Consultants and GPs
This Privacy Notice sets out what personal information we may collect from you and how that information may be used
- In particular, this Privacy Notice:explains how we will manage your personal information, from the time we collect it and onwards;
- explains how we use your information and who we share it with;
- how we will comply with any relevant laws; and
- explains your rights in relation to your personal data, and how you can exercise them.
This Privacy Notice does not cover any links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our websites, we encourage you to read the privacy policy of any website you visit.
This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below. Alternatively you can download this policy here.
What personal information do we collect from you?
How do we use your personal information?
Who do we share your personal information with?
What marketing activities do we carry out?
How long do we keep your personal data?
About us
HCA Healthcare UK (HCA) is an independent provider of private healthcare, offering treatment to private patients and NHS patients. In order to provide healthcare services and receive payment for those services, HCA need to collect and process certain information about you ("personal data").
HCA is a 'data controller' for the information that it collects and processes about you, and you the 'data subject'. Our Data Protection Officer can be contacted at 2 Cavendish Square, London W1G 0PU or at DPO@hcahealthcare.co.uk.
HCA is committed to protecting and respecting your personal information. This Privacy Notice explains what personal information we may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.
About Consultants and Doctors
Care for Patients of HCA may be provided by a healthcare professional who is a medical practitioner including consultants, doctors, nurses, and other clinical support professionals. In this Privacy Notice, we refer to all such individuals as "healthcare professionals". As a healthcare professional you may make decisions about what personal data you need to collect about patients and you may maintain your own set of medical records in relation to your care. You are an independent Data Controller of this personal data must also comply with the data protection legislation (including any necessary registrations) and relevant guidance when handling this personal data.
It is the responsibility of the healthcare professional to ensure that their use of patient personal data is lawful and to inform them as to exactly how it will be used and to provide patients with their own Privacy Notice setting this out.
Healthcare professionals who work with HCA are supported by a medical secretary who will use patient personal data only as instructed by the healthcare professional. In some circumstances, that medical secretary will be employed by HCA and they will handle your personal data in accordance with this Privacy Notice. It is the healthcare professional’s responsibility to inform patients if their medical secretary is employed by a third party and the manner in which they will use your personal data (including where they are based). HCA is not responsible for any use of patient personal data by third parties, e.g. medical secretaries who are not employed by HCA.
Also, healthcare professionals who work with HCA (including their medical secretaries) may process patient personal data at a non-HCA site (medical or non-medical).
HCA Healthcare companies and facilities in the UK include:
The Harley Street Clinic
The Lister Hospital
London Bridge Hospital
The Portland Hospital
The Princess Grace Hospital
The Wellington Hospital
The Harborne Hospital
University College Hospital Private Care, The Wilmslow Hospital and The Christie Private Care
We may share data between these companies and facilities where is it necessary to facilitate the provision of care to our patients.
What personal information do we collect from you and how do we use it?
We will use your personal data for the reasons set out below. The personal data we collect and use may include:
- your name, address and contact details, including email address and home and mobile telephone numbers. If you provide these details, we may use them to contact you unless you ask us not to. This could include emails, text or voicemail messages;
- date of birth and gender;
- information about your marital status, next of kin, dependants nominated and/or emergency contacts;
- equal opportunity monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief; and
Contractual and Financial
- the terms and conditions of your Agreement with us for the provision of healthcare and related services to our patients;
- your bank account and national insurance number);
Information relating to your provision of healthcare to our patients
- information about your nationality and entitlement to practice in the UK;
- information about medical or health conditions, and vaccinations including information about your COVID-19 vaccination status;
- whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- Information about the systems and services you will use to provide care to our patients;
- Information received in response to any complaints or claims;
Other
- Information about how you use our website.
- The data we collect may also include visual images, personal appearance and behaviour e.g. where CCTV is used as part of our building security measures.
- If you are employed or may be employed by HCA UK we will also hold and process other information relating to your employment. You can also obtain a copy of the Staff Privacy Notice from the HCA HR team.)
How HCA collect this information
HCA UK may collect this information in a variety of ways. We will collect most of this information directly during the credentialing and contracting process but we may also obtain data from your passport or other identity documents such as your driving licence; from pre-admission forms, online web forms; from correspondence with you; through interviews and surveys, meetings or other assessments.
In some cases, the organisation may collect personal data about you from third parties, such as insurance providers, referral agencies, sponsors, credit, Disclosure and Barring Service (DBS) service and other checks permitted by law, professional bodies and public registries.
Where information is obtained from a third party not involved in your current or previous employment we will let you know.
We will tell you if providing some personal data is optional, including if we need to ask for your consent to process it. In all other cases, we need you to provide your personal data so we can work with you to provide care and treatment to our patients and for you and us to receive payment for these services.
How do we use your data?
We use your personal data to support the provision of healthcare to our patients in the following ways:
- As necessary to support any contractual agreements with you and to allow us and you to receive payment for any services provided by you and to you;
- To keep your records up to date;
- For compliance with the Health and Social Care Act and in considering how staff will be deployed.
We use your data for the following purposes, to maintain the high standards of service that we provide to our patients:
- For good governance, accounting, and managing and auditing our clinical and business operations both internally and by third parties;
- For surveys of patient experience and quality of care;
- To monitor emails, calls, other communications, and activities on HCA networks and systems;
- For market research, other surveys and analysis and developing statistics for improving clinical performance; and
We may process your data to ensure the security of our systems and to prevent crime and ensure compliance with all laws and regulations that are applicable to our services:
We may monitor and record telephone calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations.
We use your data to ensure we can comply with our legal obligations:
- When you exercise your rights under data protection law and make requests;
- For compliance with legal and regulatory requirements and related disclosures;
- For establishment and defence of legal rights;
- For activities relating to the prevention, detection and investigation of crime;
- To verify your identity, make credit fraud prevention and anti-money laundering checks; and
- To investigate complaints, legal claims and data protection or clinical incidents.
Based on your consent we may also use your data:
- If you ask us to disclose your personal data to other people or organisations such as a company handling a claim on your behalf; or otherwise agree to disclosures;
- When we process any special categories of personal data about you at your request (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation).
You are free at any time to change your mind and withdraw this consent where we have specifically relied on your consent to share your data.
We may share your personal data with:
- Other Consultants/Doctors and other healthcare professionals who provide treatment to patients at our Facilities;
- The HCA group of companies and associated companies including entities in the United States;
- Sub-contractors and other persons who help us to provide healthcare products and services to patients;
- Companies and other persons including interpreters providing services to you;
- Our legal and other professional advisors, including our auditors;
- Fraud prevention agencies, credit reference agencies, and debt collection agencies;
- Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner's Office and Care Quality Commission (CQC) https://www.cqc.org.uk/about-us/our-policies/privacy-statement
- General Medical Council and other professional bodies;
- Courts, to comply with legal requirements, and for the administration of justice;
- In an emergency or to otherwise protect vital interests of yourself or others;
- Third parties who help us to protect the security or integrity of our business operations and patients;
- When we restructure or buy or sell our business or its assets or have a merger or re-organisation;
- Payment systems and providers; and
- Anyone else where we have your consent or as required by law.
Sharing of your personal data in order to receive payment for treatment of our patients from Insurers, sponsors or guarantors
We will contact the individual or company and provide them with the information necessary to support our invoices for payment and to ensure that we receive full payment for patient’s care. We may also contact them prior to a patient’s care to confirm that the treatment they are about to receive is covered by them and they are willing to pay for the patient’s care. We will also provide information necessary to support any audits carried out by insurers and sponsors.
What marketing activities do we carry out?
We may use your contact details to send you newsletters and other information on new HCA Facilities, services and treatments and training opportunities so you know where and how your patients may be treated. We will not sell your personal data to a third party without your written consent.
You are free at any time to ask us to stop sending this information. Please contact consent@hcahealthcare.co.uk.
International data transfers
Your personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an 'international framework' of protection.
How long do we keep your data?
Information will be kept in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice for Health and Social Care (2016). Information may be held for longer periods where the following apply:
- Retention in case of queries. We will retain your personal data as long as necessary to deal with any queries you may have;
- Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us; and
- Retention in accordance with legal and regulatory requirements. We will retain your personal data after you have received healthcare services at our Facilities based on our legal and regulatory requirements and obligations.
COVID-19 Data Protection Statement
During these unprecedented times, HCA Healthcare’s main priority is the health and safety of our patients, colleagues and the wider community as well as supporting the NHS in responding to the COVID-19 pandemic. We are supporting the NHS in responding to the COVID-19 pandemic and this will remain our focus at this time.
As a result of these unique circumstances, HCA may need to share personal data with the NHS and other regulatory and government bodies (e.g. Care Quality Commission (CQC) for the purpose of supporting the response to the COVID-19 pandemic. This will be done in accordance with data protection laws and will include any amendments to legislation made by the Secretary of State. We will also consider any relevant guidance provided by the Information Commissioner’s Office.
Sharing of your Personal Data during the COVID-19 pandemic
During the COVID -19 pandemic your personal data may also be shared for the following purposes:
- Understanding COVID -19 trends and risks to public health and controlling and preventing the spread of COVID -19;
- Identifying and understanding information about colleagues, patients or potential patients with or at risk of COVID -19 including patient exposure to COVID -19;
- Management of colleagues and patients with or at risk of COVID -19 including: locating, contacting, screening, flagging and monitoring such colleagues and patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID -19;
- Understanding capacity and availability information about patient access to health services and adult social care services;
- Monitoring and managing the response to COVID -19 by health and social care bodies and the Government including providing information ( including workforce details) to the public about COVID -19;
- Delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID -19; and
- Research and planning in relation to COVID -19.
We will regularly review this privacy statement and its applicability throughout the COVID-19 outbreak. We may also notify you in other ways from time to time about the processing of your personal information.
Your rights under applicable data protection law
Your rights, under the data protection laws, are as follows (noting that these rights do not apply in all circumstances):
- The right to be informed about processing of your personal data;
- The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
- The right to object to processing of your personal data;
- The right to restrict processing of your personal data;
- The right to have your personal data erased (the "right to be forgotten”);
- The right to request access to your personal data and information about how we process it;
- The right to move, copy or transfer your personal data ("data portability") ; and
- Rights in relation to automated decision-making including profiling
You may exercise these rights by contacting us on exercisingmydatarights@hcahealthcare.co.uk
You have the right to complain to the Information Commissioner's Office (ICO). It has enforcement powers and can investigate compliance with data protection law. Contact the ICO on www.ico.org.uk.
How to contact us
You can pick up a copy of this Privacy Notice from Reception at our Facilities or download a copy from our website https://www.hcahealthcare.co.uk/legal/privacy-policy.
Further information can be provided from our Data Protection Officer on DPO@hcahealthcare.co.uk
This Notice may be translated into other languages on request.
Last Updated: January 2022