use your personal information to do so. We do this in order to provide you with healthcare and treatment, manage our services and we have an appropriate business interest which does not overly prejudice you. This use is also necessary for us to establish, exercise or defend our legal rights.

Purpose 5: Communicating with individuals that you authorise us to keep informed about your care and updating other healthcare professionals about your care.
When registering you for care or treatment, we will ask you for details of an emergency contact, with whom we can share information about the progress of your treatment and contact in the event of an emergency. By providing emergency contact details, you are giving us permission (consenting) to keep him or her informed.
Other healthcare professionals or organisations may need to know about your treatment in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. We have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in your care have full details of your treatment. The use is necessary for reasons of substantial public interest under UK law. This use is also necessary for us to establish, exercise and defend our legal rights.

Further details on the third parties who may need access to your information are set out below.
GenesisCare UK has a legal obligation under the Health & Social Care Act 2015 to use your NHS number where reasonably available, and this unique identifier will be used for all data sharing associated with facilitating the care of NHS patients.

Purpose 6: Compliance with legal and regulatory requirements and the establishment, exercise or defence of legal claims.
As a provider of healthcare, we are subject to a wide range of legal and regulatory responsibilities. Where we are required by law or by regulators to provide personal information, the use is necessary for the provision of healthcare or treatment and the management of healthcare systems and we have a legal obligation to do so. In the unlikely event that GenesisCare UK or its consultants are the subject of legal actions or complaints it is necessary to access your personal information in order to investigate and respond to those actions (limited to the extent necessary and relevant to the subject-matter) to enable us to establish, exercise or defend our legal rights.

Purpose 7: Quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers) including conducting post treatment surveys
GenesisCare UK is a quality-conscious organisation. We look to learn from you to improve the experience of future patients where possible. We will use your personal information to identify where improvements can be made, such as reviewing recorded phone calls to assess whether anything can be learnt and asking for your opinion on your experience with GenesisCare UK. We have an appropriate business need to use your information which does not overly prejudice you. We need to use the information in order to manage the healthcare services we deliver and in order to identify and carry out any necessary improvements.

Purpose 8: Management of our business operations, such as maintaining accounting records, analysis of financial results, internal audits, seeking and obtaining professional advice (e.g. tax or legal advice). We have an appropriate business need to use your information which does not overly prejudice you and the use is necessary for us to comply with our legal obligations. In the event that we use special categories information about you for this purpose, it would be because the use is necessary for the provision of healthcare or treatment or the management of healthcare services and systems or the use is necessary to establish, exercise or defend legal claims.

Purpose 9: Transferring your records in connection with any sale, transfer or disposal of our business. If we were to sell or transfer a centre or part of our business to another organisation, your patient records would also transfer to the new owner. Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. Your records would be transferred to minimise the disruption to current and past patients caused by the sale or transfer and to ensure that we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.

Who Do We Share Your Information With?

It is important that you understand that we may share your information with others. We may share your personal information within our group of companies and with third parties.

Sharing within the GenesisCare group
We may share your personal information within the GenesisCare group of companies.

Sharing with your medical consultant
As a GenesisCare UK patient, your treatment may be provided by a medical consultant. Medical consultants who provide you with care are required by law to maintain records about your health and any treatment or care you have received. They also make decisions about what information is collected about you, and may maintain their own set of medical records in relation to the treatment that they provide as well as sharing the records relating to your care and treatment that GenesisCare UK maintains. Consultants control this information which means they must individually comply with the data protection legislation and relevant guidance when handling your personal information and should therefore also make available to you their own privacy notice. In respect of your direct health care and treatment received through GenesisCare UK, GenesisCare UK jointly controls your information with your consultant. This means that as joint controllers, together we determine the means and purpose of processing your information for your care and treatment.

Consultants who work with GenesisCare UK (including their medical secretaries) are expected to handle your personal data in accordance with the principles set out within this Privacy Notice. This means that whenever they use your personal data, they will do so as set out in this Privacy Notice. In addition, GenesisCare and Consultants are required to adhere to the Joint Patient Data Sharing and Management Policy which we can provide to you upon request.

Consultants working with GenesisCare UK (including their medical secretaries) may process your personal information at a non-GenesisCare UK site.

If you want to find out more about the arrangements between GenesisCare UK and consultants for handling your information please let us know by contacting our DPO.

Sharing with your private medical insurer
Where the cost of your treatment and care is covered by insurance, we share your information with your insurer or the administrator of the applicable scheme of insurance. Both GenesisCare UK and your insurer are controllers of this personal information. This means that each of us individually may determine the means and the purpose of any processing of the information we hold.
Generally, we share information in order to allow each other to exercise its rights or comply with its obligations under the healthcare services arrangement we have in place, and in the case of the insurer, to manage claims and administer the schemes for insured members.
Specifically, your information may be used in the following shared activities:

  • The provision of clinical quality information
  • The pre-authorisation of treatment on your behalf
  • Invoicing for services provided
  • The notification of any serious incidents
  • Assisting and cooperating in the investigation of any member complaints
  • Allowing your insurer to inspect and audit our facilities

You may exercise your rights against either GenesisCare UK or your insurer where we are both controllers of the same information for the same processing purpose. Where we independently hold further information, or process information for purposes in addition to the shared purposes stated above, you should direct any communication concerning your rights to the applicable holder/processor.

Sharing with third parties
We may share your personal information with the third parties listed below for the purposes identified within this privacy notice:

  • A doctor, nurse, carer, pharmacist, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests or any other healthcare professional involved in your treatment
  • Other members of support staff involved in the delivery of your care, like receptionists and medical secretaries
  • Anyone that you ask us to communicate with or provide as an emergency contact
  • NHS organisations
  • Other private sector healthcare providers
  • Your GP
  • Voluntary organisations providing on-going support
  • Ancillary service and support providers where you opt to accept those services, such as the GenesisCare Exercise Clinic, counsellors and therapists
  • Taxi providers where transport assistance for treatment is provided for insured patients
  • National and other professional research/audit programmes and registries, as identified under Purpose 3 above
  • Government bodies and local authority departments
  • Our regulators, like the Care Quality Commission
  • The police and other third parties where reasonably necessary for the prevention or detection of crime
  • Our insurers
  • Debt collection agencies
  • Third parties to the extent required by law, regulation or court orders and statutory requests for information
  • Service providers we use to support our business. These processors are trusted partners that work with us and are authorised to use your personal information only as necessary to provide these services to us. We require these third parties to comply strictly with our instructions and data protection law and we ensure appropriate controls are in place. We enter into written contracts with all our processors
  • Our third party service providers such as auditors, lawyers, marketing agencies and tax advisers
  • Selected third parties in connection with any sale, transfer or disposal of our business

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

How long do we keep your personal information for?

We retain information in accordance with our legal obligations and national best practice. We ensure compliance through regular auditing and ensure information is securely disposed of when it has reached the end of its retention period. We implement data retention periods for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods. We will only keep your personal information for as long as reasonably necessary in order to support patient care and continuity of care; support evidence-based clinical practice and to assist clinical and other audits; to support our legitimate business interests and to comply with our legal and regulatory requirements.

GenesisCare UK’s retention policy for most medical records is 30 years. A copy of the policy can be provided upon request.

International transfers of your personal information

GenesisCare UK is part of a global organisation. We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the UK. Information may be transferred, processed and stored outside the country where your information is collected, including to countries where the level of data protection may not be deemed adequate by the local legal or regulatory authority in the country of origin of the data. Where we make a transfer of your personal information outside of the UK we will take the required steps to ensure that your personal information is protected.
For example, if your permanent address is outside the UK, or your treatment is continuing outside the UK, we may send details of your treatment to individuals specifically to promote your ongoing care.

We also process personal information within the GenesisCare group of companies for administrative and management purposes. The group companies are located in Spain and Australia. This processing is based on our own or a third party’s legitimate business interests and the following safeguards are in place to ensure that the data is securely protected:

  • the country to which we send the personal information may be approved by the European Commission, or
  • the recipient may have signed a data sharing agreement or contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information.

In other circumstances, the law may permit us to otherwise transfer your personal information outside the EEA. In all cases, however, any transfer of your personal information will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal information when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.

Your Rights and Your Personal Information

Under data protection law you have a number of specific rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out at the top of this privacy notice and without adversely affecting your care.

We will not usually charge for handling a request to exercise your rights.
If we cannot comply with your request to exercise your rights we will usually tell you why.

There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act as well as any secondary legislation which regulates the use of personal information.

If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.
1. The right to be informed – This is fulfilled through our privacy notices.
2. The right of access to your personal information – This includes details of the information we hold about you. You are usually entitled to a copy of the personal information we hold about you and details about how we use it. Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible. Please note that in some cases we may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you. The information will normally be provided free of charge and, unless there are grounds for extending the statutory deadline, the information will be provided to you within one month of receipt of your request. Please note we will generally also ask for confirmation of your identity and may need further information from you in order to locate the information, in which case the time period for providing the information to you starts from the date we have that detail.
3. The right to rectification – This enables you to require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date. Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a rectification request.
4. The right to erasure – This is also known as the right to be forgotten. In some circumstances, you have the right to request that we delete the personal information we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.
For example, we do not have to comply with your request if:

  • it is necessary to keep your information for reasons of public interest, including public health,
  • for the purposes of establishing, exercising or defending legal claims,
  • where we have overriding legitimate business interests for processing the information,
  • where the processing is necessary for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services and where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional), or
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes where the right is likely to render impossible or seriously impair the achievement of the research objectives.

If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
5. The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.
6. The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare UK processes about you and use it for your own purposes. This means you have the right to receive the personal information or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.
7. The right to object – you have the right to object to processing based on our legitimate business interests (including profiling), direct marketing (including profiling) and processing for purposes of scientific or historical research or statistical research purposes. The objection must be on grounds relating to your particular situation.
8. The right not to be subject to automated decisions – (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you. GenesisCare UK does not carry out automated decision-making in relation to patients. In the event that our policy in this respect changes, we shall update this privacy notice.
9. Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal information.
Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal information. You can do this by contacting our DPO whose details are at the foot of this privacy notice.
10. Your right to complain to the Information Commissioner’s Office – You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the Information Commissioner’s Office and giving us the opportunity to respond. You can contact either the Information Governance Manager or the Data Protection Officer using the postal address at the top of this Privacy Notice.
More information can be obtained at:
Website: https://ico.org.uk/
Telephone: 0303 123 1113
Making a complaint will not affect any other legal rights or remedies that you have.

Securing your data

We have implemented appropriate technical and organisational security to protect your personal information. This includes:

  • Ensuring our staff complete regular training
  • Ensuring personal information is only accessible and shared with individuals that have a need to access it
  • Implementing physical access controls within our facilities and technical controls such as encryption
  • Using information about you that does not uniquely identify you, where appropriate
  • Where personal information is transferred outside of the UK, we will ensure there are appropriate security measures in place to protect the data in accordance with UK Data Protection Laws.
  • All of our employees are bound by the Common Law of Confidentiality. This means they have a legal duty to keep your information confidential and secure.

Please contact us if you require further information about how we secure your data.

Queries

If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please speak with the GenesisCare Health Care Professional who is involved in your care.
You can also contact our Data Protection Officer:
Email: DPO@genesiscare.co.uk or by writing to the address at the top of this privacy notice, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer”
Telephone: 0808 1569 565

Updates to this Privacy Notice
We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy and signpost you to the specific changes.


Data Protection Impact Assessments

Data Protection Impact Assessments are a process which helps organisations to identify and minimise the data protection risks of data processing activities undertaken.

GenesisCare has completed Data Protection Impact Assessments for the following initiatives:

 

Initiative – Date approved

  • Patient management and electronic prescribing platform – February 2018
  • Cloud-based service application for human resources management – February 2018
  • Accounting software for processing financial data relating to sales, purchases, assets, debtors etc – September 2018
  • Storage, sharing and collaboration tools for use amongst individuals working for and on behalf of GenesisCare – September 2018
  • Occupational health services for GenesisCare employees – September 2018
  • Software as a Service event management solution – September 2018