This privacy notice applies to anyone who interacts with One Heart Clinic about our services in any way (for example, by email, through our website, or by phone).
Data Protection Principles.
We will adhere to data protection law which states that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
If you have any questions.
If you have any questions about how we handle your personal information, please contact us at [email protected]
How is your information collected?
We collect personal information about you through our registration process and throughout your care journey with us. This may be from you directly or from other healthcare providers involved in your care (such as your consultant, GP, and facilities where you have previously been a patient). We may also collect certain information from other companies such as insurance companies.
Any information you provide to us through online forms, by email or by similar means will be treated as your consent for us to process that information so that we can respond to you accurately. Any information you provide on behalf of someone else will be treated as provided with their consent.
What kind of information will we hold about you?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We will collect, store, and use the following categories of general personal information about you as you would expect:
- Basic details (full name, date of birth, next of kin, address etc.)
- Contact details (phone number, mobile number, email address etc.)
- Payment details (debit or credit card, billing address etc.)
- Full name, address and payment details of any third party who will pay on the patient's behalf
- Patient GP information
- Patient feedback
There are also special categories of more sensitive personal information for example:
- Personal health and medical records (reports, notes, results etc.)
- Historical medical images and reports and other diagnostic information (ECG, CT, pathology etc.)
- Historical appointment records
Why does One Heart Clinic collect personal data?
We will only use your personal information when the law allows us to. Most commonly, this will be in the following circumstances:
- Where we need to provide healthcare services to you.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest.
How do we keep your information safe?
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. One Heart Clinic is registered with Cyber Essentials and aims to comply with the standards set out in the National Data Guardian's Data Security Standards.
How long is your personal data held?
We will not keep your personal data for longer than is necessary. Data retention is guided by the NHS Records Management Code of Practice and by the Department of Health.
How will we use your personal information?
The situations in which we will process your personal information are listed below.
- To enable us to provide healthcare services
- To enable us to collect payment
- To fulfil our obligations as a healthcare provider
- To provide safe services
- To maintain complete medical records
- To bill for services
- To meet our regulatory obligations
- To conduct audits
- To improve our systems and services
- To support marketing activities
- To enable building security
- To enable us to comply with our legal obligations (for example, fraud prevention)
Sharing with third parties.
We may have to share your data with third parties where we have a lawful justification for doing so. Such a lawful justification may include that the sharing is necessary for the provision of healthcare services, that we have your consent to do so or that we have a legal or regulatory obligation to fulfil.
Third parties with whom we may share your data include any of the following:
Our third-party service providers (data “processors” who support our services and only process your personal information on our instructions and subject to specific contractual obligations) – for example:
- Patient administration system – to process data about your appointments
- Payment processing system – to process data about your payments for the services
- Picture Archiving and Communication System (PACS) – to allow imaging/radiology reporting
Other third-party data “controllers” (who will have their own privacy notices that will apply to their use of your data), for example:
- Your consultant, GP, or referrer – to provide coordinated care
- Other healthcare providers – to deliver your care
- A private pharmacy concierge service – for delivery of pharmaceuticals to you
- Our patient payment solutions company – for provision of finance services (if you opt in)
- Regulatory bodies – to meet our regulatory requirements
- The payor of your care (e.g., insurance company, embassy, etc.) – your payor will, if they have not already done so, be able to confirm the information they will be requesting from us to support the payment process. In addition, please note that we may need to refer details of any serious complaint to your insurance company, as they have a legitimate interest in receiving this information to enable them to monitor the service we provide
- Our billing provider – to enable us to process your payments
- We may also provide your contact details to payment shortfall collections services/external debt collections agencies in order for them to assist us to settle any outstanding balances on your account
All third parties are under an obligation to treat your information confidentially, to have in place appropriate security measures and to treat your data in accordance with the law.
Transfers of data outside of the European Economic Area (EEA)
In the ordinary course of providing our services, we do not expect to transfer any of your personal data outside the EEA. If we do need to transfer your personal information outside the EEA, we will only do so lawfully, and you can expect a similar degree of protection for your personal information as you would expect in the UK. If any such transfer is contemplated, we can provide more information about it on request.
Under certain circumstances, you have the following rights by law:
- Right of access: you have the right to make a request for details of your personal information and a copy of that personal information.
- Right to rectification: you have the right to have inaccurate information about you corrected or removed.
- Right to erasure ('right to be forgotten'): you have the right to have certain personal information about you deleted from our records.
- Right to restriction of processing: you have the right to ask us to use your personal information for restricted purposes only.
- Right to object: you have the right to object to us processing your personal information in cases where our processing is based on a task carried out in the public interest or where we have let you know it is necessary to process your information for our or a third party’s legitimate interest. You can object to us using your information for direct marketing and profiling purposes in relation to direct marketing.
- Right to data portability: you have the right to ask us to transfer the personal information you have given us to you or to someone else in a format that can be read by computer.
- Right to withdraw consent: you have the right to withdraw any permission you have given us to handle your personal information. If you withdraw your permission, this will not affect the lawfulness of how we used your personal information before you withdrew permission, and we will let you know if we will no longer be able to provide you with your chosen service.
If you want to review, verify, correct, or request erasure of your personal information, object to the processing of your personal data, request the restriction of processing or request that we transfer a copy of your personal information to another party, please contact us at [email protected]
Please note: Other than your right to object to us using your information for direct marketing, your rights are not absolute. This means they do not always apply in all cases, and we will let you know in our correspondence with you how we will be able to meet your request relating to your rights.
If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. We have 21 days to respond to requests relating to automated decisions. For all other requests we have one month from receiving your request to tell you what action we have taken.
If you have any questions, comments, complaints or suggestions relating to this notice, or any other concerns about the way in which we process information about you, please contact the Registered Manager via [email protected]. You can also use this address to contact our Data Protection Officer.
You also have a right to make a complaint to your local privacy supervisory authority. Our main establishment is in the UK, where the local supervisory authority is the Information Commissioner’s Office (ICO):
- Information Commissioner's Office
- Wycliffe House
- Water Lane
- Cheshire, United Kingdom
- SK9 5AF
One Heart Clinic is registered with the ICO.