Prime Health is in compliance with the national data opt-out policy
This policy applies to patients, carers, visitors, staff members, students, recruitment candidates, clinicians/consultants, contractors/agency staff, suppliers and visitors to the Prime Health website and sets out your rights under the General Data Protection Regulations (also known as GDPR) which came into effect on 25th May 2018. We will only process your personal data under Article 6 (1) and Article 9 (2) of the GDPR.
Who we are
Prime Health refers to a group of clinics operated by Prime Health Diagnostics Ltd and Medical Imaging Partnership Ltd under common ownership. Prime Health clinics (also referred to collectively as “Prime Health”, “we”, “us”, “our” in this policy) is an independent healthcare provider offering high-quality primary care, outpatient, and radiology services to both private and NHS patients. Our goal is to give both patients and referrers fast access to expert-led services.
To ensure that we process your personal information fairly and lawfully we are required to inform you about:
- Why we need to collect your data
- What personal data we will collect
- How it will be used
- Who it will be shared with
- What rights you have in relation to the personal data we collect from you.
Within this policy, we describe instances where Prime Health is the “Data Controller” (the organisation which decides what information we collect and how it is used), and where we direct or commission the processing of data to help deliver better healthcare, or to assist the management of healthcare services.
There may be situations where Prime Health processes personal data on the instructions of another organisation or individual (i.e. when Prime Health is acting as a “data processor”), but in those circumstances, our use of data would be governed by that organisation or individual.
At Prime Health we recognise the importance of protecting personal and confidential information in all that we do, all we direct or commission, and ensure that we meet our legal duties.
Why do we need to collect your data?
Within the United Kingdom information collection and use is governed by the GDPR legislation detailed above. We only collect and use your personal information according to the legal bases defined in the GDPR and for the lawful purposes of administering the business of Prime Health. The legal bases are as follows:
- Consent: where you have given your specific consent to the processing of your personal data. You may at any time change your mind and withdraw consent, but this may mean we can no longer continue to provide services to you.
- Performance of a contract: where the processing of your data is necessary for the fulfillment of a contract, for example, e-referrals for NHS patients are subject to a contract.
- Compliance with a legal obligation: processing of your data is necessary by law and Prime Health is required to comply.
- In the vital interest: we may process your personal data in order to protect your vital interests, for example in providing emergency treatment or care should it be required.
- Public interest: we may process personal data in order to complete a task carried out in the public interest.
- Legitimate interest: we may process your personal data where we have a legitimate “business” interest in processing that information.
The table below shows the purposes and the associated legal basis under which we process your personal data:
|Reason for processing||Legal basis for processing|
|Accounting and auditing||
|Advertising and public relations||
|Conducting analysis and research activities||
|Consultancy and advisory services||
|Directing Prime Health activities||
|Education and training for staff members||
|Employment and staff administration||
|Healthcare administration and services||
|Invitation to meetings and other events||
|Medical records management||
|Management of donations and fundraising activities||
|Third-party delivery of services||
Should your relationship with Prime Health change then the legal basis under which we hold your data may also change.
What types of personal data do we collect/handle?
We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts, promote our services, and to support and manage our employees. We also process personal information about healthcare professionals that deliver services within Prime Health.
The types of personal information we use:
|Type of personal information||Individual group some or all the information may apply to|
|Personal identity – title, name, marital status, date of birth, National Insurance number, NHS number||
|Contact details – addresses, landline telephone & mobile numbers, email address||
|Family details – next of kin names, addresses and telephone numbers, relationships to next of kin||
|Financial details – such as bank sort code/account number, payment card number||
|Employment details – such as salary, annual leave, pension, benefits, discipline and grievance, payroll, tax information, performance data, occupational health data, and security clearance data||
|Education and training such as training records, qualification verification, employment history, and CVs||
|Details held in the patient’s record, where we hold or manage the patient’s record, such as NHS number, GP details||
|Lifestyle and social circumstances such as questions about smoking, drinking, and general lifestyle||
|Responses to surveys where individuals have responded to surveys||
|Directorship/membership of other organisations or similar information in order to determine any conflicts of interest||
|Fit and proper persons declarations||
|Special categories of information which may include:
How will we use information about you?
Your information is used to ensure the delivery and improvement of our services. Prime Health is the data controller for our electronic information systems. Please note that if you see an independent healthcare practitioner or consultant at our centres, they may act as the data controller for the consultation records.
Our systems hold personal details of all patients that have been referred via:
- The NHS e-Referral system (for NHS patients)
- Secure email (such as NHS.net account used by General Practitioners or encrypted email if the patient was referred privately)
- By secure fax (Safe haven)
- MIP referral (Prime Health’s own referral portal)
The information held on these systems is used primarily for the purpose of administering healthcare services; it may however be used for other non-health-related purposes and shared with statutory bodies/organisations to enable them to fulfil their statutory obligations. We may also use the information within our systems for statistical analysis to see how the organisation is performing with respect to business targets and objectives and quality of care.
We may keep your information in a written form or on a computer. Whenever possible all information that identifies you will be removed.
5.1 For our patients, your data may be used to:
- Manage our relationship with you
- Register all patients onto our information systems
- Register new referrals for existing patients on our systems, update demographic details and health records with new referral details
- Record telephone calls made to the appointments department in relation to appointment enquiries
- Allow the preparation of health records
- Investigate complaints, legal claims or incidents
- Make sure services are planned to meet patients’ needs in the future
- Check and report on how effective Prime Health and the services it provides have been
- Process anonymised statistical information on organisation performance
- Address customer service enquiries made via the website
5.2 For our staff, students, recruitment candidates, contractors/agency staff, clinicians/consultants, and suppliers, your personal data may be used to:
- Manage our relationship with you
- Fulfil our duty of care towards staff and communicate with you in the event of a major incident (e.g. in the event of a fire)
- Verify employment history, qualifications, and experience
- Validate ‘right to work’
- Assess suitability for employment during the selection process
- Undertake personal development of employees
- Deliver payroll for employees
- Fulfil our duties in respect of national insurance and tax accounting
- Manage disciplinary matters and grievances
- Undertake due diligence and risk assessment of the supply chain
Sharing Your Information
The information will only be shared with other individuals or organisations where there is a statutory or contractual obligation to do so, or with the agreement of the Prime Health Caldicott Guardian and Data Protection Officer. A Caldicott Guardian and Data Protection Officer are responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.
6.1 How we may be required to disclose your personal information
There are a number of reasons that we may need to disclose your personal data (to the extent necessary) in order to comply with regulation, legislation, or legal requirements. For example, this could be due to:
- Our obligation to comply with current UK legislation
- Our duty to comply with a court order
- A contractual commitment to report statutory information
- Your consent to the disclosure of your data having been provided
- Where we are required to do so by law
- The sharing of your data will ultimately benefit you as the data subject
- Our obligation to comply with our regulators
In fulfilling our obligation to provide services (healthcare and other services) we may share your data with the following:
- National Health Service (NHS) organisations
- Referral Services
- General Practitioners (your Doctor)
- Imaging Exchange Portal (a web-based portal used to allow sharing of scan images between healthcare trusts/organisations)
- Specialist consultants (medical and non-medical)
- Public Health England (PHE)
- Contracted third parties providing services or devices, medical and non-medical
- Healthcare insurance providers
- Occupational Health services (staff)
- Companies House
- Health & Safety Executive (HSE)
- Communication Service (Text alert)
- Payroll Service
6.2 Sharing of Special Category Data
As part of our commitment to upholding the highest governance standards, your data may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit of practice and audit of record management.
6.3 Sharing of data with other medical professionals
We have a number of medical professionals working with us. Some are our employees, and some are independent consultants or allied healthcare professionals (AHPs) working in private practice at our sites under our Practicing Privileges Policy. We share clinical information about you with those medical professionals as we consider necessary for your treatment and care.
In the case of independent consultants and AHPs, the consultant or AHP is the data controller of your personal data, either alone or jointly with us, and will be required to maintain their own records in accordance with Data Protection Laws and applicable clinical confidentiality guidelines and retention periods. If an independent consultant or AHP is acting as a Data Controller, we require that they are registered with the Information Commissioner’s Office as a Data Controller.
We try to ensure that there is a single patient record for all patients completing a pathway within any of our facilities, detailed to include a complete and accurate record of the care and treatment provided for each of our patients. However, we recognise that by the nature of our work, much of your pathway will be undertaken at other facilities (e.g. if you have an operation), and so in certain circumstances, a consultant or AHP may also create and maintain their own records of the full pathway.
Sharing your Information outside of the European Economic Area (EEA)
We may from time to time be required to share your information with other service providers who are outside the UK and the EU. The sharing of your information with these providers is necessary in order to provide the required medical device or service. The transfer of personal data internationally will be conducted with the appropriate legal mechanisms in place.
How long will we keep your data for?
We will keep your personal information in accordance with NHS Digital guidance ‘Records Management Code of Practice for Health and Social Care 2016’ and for only as long as is lawfully necessary to conduct our business with you, and/or in accordance with our legal obligations for data retention.
GDPR gives you a number of rights over your data, subject to certain criteria being met. These are:
- Right of access to your personal information and supplementary information (for example your medical record). Once we have received your request, we will respond within 30 days. This information will be sent to you free of charge.
- Right to rectify/amend your personal information if it is incorrectly recorded. You have the right to question any information we hold about you that you think is wrong, out of date, or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it.
- Right to object and Right to be forgotten. You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if it is no longer needed for the purpose it was collected or otherwise processed. This is known as the ‘right to erasure’ or ‘right to be forgotten’.
- Right to restrict the use of your personal information if:
  - It is not accurate;
  - It has been used unlawfully but you do not want us to delete it;
  - It is not relevant anymore, but you want us to keep it for use in legal claims; or
  - You have already asked us to stop using your personal information, but you are waiting for us to assess your request and confirm whether we are permitted to continue using the personal information under data protection law.
- Right to obtain your personal information in a portable format. You have the right to get copies of your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information to other organisations.
You have the right to complain to the Information Commissioner’s Office (ICO) which can be found at https://ico.org.uk/. It has enforcement powers and can investigate compliance with data protection law.
Freedom of information
Prime Health is not a public authority and is not governed by the Freedom of Information Act.
Changes to this policy