Data Privacy Notice and Consent Form for Patients
Privacy notice and consent form The Breast Clinic Ltd. V2.0 2024
The Breast Clinic Ltd. (“We”, “Us”, “Our”) is committed to protecting information through appropriate controls, to being transparent about what data we hold and how we use it, and to respecting Your privacy. “You” (“Your”) are Our patient to whom We provide services, or are considering entering into an agreement with us for the provision of Our services.
The rules on processing of personal data are set out in the General Data Protection Regulation (“GDPR”). The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organisational Measures” used below shall be interpreted in accordance with the GDPR.
This policy sets out the basis on which any Personal Data we collect from You, or that You provide to Us, will be processed by Us.
The Breast Clinic Ltd. is a company registered in England under number 07185228 whose registered office is 47 Park Rd., TW12 1HX.
The Personal Data we collect from you includes but is not limited to the following:
When you enquire about our services, We will request Personal Data such as your name, date of birth, email address and telephone numbers and information about you to help Us to register you to see a doctor and to contact You with further information such as results of tests and investigations. When you register with the Practice we will request detailed medical information relevant to you. This information is stored on Semble Practice Management Software which provides secure and GDPR compliant storage of your medical records. We will only collect the minimum amount of data from you needed to contact you and communicate with you (Name, date of birth, contact email and number) and not information that can be used to market or sell to you in any way.
Semble processes relevant to your data and privacy include:
- Encrypted emails – Encrypt emails and attachments in transit and at rest, and add multi-factor authentication and policy controls for additional security.
- Data subject access requests – Investigate and manage all data access requests and export patient notes to ensure that any data subject access requests can easily be completed within the 1-month mandatory timeline.
- Data auditing – Reporting functionality to assess, monitor and report on how, when and where your data is accessed.
- Digital consent capturing – Capture and record patient consent for the collection, use and sharing of their personal data within Semble Practice Management Software.
Any medically sensitive, patient identifiable information, such as letters of correspondence, test results or any direct email communication with you, will be sent using a secure encrypted service offered by Semble Practice Management Software or via Egress Switch. This will require you to register one time to be able to view and respond to emails in this fashion. Further details on Egress Switch can be found at www.switch.egress.com.
If you visit our website and make enquiries through this portal, Your usage may be tracked by using “cookies” and other similar technologies to help us make improvements to the websites and to the services we make available. Please see the Cookies section below for more information.
When we receive or make phone calls on your behalf, We will collect call data records including the calling line Identity passed, the call date and time, the number dialled and the duration of the call, the names of the parties to the call, and any message or other information given during the call.
Where we receive or send emails on your behalf, we may collect the names and email addresses of the third parties and any information contained therein.
If we receive or send paper documents or other forms of communication on Your behalf, We may collect the names and addresses of the third parties and any information contained therein. When you access our web portal, We will collect information you enter into the portal and the IP addresses from which you access the portal. When you correspond with us by phone, email or otherwise, We will collect all information provided by you and
Where we provide relevant services to you, such as referral to specialists or referral to allied health practitioners, we will provide you with these in encrypted format.
We will NOT at any time share any of your information with any third party for the purposes of marketing, advertising, website testimonials without specific consent.
In compliance with GDPR Article 6 (“processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract”), We will use the Personal Data for purposes that include but are not limited to:
- Processing any enquiries you have about our services;
- verifying your identity when you use Our services or contact Us;
- understanding, processing and executing instructions You give Us in relation to the delivery of our services;
- delivering our services to you;
- notifying you about changes to our websites, services or terms and conditions or anything else We may be required or reasonably expected to notify you of;
- providing You with accurate and detailed billing for using Our services;
- collecting payment, and recovering any monies you may owe to us for use of our services.
In compliance with GDPR Article 6 (“processing is necessary for compliance with a legal obligation to which the controller is subject”), We will use the Personal Data for purposes that include but are not limited to:
- maintaining our business records and accounts;
- meeting our obligations to HMRC;
- preventing or detecting a crime, fraud or misuse of our services, and investigating where we believe any of these have or may have occurred;
- meeting our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the London Local Authorities Act 2007;
- meeting Our obligations under the Data Retention (EC Directive) Regulations 2009; and
- providing phone number portability under Ofcom’s General Conditions.
In compliance with GDPR Article 6 (“the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes”), if You have given and not withdrawn consent We may use the Personal Data for these purposes:
- to provide you with information about our other services, offers or products that you may be interested in; and
- to provide you with information about third party services, offers or products that you may be interested in.
Whilst storing your data we will use Appropriate Technical and Organisational Measures to keep Personal Data secure and to prevent it being accidently lost, accessed or used in an unauthorised way, altered or disclosed. We will make reasonable efforts to ensure the data is accurate and up-to-date and will undertake to rectify any inaccuracies of which We become aware without delay. All Personal Data we store is stored in the European Economic Area.
We may monitor and record Your phone conversations with Us and use this information for training and quality purposes, to ensure any verbal instructions You give Us are properly understood, to enable Us to investigate complaints, and to meet Our legal and regulatory obligations. All recordings are encrypted and securely stored shortly after completion of the phone call and access to recordings is controlled and monitored.
We may share information with third parties:
- In response to properly made requests from law enforcement agencies for the prevention and/or detection of a crime, for the purpose of safeguarding national security or when the law requires us to, such as in response to a court order or other lawful demand or powers contained in legislation;
- in response to properly made requests from regulatory bodies such as the Information Commissioner’s Office and Ofcom;
- as part of the process of selling our business;
- as part of current or future legal proceedings; and
- with a company who is assisting Us in providing services to You or who provides services to Us which enable Us to provide our services to you, examples of such services being billing and financial systems, telecommunications services and customer management systems. Where we share information with such companies, We will have contracts in place with them to ensure that they must comply with the requirements of the GDPR and any other relevant legislation to protect your information and keep it secure.
Some of the organisations with whom we may share information may be outside the European Economic Area in countries that do not always have the same data protection laws as the UK. However, we will have contracts in place with them to ensure that your information is adequately protected and we will remain bound by our obligations even when your personal information is processed outside the European Economic Area.
Where any data breach is identified that affects the information that We hold about or have processed from you, we will take urgent action in accordance with the GDPR and guidance issued by the Information Commissioner’s Office. If you identify any data breach that affects data we have passed to you, You must notify us in writing immediately and provide full information about the data affected by this breach.
The time period that we will keep information for will vary depending on what the information is used for. Unless there is a specific legal requirement to the contrary, We will keep information in a form which permits identification of Data Subjects only for as long as it is necessary for the purposes for which we process it. Once the requirement to hold the data is complete, appropriate measures will be taken to delete the data in line with the terms of the GDPR. Any physical paper documents which enter Our possession and are no longer required will be destroyed by an ISO 27001 and NAID accredited data destruction organisation.
Automated decision making based on Personal Data is not used in Our business.
Cookies
Cookies are tiny files of letters and numbers that are stored by your web browser, either temporarily within your device’s memory or more permanently on Your device’s storage. We use analytical and tracking cookies on Our main website www.thebreastclinic.co.uk as a result of using services supplied by Bing and Google. These cookies contain data including but not limited to: details of the operating system, browser and IP address of the device used to visit the website, the time and duration of the visit and which parts of Our website were visited. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. These cookies are stored on Your device’s storage for varying durations, typically around a month. When visiting Our main website You can choose to decline Our use of cookies by clicking on the “Decline” button which appears at the top of Your browser window.
We use a security cookie on Our web portal. This cookie is required for the operation of our web portal, and contains only a session security token without any Personal Data. This cookie only exists for the duration of Your web browser session in Your device’s memory. Use of this cookie is a requirement of using Our web portal. We will not attempt to personally identify visitors from their IP addresses unless required as a matter of law or regulation or in order to protect Our or Our other customers’ rights.
Data subject access request
Under the GDPR, a Data Subject has the right to request a record of the data held about him/her. To do this a request should be submitted in writing to the Practice Manager, The Breast Clinic Ltd., Cromwell Hospital, 164-178 Cromwell Road, SW5 0TU. We may ask the Data Subject to provide Us with proof of identity to make sure We are giving information to the right person.
Other rights of Data Subject
The GDPR gives Data Subjects a number of other rights including the right to request the correction or erasure of Personal Data, the right to request the restriction of processing of Personal Data, the right to request the transfer of Personal Data (to the Data Subject or a third party), and the right to withdraw Your consent to the processing at any time where consent is the lawful basis for processing.
Changes
Please note that the ways in which we collect, use and protect Personal Data will be reviewed periodically and may change from time to time. We will notify you by email should such changes occur.
Contact Us
If you have any questions about privacy issues, want Us to update Your marketing preferences, or amend information, please contact Us either by email at pa@thebreastclinic.co.uk or by post at Cromwell Hospital, 164-178 Cromwell Road, SW5 0TU.
Complaints
In the first instance, please contact Us using the details above. If this does not resolve your complaint to your satisfaction, you have the right to complain to the Information Commissioner about the way in which we collect and use Your Personal Data. You can do so online at https://www.ico.org.uk/concerns, by telephone on 0303 123 1113, or by writing to ICO, 100 College Road, Harrow, HA1 1BQ.
We are registered with the ICO under reference number Z3154711.
I agree to the collection and processing of my data in accordance with the terms and conditions detailed above.