Privacy policy

  1. Important information

Prime Health is in compliance with the national data opt-out policy

This policy applies to patients, carers, visitors, staff members, students, recruitment candidates, clinicians/consultants, contractors/agency staff, suppliers and visitors to Prime Health website and sets out your rights under the General Data Protection Regulations (also known as GDPR) which came into effect on 25th May 2018.  We will only process your personal data under Article 6 (1) and Article 9 (2) of the GDPR.

This privacy policy is a statement of how Prime Health collects, uses, retains, and discloses your personal information (information that identifies you and is about you), also known as data.

  1. Who we are

Prime Health refers to a group of clinics operated by Prime Health Diagnostics Ltd and Medical Imaging Partnership Ltd under common ownership. Prime Health clinics (also referred to collectively as “Prime Health”, “we”, “us”, “our” in this policy) is an independent healthcare provider offering high-quality primary care, outpatient, and radiology services to both private and NHS patients. Our goal is to give both patients and referrers fast access to expert-led services.

To ensure that we process your personal information fairly and lawfully we are required to inform you about:

  • Why we need to collect your data
  • What personal data we will collect
  • How it will be used
  • Who it will be shared with
  • What rights you have in relation to the personal data we collect from you.

Within this policy, we describe instances where Prime Health is the “Data Controller” (the organisation which decides what information we collect and how it is used), and where we direct or commission the processing of data to help deliver better healthcare, or to assist the management of healthcare services.

There may be situations where Prime Health processes personal data on the instructions of another organisation or individual (i.e. when Prime Health is acting as a “data processor”), but in those circumstances, our use of data would be governed by that organisation or individual.

At Prime Health we recognise the importance of protecting personal and confidential information in all that we do, all we direct or commission, and ensure that we meet our legal duties.

  1. Why do we need to collect your data?

Within the United Kingdom information collection and use is governed by the GDPR legislation detailed above. We only collect and use your personal information according to the legal bases defined in the GDPR and for the lawful purposes of administering the business of Prime Health. The legal bases are as follows:

  • Consent: where you have given your specific consent to the processing of your personal data. You may at any time change your mind and withdraw consent, but this may mean we can no longer continue to provide services to you.
  • Performance of a contract: where the processing of your data is necessary for the fulfillment of a contract, for example, e-referrals for NHS patients are subject to a contract.
  • Compliance with a legal obligation: processing of your data is necessary by law and Prime Health is required to comply.
  • In the vital interest: we may process your personal data in order to protect your vital interests, for example in providing emergency treatment or care should it be required.
  • Public interest: we may process personal data in order to complete a task carried out in the public interest.
  • Legitimate interest: we may process your personal data where we have a legitimate “business” interest in processing that information.

The table below shows the purposes and the associated legal basis under which we process your personal data:

Reason for processing  Legal basis for processing 
Accounting and auditing
  • Compliance with legal regulations that apply to us
  • Legitimate interest: improving services; preventing fraud
Advertising and public relations
  • Consent
  • Legitimate interest: keeping our records up to date; working out which of our products and services may interest you and telling you about them
Conducting analysis and research activities
  • Consent
  • Legitimate interest: to improve and develop our services and care
Consultancy and advisory services
  • Performance of a contract
Directing Prime Health activities
  • Legitimate interest: for Board members and members to effectively discharge their duties
Education and training for staff members
  • Legitimate interest: to ensure that staff have the correct competency to fulfil their role
Employment and staff administration
  • Performance of a contract
Healthcare administration and services
  • Performance of a contract
Invitation to meetings and other events
  • Consent
Medical records management
  • Compliance with legal regulations that apply to us and our contractual duties
Management of donations and fundraising activities
  • Consent
Third-party delivery of services
  • Performance of a contract

Should your relationship with Prime Health change then the legal basis under which we hold your data may also change.

  1. What types of personal data do we collect/handle?

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts, promote our services, and to support and manage our employees. We also process personal information about healthcare professionals that deliver services within Prime Health.

The types of personal information we use:

Type of personal information  Individual group some or all the information may apply to 
Personal identity – title, name, marital status, date of birth, National Insurance number, NHS number
  • Patients, carers, visitors, employees, non-executive directors, students, recruitment candidates, clinicians/consultants, suppliers, agency staff/contractors and visitors to the Prime Health website
Contact details – addresses, landline telephone & mobile numbers, email address
  • Patients, carers, visitors, employees, non-executive directors, students, recruitment candidates, clinicians/consultants, suppliers, agency staff/contractors and visitors to Prime Health website
Family details – next of kin names, addresses and telephone numbers, relationships to next of kin
  • Patients, employees, non-executive directors, students, clinicians/consultants, agency staff/contractors
Financial details – such as bank sort code/account number, payment card number
  • Employees, non-executive directors, suppliers, clinicians/consultants, agency staff/contractors
Employment details – such as salary, annual leave, pension, benefits, discipline and grievance, payroll, tax information, performance data, occupational health data, and security clearance data
  • Employees, clinicians/consultants, agency staff/contractors, students
Education and training such as training records, qualification verification, employment history, and CVs
  • Employees, non-executive directors, clinicians/consultants, students, recruitment candidates
Details held in the patient’s record, where we hold or manage the patient’s record, such as NHS number, GP details
  • Patients
Lifestyle and social circumstances such as questions about smoking, drinking, and general lifestyle
  • Patients
Responses to surveys where individuals have responded to surveys
  • Patients, employees, clinicians/consultants, students, agency staff/contractors
Directorship/membership of other organisations or similar information in order to determine any conflicts of interest
  • Employees (Executive Directors)
  • Non-executive Directors
Fit and proper persons declarations
  • Employees (Executive Directors)
  • Non-executive Directors
Special categories of information which may include:

  • Racial and ethnic origin
  • Religious or philosophical beliefs
  • Trade union membership
  • Data concerning health
  • Genetic data
  • Biometric data
  • Data concerning a person’s sexual orientation
  • Offences (including alleged offences), criminal proceedings, outcomes, and sentences
  • Employment tribunal applications
  • Complaints, accidents, and incident details
  • Health data (including morbidity and disability)
  • Patients, employees, non-executive directors, clinicians/consultants, students, agency staff/contractors



  1. How will we use information about you?

Your information is used to ensure the delivery and improvement of our services. Prime Health is the data controller for our electronic information systems. Please note that if you see an independent healthcare practicitioner or consultants at our centres, they may act as the data controller for the consultation records.

Our systems hold personal details of all patients that have been referred via:

  • The NHS e-Referral system (for NHS patients)
  • Secure email (such as account used by General Practitioners or encrypted email if the patient was referred privately)
  • By secure fax (Safe haven)
  • MIP referral (Prime Health’s own referral portal)

The information held on these systems is used primarily for the purpose of administering healthcare services; it may however be used for other non-health-related purposes and shared with statutory bodies/organisations to enable them to fulfil their statutory obligations. We may also use the information within our systems for statistical analysis to see how the organisation is performing with respect to business targets and objectives and quality of care.

We may keep your information in a written form or on a computer. Whenever possible all information that identifies you will be removed.

5.1 For our patients, your data may be used to:

  • Manage our relationship with you
  • Register all patients onto our information systems
  • Register new referrals for existing patients on our systems, update demographic details and health records with new referral details
  • Record telephone calls made to the appointments department in relation to appointment enquiries
  • Allow the preparation of health records
  • Investigate complaints, legal claims or incidents
  • Make sure services are planned to meet patients’ needs in the future
  • Check and report on how effective Prime Health and the services it provides has been
  • Process anonymised statistical information on organisation performance
  • Address customer service enquiries made via the website

5.2 For our staff, students, recruitment candidates, contractors/ agency staff, clinicians/consultants, and suppliers, your personal data may be used to:

  • Manage our relationship with you
  • Fulfil our duty of care towards staff and communicate with you in the event of a major incident (e.g. in the event of a fire)
  • Verify employment history, qualifications, and experience
  • Validate ‘right to work’
  • Assess suitability for employment during the selection process
  • Undertake personal development of employees
  • Deliver payroll for employees
  • Fulfil our duties in respect of national insurance and tax accounting
  • Manage disciplinary and grievances
  • Undertake due diligence and risk assessment of supply chain


  1. Sharing Your Information

The information will only be shared with other individuals or organisations where there is a statutory or contractual obligation to do so, or with the agreement of the Prime Health Caldicott Guardian and Data Protection Officer. A Caldicott Guardian and Data Protection Officer are responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.

6.1 How we may be required to disclose your personal information

There are a number of reasons that we may need to disclose your personal data (to the extent necessary) in order to comply with regulation, legislation, or legal requirements. For example, this could be due to:

  • Our obligation to comply with current UK legislation
  • Our duty to comply with a court order
  • A contractual commitment to report statutory information
  • Your consent to the disclosure of your data having been provided
  • Where we are required to do so by law
  • The sharing of your data will ultimately benefit you as the data subject
  • Our obligation to comply with our regulators

In fulfilling our obligation to provide services (healthcare and other services) we may share your data with the following:

  • National Health Service (NHS) organisations
  • Referral Services
  • General Practitioners (your Doctor)
  • Imaging Exchange Portal (a web-based portal used to allow sharing of scan images between healthcare trusts/organisations)
  • Specialist consultants (medical and non-medical)
  • Public Health England (PHE)
  • Contracted third parties providing services or devices, medical and non-medical
  • Healthcare insurance providers
  • Occupational Health services (staff)
  • Companies House
  • Health & Safety Executive (HSE)
  • Communication Service (Text alert)
  • Payroll Service

6.2 Sharing of Special Category Data

Special category data (which included information relating to your health) will only be shared with third parties in accordance with our Privacy Policy. Your data (to the extent that is required) may be shared to third parties involved with your treatment or care, or in accordance with UK laws or guidelines of appropriate professional bodies. Where applicable, your data may be disclosed to any person or organisation (or their agents) who may be responsible for meeting your treatment expenses.

As part of our commitment to upholding the highest governance standards, your data  may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit of practice and audit of record management

6.3 Sharing of data with other medical professionals

We have a number of Medical professionals working with us. Some are our employees, and some are independent consultants or allied healthcare professionals (AHP’s) working in private practice at our sites under our Practicing Privileges Policy. We share clinical information about you with those medical professionals as we consider necessary for your treatment and care.

In the case of independent consultants and AHP’s, the consultant or AHP is the data controller of your personal data, either alone or jointly with us and will be required to maintain their own records in accordance with Data Protection Laws and applicable clinical confidentiality guidelines and retention periods. If an independent consultant or AHP is acting as a Data Controller, we require that they are registered with the Information Commissioner’s Office as a Data Controller.

We try to ensure that there is a single patient record for all patients completing a pathway within any of our facilities, detailed to include a complete and accurate record of the care and treatment provided for each of our patients. However, we recognise that by the nature of our work, much of your pathway will be undertaken at other facilities (eg if you have an operation), and so in certain circumstances, a consultant or AHP may also create and maintain their own records of the full pathway.

Where that is the case, we may refer you to that consultant to respond to and act on any requests from you to exercise your rights over your data under Data Protection Laws. Our Practicing Privileges agreement with independent consultants and AHP’s require them to cooperate with those requests. In all circumstances, those consultants and AHP’s will only process your personal data for the purposes set out in this Privacy Policy or as otherwise notified to you.

  1. Sharing your Information outside of the European Economic Area (EEA)

We may from time to time be required to share your information with other service providers who are outside the UK and the EU. The sharing of your information with these providers is necessary in order to provide the necessary medical device or service. The transfer of personal data internationally will be conducted with the appropriate legal mechanisms in place.

  1. How long will we keep your data for?

We will keep your personal information in accordance with NHS Digital guidance ‘Records Management Code of Practice for Health and Social Care 2016’ and for only as long as is lawfully necessary to conduct our business with you, and/or in accordance with our legal obligations for data retention.

  1. Your rights

GDPR gives a number of rights over your data, subject to certain criteria being met. These are:

  • Right of access to your personal information and supplementary information (for example your medical record). Once we have received your request, we will respond within 30 days. This information will be sent to you free of charge.
  • Right to rectify/amend your personal information if it is incorrectly recorded. You have the right to question any information we hold about you that you think is wrong, out of date, or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it.
  • Right to object and Right to be forgotten. You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if it is no longer needed for the purpose it was collected or otherwise processed. This is known as the ‘right to erasure’ or ‘right to be forgotten’.
  • Right to restrict the use of your personal information if:
  • It is not accurate;
  • It has been used unlawfully but you do not want us to delete it;
  • It is not relevant anymore, but you want us to keep it for use in legal claims; or
  • You have already asked us to stop using your personal information, but you are waiting for us to assess your request and confirm whether we are permitted to continue using the personal information under data protection law.
  • Right to obtain your personal information in a portable format
    You have the right to get copies of your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information to other organisations.

You have the right to complain to the Information Commissioner’s Office (ICO) which can be found at It has enforcement powers and can investigate compliance with data protection law.

  1. Freedom of information

Prime Health is not a public authority and is not governed by the Freedom of Information Act.

  1. Changes to this policy

We may revise this privacy policy from time to time. Any changes we may make to our privacy policy in the future will be posted on our website. The policy was last updated on 09 May 2022.

  1. Contact Us

To exercise your rights under GDPR please contact our Data Protection Officer by email to or by writing to Data Protection Officer, Prime Health, Unit 7, The Pavilions, Brighton Road, Pease Pottage, RH11 9BJ. Questions, comments, and requests regarding this privacy policy are also welcomed.