GenesisCare UK is a trading name of Genesis Cancer Care UK Limited. For the purposes of this privacy notice reference to GenesisCare UK includes the GenesisCare UK subsidiaries.
The registered office for GenesisCare UK and its subsidiaries is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. Other registration detail is as follows:
|Company name||Company registration number||Information Comissioners Office registration number|
|Berkshire Health Limited (BHL)||07238700||Z274620|
|Birmingham Prostate Clinic (BPC)||05509497||ZA441424|
This Privacy Notice
The following privacy notice sets out what information about you GenesisCare UK collects, how that information may be used, the lawful basis for processing and who it will be shared with. We also explain for how long it will be retained, how we will secure it, and your legal rights.
This Privacy Notice applies to the following groups of individuals:
- Consultants who have applied for, currently hold or have held Practising Privileges with GenesisCare UK
- External Individuals such as Oncologists, Surgeons, GPs, etc. who do not hold Practising Privileges with GenesisCare but have expressed an interest in or refer into GenesisCare UK
- Medical Secretaries and Health and Care Professionals and Workers who are not employed by GenesisCare (we will only collect minimal information for this group, relevant to the business relationship).
The information we collect and use
We are committed to respecting and protecting your privacy whenever we use your data.
Types of data
|Personal Data||Personal data means any information relating to an identifiable person who can be directly or indirectly identified for example by a name, an identification number, location data, date of birth, etc.|
|Special Category Personal Data||This data has extra safeguards apply to its processing. It is data about an individual’s racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; sex life or sexual orientation; health, including genetic and biometric data where processed to uniquely identify an individual.|
|Pseudonymised Data||This is where data has been masked so that it can no longer be attributed to a specific data subject without the use of additional information (‘the key’) which is kept separately and securely. This data type is processed as personal data.|
|Anonymised Data||If data has been turned into a form which does not identify individuals, and where the risk of re-identification is extremely low, data protection legislation does not apply.|
Anonymised data which has been grouped together to provide statistics.
Lawful basis for processing your data under GDPR UK
|Lawful processing of personal data||Article|
|You have given clear consent for the processing of your personal data for a specific purpose||6(1)(a)|
|Processing is necessary for the performance of a contract we have with you, or because specific steps are required before entering into a contract||6(1)(b)|
|Processing is necessary for us to comply with a legal obligation||6(1)(c)|
|Processing is necessary to protect someone’s life||6(1)(d)|
|Processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law||6(1)(e)|
|Processing is necessary for our legitimate interests or the legitimate interests of a third party and our interests are not overridden by your interests or fundamental rights and freedoms||6(1)(f)|
|Lawful processing of special categories of personal data||Article|
|You have given explicit consent to the processing of your personal data for one or more specified purposes|
|Processing is necessary in the context of employment law, or laws relating to social security and social protection|
|Processing is to protect the vital interests of an individual where consent is physically or legally incapable of being given|
|Processing is carried out in the course of the legitimate activities of a charity or not-for-profit body|
|Processing relates to personal data which you have made public|
|Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity|
|Processing is necessary for reasons of substantial public interest, proportionate to the aim pursued and protecting the rights of individuals|
|Processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services|
|Processing is necessary for reasons of public interest in the area of public health|
|Processing is necessary for archiving purposes in the public interest, subject to appropriate safeguards|
The table below describes the data we handle and what we need it for. It also explains the basis we can rely on to request and retain data about you as well as who it will be shared with.
Sometimes, we may be required to share personal data to comply with a statutory obligation, a court order or for the prevention or detection of a crime or apprehension of an offender.
How we obtain your information
We obtain your personal data either directly from you or through a third party whom you have nominated to provide us with information, such as a referee.
GenesisCare UK works closely with Consultants and External Individuals to support the delivery of our services and we will look to identify potential compatible business opportunities. We do this by collecting information, for example:
- Directly from you i.e. if you apply for practising privileges or would like to work with GenesisCare
- Where available in the public domain such as Consultant Finders, professional profiles, social media channels
- Through recommendations and third party service providers such as Wilmington Healthcare
- On CCTV images
International transfers of your personal data
GenesisCare UK is part of a global organisation and we (or third parties acting on our behalf) may store or process personal data within the GenesisCare group of companies for administrative and management purposes. This processing is based on our own or a third party’s legitimate business interests.
As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.
Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:
- Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
- Implementing Standard Contractual Clauses; and
- Adopting technical, organisational and contractual measures, where required, having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.
In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:
- You have explicitly consented to the proposed transfer; or
- The transfer is necessary for the performance of a contract.
In all cases any transfer of your personal data will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal data when making international transfers, please contact the DPO, details at the end of this Privacy Notice.
Data Protection Designation
The data protection designation (e.g., controller, joint controller, processor) will depend on the circumstances and may change if relationships alter. Please seek further information from the Data Protection Officer (DPO) if required, details at the end of this privacy notice.
The controller of your personal data will generally be GenesisCare UK or its applicable subsidiary.
Where we share information with third party suppliers working under our instructions (i.e., suppliers who act as processors of the data we share for the purposes outlined in the table), we ensure that strict contractual arrangements and safeguards are in place. These companies have no right to use your information except on our behalf for the specified purposes or when required to do so by law.
In certain circumstances GenesisCare and a third party will be a joint controller of your data. This is where GenesisCare and a third party will jointly determine the means and purposes of the processing. Examples of where joint controllership may occur are where your data is used for:
- Education and conferences
- Where you have agreed to take part in a publication or website article, e.g. patient
- Digital marketing activities
- Other healthcare organisations
- Social media and professional networking organisations
- eMDT activities
- Research activities where GenesisCare UK has determined the means and the purposes
- Management of our subsidiary and affiliated entities and related activities (e.g. provision of systems, services and support).
We will secure your information by:
- Establishing a network of individuals across the organisation who are accountable and responsible for information risk management
- Existence of various organisational measures including policies and procedures, providing regular training in handling personal data lawfully and conducting regular compliance checks
- Technical measures including lockable rooms, cabinets, individual log in credentials, encryption and secure disposal of confidential waste
- Ensuring only appropriate individuals have access to relevant and proportionate information about you
- Carrying out checks on third parties who process personal data on our behalf.
We retain records in accordance with our Records Lifecycle and Retention Procedure which is based on legal and best practice requirements. When the retention period expires the record will be securely destroyed. The following are examples:
Rights of access, correction, erasure, and restriction
Under data protection law you have a number of specific rights in relation to the personal data that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting the DPO, details at the end of this privacy notice, without adversely affecting you.
We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why. Unless there are grounds for extending the statutory deadline we will respond within one month of receipt of a Rights request. If the data relates to health we may be required to apply special rules to comply with data protection legislation.
1. The right to be informed – This is fulfilled through our privacy notices.
2. The right of access to your personal data – You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data. We will usually provide you with your personal data in writing unless you request otherwise. If you have made the request electronically (e.g. by email) the personal data will be provided to you electronically where possible. In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.
3. The right to rectification – You can require that incomplete information is completed, or incorrect information is corrected. This ensures your information is accurate and up-to-date.
4. The right to erasure – This is also known as the right to be forgotten. In some circumstances, you have the right to request that we delete the personal data we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. If we have disclosed the personal data in question to third parties, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. However there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
5. The right to restriction of processing – In some circumstances you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it other than in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest. We are able to retain just enough information about you to ensure that the restriction is respected in future.
6. The right to data portability – Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare UK processes about you and use it for your own purposes. This means you have the right to receive the personal data or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.
7. The right to object – You have the right to object to processing based on our legitimate business interests (including profiling), direct marketing (including profiling) and processing for purposes of scientific or historical research or statistical research purposes. The objection must be on grounds relating to your particular situation.
8. The right not to be subject to automated decisions – This relates to decisions that are made about you by computer alone that have a legal or other significant effect on you. GenesisCare UK does not carry out automated decision-making in relation to the processing of your data. In the event that our policy in this respect changes, we shall update this privacy notice.
9. Your right to withdraw consent – In some cases to comply with data protection legislation we need your consent in order to use your personal data. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your personal data. You can do this by contacting the DPO, details below.
Information Commissioners Office
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, for example if you are unhappy with the way that we have dealt with a request from you to exercise your rights, or if you think we have not complied with our legal obligations.
Whilst you are not obliged to do so, we would appreciate you making us aware of any issue prior to notifying the ICO and giving us the opportunity to respond. Please contact the DPO, details below.
Making a complaint will not affect any other legal rights or remedies that you have.
Questions and queries
If you have any queries or would like to exercise your rights or to establish whether any rights apply to you, please contact: the GenesisCare Information Governance Manager at firstname.lastname@example.org, or at GenesisCare, 69 Alma Rd, Windsor SL4 3HD. Telephone 01753 418444.
If you have any questions about this privacy notice or how we handle your personal data please contact the relevant DPO:
Revised September 2023