Lawful basis for processing
Why we need to process your personal information |
Lawful Basis |
|
1 Our ground to process your personal information |
2 Additional ground to Additional lawful basis for Special category data e.g. health records |
|
Contacting you following an enquiry from you through our website, by email, by phone line or social media |
Necessary steps for us to enter into a contract with you |
|
Establishing a patient record |
Necessary steps for us to enter into a contract with you Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights |
|
To provide you with healthcare and related services |
Fulfilling our contract with you for To protect your vital interest of the vital interests of another person where you or they are not capable of giving consent Necessary for task carried out in the public interests |
|
To ensure that your account and billing is fully accurate and up-to-date
|
Fulfilling our contract with you for the provision of health care and/or treatment Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights |
|
Maintaining improved quality of service, training including conducting post treatment surveys, but excluding marketing
|
Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights |
|
Maintaining accounting and financial records, internal and external audit requirements |
Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights For compliance with legal obligations
|
|
Disclose information to regulatory bodies (see exception with PHIN below) |
To comply with a legal or regulatory obligation |
|
Disclose information to regulatory bodies or information organisations, including the Private Health Care Information Network” (PHIN). |
To comply with a legal or regulatory obligation |
|
To answer any complaint or legal claim from you |
Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights For compliance with legal obligations To establish, exercise or defend our legal rights |
|
Communicating with third party, share updates about your care (e.g. insurance companies) and updating other healthcare professionals about your care (e.g. NHS)
|
Fulfilling our contract with you for the provision of health care and/or treatment Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights |
|
Use of closed-circuit television (CCTV) for security purposes
|
Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights |
|
We may provide your personal information to our third party survey provider |
Legitimate interests and appropriate business need to use your information which does not overly prejudice your rights |
|
Provide marketing information to you |
Your explicit consent |
|
Please note that failure to provide us with your personal information (including your sensitive information) may mean that we are unable to set you up as a patient, provide you with the required treatment or facilitate the provision of your healthcare.
Legal references
In most circumstances, HCA will rely on Article 6 (1) (b) and Article 9 (2) (h) of the General Data Protection Regulations (GDPR) for the processing of your personal data. The GDPR has been incorporated into UK law as part of the Data Protection Act 2018. In addition HCA may rely one or more of the following basis including when sharing personal data.
- Legal obligation: the processing is necessary for compliance with a legal obligation Article 6 (1)(c)*
- Vital interests: the processing is necessary to protect someone’s life. Article 6 (1) (d)
- Public interest: the processing is necessary to perform a task in the public interest. Article 6 (e)
- Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party. Article 6 (1) (f)
When processing special category data HCA may rely on;
- Employment, social security and social protection Article 9 (2)(b)
- Vital interests of the Data Subject Article 9 (2) (c)
- Substantial public interest Article 9 (2) (g)
- Provision of health or social care Article 9 (2) (h)
- Public interest in the area of public health such as protecting against serious cross border threats to health Article 9 (2) (i)
- Consent Article 9 (2)(a)
* This includes the Notice by Secretary of State under Reg 3(4) of Health Service Control of Patient Information Regulations issued 1st April 2020 allowing healthcare providers to share personal data and any other such notice that may be issued to support efforts against COVID-19.
Last Updated: January 2022