Privacy Information for Data Subjects
Contents
Privacy notices for specific individuals | Privacy information common to all individuals |
---|---|
7. Birmingham Prostate Clinic patients; 8. Consultants with practising privileges; 9. Clinical external individuals, visiting doctors and clinical students | |
1. About this privacy information
This Privacy Information explains how we collect Personal Data and why we need to process it. Processing can mean any activity to do with that data, for example: collecting, storing, editing, sharing and deleting.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) have strict principles which govern our use of data, and everyone working at or for GenesisCare is subject to the Common Law Duty of Confidentiality.
The Personal Data we process about you will only be used for the purposes outlined under an identified lawful basis. This Privacy Information provides the detail of the information we collect, why it is needed, the lawful basis for processing it and who it will be shared with.
We provide information about the individual rights that may be available to you, how you can make a complaint, as well as general details about data protection and confidentiality which you may find of interest.
If you require further information about your Personal Data please see the Contacts section for details of the GenesisCare Data Protection Officer and the Information Commissioner’s Office.
Our Privacy Information is updated regularly to reflect any changes to our processing and/or to the relevant laws. These updates are documented in the final section.
2. Who we are
GenesisCare’s specialist cancer Centres are dedicated to the treatment of all types of adult cancer, including diagnosis, theranostics, radiotherapy and chemotherapy.
GenesisCare UK is a trading name of Genesis Cancer Care UK Limited (“GenesisCare”).
For the purposes of this privacy notice reference to GenesisCare includes its subsidiaries.
The registered office for GenesisCare and its subsidiaries is Wilson House, Waterberry Drive, Waterlooville, Hampshire, PO7 7XX. Other registration details are as follows:
Company name | Company registration number | Information Commissioner's Office registration number |
---|---|---|
GenesisCare UK | 05796994 | Z9493925 |
Birmingham Prostate Clinic (BPC) | 05509497 | ZA441424 |
Responsibility
GenesisCare takes responsibility for the protection of the Personal Data it processes. We have implemented a data protection framework which includes a robust structure and key roles, including a Senior Information Risk Owner (SIRO), a Caldicott Guardian, who advises on specific issues relating to the use of Confidential Patient Information, and a Data Protection Officer who is tasked with monitoring compliance with current Data Protection Legislation.
The GenesisCare group
We may share Personal Data within the global GenesisCare group of companies. Where we collaborate with our colleagues in other countries there will be an inter-group data protection agreement in place which, where necessary, will include an approved UK legal mechanism for transferring Personal Data securely.
3. Contact details
If you have any queries or would like to exercise your rights or establish whether any rights apply to you, please contact the Data Protection Officer at DPO@genesiscare.co.uk or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer”, or telephone 07841 207263.
The Information Commissioner's Office
If you think we have not complied with our legal obligations in relation to your Personal Data, or if you are unhappy with the way that we have dealt with a request from you to exercise any of your rights, you can complain to the Information Commissioner’s Office; this will not affect any other legal rights or remedies that you have.
Whilst you are not obliged to do so, in the interests of dealing with your concerns expediently, we would request that you make us aware of any issue prior to notifying the Information Commissioner’s Office, to give us the opportunity to respond. Please contact the Data Protection Officer above. The Information Commissioner’s Office would also expect this step to have been taken prior to any referral to them and may simply refer any complaint back to us where we have not had the opportunity to respond.
You can contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at casework@ico.org.uk, or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 (local rate call). Website: ico.org.uk
4. Enquirers
This Privacy Notice applies to all enquirers.
If you have an enquiry you can contact us by:
- Calling the GenesisCare Customer Service Team
- Calling a GenesisCare Centre
- Sending us a question through our enquiry form or chat box on our website: https://www.genesiscare.com/uk/make-an-enquiry
- Corresponding with us through social media, including where you reference GenesisCare in a public social media post
We anticipate contact from various enquirers such as patients, prospective patients, medical professionals and secretaries, candidates, insurers and people from businesses wishing to forge a relationship with GenesisCare; we also receive calls from diagnostic pathway organisations on behalf of patients.
We will answer the enquiry, redirect it, or we may ask you to confirm your enquiry by emailing us so that we can pass it on to the relevant team.
We will collect data directly from you, or your nominated spokesperson if you have someone acting on your behalf.
Calling the GenesisCare Customer Service Team
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Nature of your enquiry, your name, telephone number, email address and, if relevant, your address | – To establish information in relation to how best to respond to your enquiry | – 6(1)(f) Legitimate Interest in being able to respond appropriately to incoming calls and enquiries | – Customer Service Team – Relevant GenesisCare personnel who can support your enquiry |
If the enquiry is medical: Which service is required, date of birth, contact details, whether an existing patient, medical insurance or self-pay details, contact preferences. Depending on the circumstances, additional relevant personal and medical detail (special category data). | – To establish information in relation to assessment and/or treatment and whether the Customer Service Team can arrange the booking or whether it should be signposted to a GenesisCare Centre or relevant Medical Secretary for further action | – 6(1)(f) Legitimate Interest in being able to respond to your medical enquiry. – 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – Customer Service Team – Relevant GenesisCare personnel who can support your enquiry – Partner hospital or relevant Consultant’s Medical Secretary |
Appointment information which may include triage questions in relation to GenesisCare’s Centres providing One Stop Breast and Mammogram services, and/or details to help us obtain your scan (special category data). | – To discuss appointment times and provide you with the details of the arrangements we have made for you | – 6(1)(f) Legitimate Interest in being able to respond to your medical enquiry. – 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – Customer Service Team – Relevant GenesisCare personnel who can support your enquiry |
Calling in response to a specific awareness initiative
If you call in response to a specific awareness initiative, for example a lung or breast campaign, you will be routed to our Customer Service Team during manned hours.
The data we handle will be as above and your details will be added to our system so that your enquiry can be handled by the relevant medical secretary or administrative staff.
Out of hours
If your call is routed to the Customer Service Team out of our working hours you can leave a message on our voicemail service and a member of the Team will call you back the following working day. Voicemails will be retained for 30 days, then deleted.
When you receive a call back you will be asked, depending on the circumstances, for the information described in the ‘Calling the Customer Service Team’ section, above.
Website Request Form
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Your name, telephone number, email address, your preferred Centre location, the time to call back and the type of enquiry, a request to confirm that you have read the GenesisCare Privacy Notice. There is also the opportunity to add free text about the nature of the enquiry. | – To progress the enquiry | – 6(1)(f) Legitimate Interest in being able to respond to the enquiry and to understand location and contact preferences. – If you provide medical information: 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – Customer Service Team – Relevant Centre or Team staff – Relevant GenesisCare personnel who can support your enquiry |
When you receive a call back you will be asked, depending on the circumstances, for the information described in the ‘Calling the Customer Service Team’ section, above.
Website Chatbox
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
You will be asked your name and the nature of your enquiry. Further details may be requested so that your enquiry can be progressed, e.g. your telephone number, email address and, if relevant, your address. You may also wish to provide health-related details if relevant. | – To establish information in relation to how best to respond to your enquiry – To establish your nearest GenesisCare Centre | – 6(1)(f) Legitimate Interest in being able to respond to your enquiry. – If you provide medical information: 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – Customer Service Team – Relevant GenesisCare personnel who can support your enquiry |
If you request a call back you will be asked, depending on the circumstances, for the information described in the ‘Calling the Customer Service Team’ section, above.
Social Media e.g. Facebook Messenger / Linked-In / Twitter / Instagram
If you have corresponded with us through social media, or where you reference GenesisCare in a public social media post, the Customer Service Team will respond accordingly, dependent on the circumstances.
GenesisCare does not use automated decision making in relation to healthcare, nor other processes that would have legal or similarly significant effects, but we may use automated profiling of your Personal Data to evaluate certain personal aspects, for example your personal preferences, interests and location, to provide more tailored marketing. This could include targeted ads through social media platforms such as Facebook, Twitter, Instagram and LinkedIn. Please refer to the cookie information on our website for further details.
Call recording
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
We record all inbound and outbound calls and will collect your telephone number and a recording and written transcript of the conversation which will include any healthcare data discussed | – For training, monitoring and improvement purposes | – 6(1)(f) Legitimate Interest in monitoring quality and compliance of our call answering – If you provide medical information: 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – Customer Service Team – In circumstances where there is an issue the recording may be shared with the relevant Centre and/or management staff |
Customer Service Team reporting and analysis
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Service delivery reporting to include name, DOB, contact details, call or email, existing or new patient, self-pay or private insurance, which Centre or Medical Secretary the enquiry was passed to, date | – To ensure your enquiry was dealt with by the relevant Centre or Medical Secretary | – 6(1)(f) Legitimate Interest in being able to provide a service that will benefit the enquirer | – Customer Service Team |
Customer Service Team data retention
The Customer Service Team will retain your details in a secure system for a maximum period of six months after which your details will be anonymised if required for analysis reporting.
Recorded calls and written transcripts are held for 3 months after which they are securely deleted.
Incoming emails are passed on to the relevant GenesisCare person or team and are not retained by the Customer Service Team.
Where we are unable to assist or where the enquiry is not taken further, anonymised information is held on our enquiry logs for statistical analysis only.
If you become a patient please read the Privacy Notice For Patients.
5. Visitors
This Privacy Notice applies to all visitors to GenesisCare locations and/or our website.
We will collect data directly from you, or your nominated spokesperson if you have someone acting on your behalf, or through the technology which applies to this processing.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Arrival on site registration, typically name, date, time of arrival and departure, telephone number, vehicle registration, as relevant to the location | – To monitor access to our facilities – To provide facilities such as vehicle parking provision – To manage headcount, e.g. for Health and Safety purposes | – 6(1)(c) Legal Obligation: Health and Safety at Work Act 1974 – 6(1)(f) Legitimate Interest in being able to establish who is on our premises | – Location reception staff – Centre Leader |
Device address if you use our Wi-Fi | – To provide you with an IP address whilst on site and to log traffic information in the form of sites visited, duration and date sent/received for resource purposes | – 6(1)(f) Legitimate Interest in being able to provide Wi-Fi to visitors to our locations | – IT Service Team (may be a contracted third party organisation) |
Information about how you logged on and off our website(s), including your IP address, information about your visit, your browsing history, your device information and how you use our website – please see our cookie policy | – To keep our website safe, secure and up to date – To understand your website journey, including what pages you have viewed and for how long | – 6(1)(f) Legitimate Interest in being able to provide and maintain a meaningful website | – IT Service Team (may be a contracted third party organisation) and other related service providers, such as contracted website hosting and support companies |
CCTV
We use CCTV externally and internally to support the safety of our organisation, staff, patients and visitors, to ensure the security of property and premises, and to prevent and investigate crime. It may also be used to support incident and complaint investigations and litigation against GenesisCare. Areas monitored by CCTV are sign-posted.
At some of our Centres the external CCTV is owned and managed by someone else, such as the landlord, who is the controller. CCTV footage may be shared with GenesisCare where it is necessary for one of the purposes mentioned above. We can supply you with details of the relevant controller(s) of the CCTV.
We also use CCTV in our radiotherapy treatment areas so that the radiographers can watch you carefully and can speak to you through an intercom. The cameras in these areas are not recorded – it is simply a live feed to our radiographers.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
CCTV at a GenesisCare location | – To protect individuals – To keep premises and property secure – To review and/or investigate incidents | Where GenesisCare is responsible for the CCTV: 6(1)(f) Legitimate Interest in protecting our organisation, staff, patients and the public by using CCTV on our premises where legally permitted to do so | – Relevant staff at the location, e.g. Centre Leader, clinical staff – If relevant: – GenesisCare Teams e.g. P&C, Legal, IG – The Police – Professional or statutory regulatory bodies – Other individuals involved in any incident – Insurers – Other providers (where appropriate) – Legal advisors |
Audio and Visual Recording on Personal Devices
Please be aware that patients/carers and/or visitors are not permitted to make audio or photo/video recordings in our waiting rooms or other public areas, as this would breach the right to privacy of other patients and visitors who may be in the area at that time.
You may take photos of GenesisCare staff providing they have given consent.
If you wish to record or video your consultation you must first speak to your doctor or clinician. Due to the potential for interference with electronic medical equipment, there may be restrictions on the use of mobile phones and personal recording devices in some treatment areas. Our staff will be able to advise you.
6. GenesisCare patients
This Privacy Notice applies to patients who are receiving or who have received healthcare services from GenesisCare.
Please refer to the links in the Contents section for details of other scenarios which may apply to you, such as when you make an enquiry or visit one of our Centres.
Collecting your information
GenesisCare will collect information directly from you to support your direct care and treatment when you use our services. It will be stored electronically (or temporarily in paper form) and will include:
- Details about you such as name, address, date of birth, phone, email, and the emergency and nominated contacts you have provided
- Contacts we have had with you, such as appointments or treatment, which may be online or in person
- Notes, letters and reports on your health
- Details of treatment and care, images and test results
- Details of medicines, side effects and allergies
- If relevant, data from people who care for you and know you well, such as health professionals and relatives
- If you choose to tell us, your ethnicity details, which we would share with the Private Healthcare Information Network (PHIN).
We may also collect information from you when you:
- Correspond with us
- Take part in a survey
- Take part in our marketing activities.
We will collect information about you from other healthcare providers so that we can give you the best possible care. Information can include:
- Your NHS Number and/or GP detail from the Personal Demographic Service (PDS); we are allowed to gather this information to avoid duplicate records and for accuracy of data set submissions
- Records from other healthcare providers who have previously provided treatment to you (this can include both private organisations and the NHS)
- Records from your Consultant (including those provided through their medical secretaries)
- Information from other service providers who work with us in relation to diagnostics, care and treatment provided to you
- Samples and tests provided by pathology providers
We may collect information about you from third parties when:
- You are referred to us for health-related services
- We liaise with current or former other health service and support providers
- We liaise with your emergency and/or nominated contact
- We communicate with your medical insurance policy provider
- We instruct debt collection agencies
- We communicate with government agencies such as social and welfare organisations where it is legally required for the safety of the individual concerned, for example, safeguarding
- You instruct a representative, such as a legal advisor or attorney
- You appear on CCTV, and we are a recipient of the footage (please also refer to the privacy notice for visitors)
Using your information
When you come to us for care and treatment, we will collect information from you in order to provide health related services and to fulfil our contract with you for the provision of the services.
Please note that failure to provide your information further to a contractual requirement with us or a Consultant may mean that we are unable to register you as a patient or facilitate the provision of your healthcare on GenesisCare’s systems.
The lawful basis for processing Personal Data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services or 6(1)(b) necessary for the performance of a contract and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
We will contact you using the information you have provided on the registration form. If you have any specific communication preferences please let us know.
It is important that you tell us immediately if your contact details have changed. Please note that we cannot be held responsible should you change your mobile number or email address and not advise us. Equally we cannot be held responsible for onwards use or transmission of a text message after you have received it.
We will let you know about patient events, such as coffee mornings, and other relevant healthcare related support and services.
We may use your contact details to ask you to complete a review about the care and treatment you received at GenesisCare.
Our lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
When you register for care or treatment, you may provide details of an emergency contact that we can contact in the event of an emergency.
You may also want, or need, to have someone as a nominated contact who you trust to help you manage your healthcare with GenesisCare. For example, someone who, with your permission, can book or confirm appointments or otherwise communicate with the GenesisCare treatment team on your behalf. This could be a family member, friend, or carer. If we receive contact from an individual identifying themselves as your nominated contact, and they have passed our verification checks, we will share information about you with them, within the parameters you have set in the Registration Form. You do not have to provide a nominated contact at all; in that case, we will always seek your consent before disclosing information about you to a family member, friend or carer who may contact us on your behalf.
Please ensure that your contacts are comfortable with you giving us their information and we recommend you show them this privacy notice. If you wish to change your emergency and nominated contact details, please notify us immediately so that we can update our records.
If you invite someone to your appointments, they will receive the same information about you that you receive during the appointment.
If you have a representative, for example someone holding lasting power of attorney, we will share information with this representative where appropriate to do so.
Be aware that we will not share information with someone representing you unless we are authorised to do so, as explained above. This may mean we need to confirm with you first before we release information about you to someone other than the individuals you have nominated.
The lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services, 6(1)(d) vital interests and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
We will share your information with other healthcare professionals or organisations so they can provide you with safe and effective care. This would include where you transfer for continuing treatment or care through the NHS or an alternative private organisation.
GenesisCare has a legal obligation under the Health & Social Care Act 2015 to use your NHS number where reasonably available, and this unique identifier will be used for all data sharing associated with facilitating the care of NHS patients.
The lawful basis for processing this data is 6(1)(c) compliance with a legal obligation, 6(1)(d) vital interests, 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services, and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
You may be offered a telehealth remote consultation by your doctor. If we provide this service we will capture your name, telephone number, IP address and information relating to your health. Notes will be captured within your health record. We do not record consultations.
The lawful basis for processing this data is 6(1)(b) necessary for the performance of a contract, article 6(1)(c) legal obligation, specifically meeting record keeping requirements under the Health and Social Care Act, 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
When you register with us, we will record whether you are self-funding or are covering the cost of your treatment through your private medical insurers. Where relevant, we will record details of your private medical insurance including your insurer and policy number. Please refer to the GenesisCare Terms and Conditions for further information.
If you are self-funding or need to cover costs in the event of a shortfall of funds from insurers, you will need to make payment via our authorised payment card service providers, who will hold your card holder data. You will receive a copy of the receipt and our finance department will store the merchant copy securely on our servers for one year for financial audit purposes, after which our copy will be deleted.
We collect this information to enable us to provide you with health related services and treatment and to fulfil our contract with you for the provision of such care. We use your Personal Data to ensure our accounting and invoicing activities are accurate and up to date.
The lawful basis for processing Personal Data is 6(1)(b) necessary for the performance of a contract, 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
GenesisCare supports student and visiting doctor placements and, unless you object, details of your diagnosis and treatment may be shared for clinical training and teaching purposes within the GenesisCare direct care team. Recipients will be under a duty of confidentiality in addition to that imposed by the data protection legislation.
For education and training purposes beyond the direct care team, we will use anonymised data. If it is not possible to use anonymised data, e.g. the training scenario requires identifiable information, we will seek your consent under the Common Law Duty of Confidentiality.
Our lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services.
Technological innovations have a direct positive impact on improving healthcare services and patient outcomes and, within the framework of data protection law, GenesisCare supports concepts, technologies, processes and services that have the potential to benefit our patients.
Prior to using patient data for improvement and development purposes, it is anonymised.
Those undertaking the anonymisation operate under strict confidentiality terms; they ensure that data minimisation techniques are applied, that patients are no longer identifiable in any way, and that reidentification cannot occur.
We ask you at registration if you are willing to share your data as outlined above for the purposes of product improvement and testing and if you change your mind at any time please let us know.
The lawful basis for processing this data is 6(1)(f) legitimate interest in anonymising personal data in the interests of making improvements to systems and services and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services and article 9(2)(j) the processing is necessary for research purposes.
We use Personal Data including photography (still and moving), audio or written transcript recordings in our marketing materials related to the promotion of our organisation and services, as an educational resource, within presentations or within journalistic articles or material. These materials will be published online and within printed media, used in promotional videos at events, used in advertising and broadcast and used for educational purposes. Depending on the circumstances, this may include special categories of data such as information relating to your health, e.g. for patient testimonials.
Where we are processing special categories of data for promotional, marketing, journalistic and education purposes you will be provided with a comprehensive Privacy Notice so that you can make an informed decision.
The lawful basis for processing this data is 6(1)(a) consent and 9(2)(a) explicit consent.
You have the right to withdraw your consent to further processing of your image. This is explained fully when you are asked if you wish to participate.
We are accountable for ensuring safe clinical and operational practices are implemented and maintained. We undertake regular audits of compliance to ensure the delivery of standards of treatment, for quality assurance, to ensure services can meet our statutory and regulatory obligations and patient needs in the future and to assess adherence to policy and procedure. Wherever possible we use anonymised information.
We may share anonymised and aggregated data with organisations such as the National Institute for Clinical Excellence for auditing purposes. You will not be identifiable unless anonymised or aggregated patient data would not otherwise be sufficient and the use of Personal Data has a valid lawful basis. These individuals will be under a duty of confidentiality in addition to that imposed by the data protection legislation.
Our lawful basis for processing this data is 6(1)(c) legal obligation (e.g. meeting our regulatory obligations as a CQC registered provider), 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your healthcare and management of healthcare services and 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services or 9(2)(i) for reasons of public interest in the area of public health.
Sharing your information
We may let you know about patient events, such as coffee mornings, and offer you ancillary services connected to GenesisCare, which may include our exercise clinic, as well as counsellors and therapists. If you take up this support, we will share information with the relevant healthcare professionals and workers.
If you require a taxi we will provide the driver with your name and address.
GenesisCare’s medical Consultants are independent practitioners who practise their specialties in accordance with the terms of our Practising Privileges policy and who have personal responsibility for the care they deliver.
Consultants are responsible for maintaining records about your health and any treatment or care you have received and may keep their own records as well as recording the details on the GenesisCare patient record system. Consultants who individually maintain your record are responsible for providing you with a separate privacy notice. Where the patient record system is used, GenesisCare and your Consultant are joint controllers of your data (together we determine the means and purpose of processing your information for your care and treatment) and this privacy notice applies. Both parties abide by the Joint Patient Data Sharing and Management Policy which we can provide to you upon request.
Note that where Consultants hold separate records about you we may refer you to them if you have exercised your information rights under Data Protection Laws.
GenesisCare offers medical secretary services to Consultants in some circumstances. Where we do, the secretary is employed by GenesisCare and handles your data in accordance with our policies and procedures. In these circumstances a data processing agreement will be in place between the Consultant and GenesisCare and this privacy notice applies.
Your Consultant may also work with other healthcare providers from whom you may also be receiving services. You should refer to the privacy notice of these providers for details on how they process your Personal Data.
This is a team of medical Consultants who will discuss a treatment plan for you via the GenesisCare eMDT platform (developed and supported by our processor, Context Health). You will be referred to Consultants in your specialist reference group who will have access to your medical data, to include the diagnostic images held on the radiology system and your health record. Consultants working together in the eMDT will discuss your case to achieve the best possible outcome. The outcome will be shared with the referring Consultant.
All eMDT Consultants sign a strict privacy agreement as a condition of participating and are bound by confidentiality rules. Your data will be held on the eMDT platform for one year and a day and thereafter deleted. You will also be added to our electronic medical record where it is held in line with national best practice on records retention. Data processed for the purposes of the eMDT, along with outcome information, is jointly controlled by GenesisCare and the clinical collaborating participants and a joint controller arrangement is in place between the parties.
We may share data with healthcare providers and charities to jointly support your healthcare and treatment. This will be subject to a joint controller arrangement. Such a joint controller arrangement will set out our respective responsibilities to you with respect to:
- Our compliance with the data protection law generally
- Our responsibilities for dealing with your rights as data subjects
- Our respective duties for provision of information to you
Where joint controller relationships exist, for example with your consultant and where you wish to be referred to additional, supporting healthcare services including Penny Brohn, both parties must comply with data protection standards and both are responsible for addressing your rights and freedoms.
If you want to find out more about the joint controller arrangements GenesisCare has in place for handling your information please contact our DPO.
Where the cost of your treatment and care is covered by insurance, we share your information with your insurer or the administrator of the applicable scheme of insurance. Both GenesisCare and your insurer are controllers of this Personal Data. This means that each of us individually may determine the means and the purpose of any processing of the information we hold.
Generally, we share information to allow each other to exercise our rights or comply with our obligations under the healthcare services arrangement we have in place, and in the case of the insurer, to manage claims and administer the schemes for insured members.
Specifically, your information may be used in the following shared activities:
- The provision of clinical quality information
- The pre-authorisation of treatment on your behalf
- Invoicing for services provided
- The notification of any serious incidents
- Assisting and cooperating in the investigation of any member complaints
- Allowing your insurer to inspect and audit our facilities
Your insurer is only allowed to process your data for insurance purposes, i.e. managing the policy and any claims. Where your insurer wishes to see the information we hold about you for any other purpose, you will need to provide your consent to your insurer for your insurer to receive this information.
You may exercise your rights against either GenesisCare or your insurer where we are both controllers of the same information for the same processing purpose.
Where we independently hold further information, or process information for purposes in addition to the shared purposes stated above, you should direct any communication concerning your rights to the applicable holder/processor of your information.
The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to the local health protection team or Public Health England.
We make notifications to Public Health England and other statutory bodies in compliance with our legal obligations and where necessary to protect the vital interests of individuals.
This processing is necessary for reasons of public interest in the area of public health such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare on the basis of UK law.
National Cancer Registration and Analysis Service
If you have been diagnosed with cancer, GenesisCare will provide information about you and your cancer to the National Cancer Registration and Analysis Service (NCRAS) which promotes research, monitoring and improvement of cancer care. If you wish to request that your details are not included on the Register or have your information removed you should contact the National Disease Registration Service directly by email to ndrsoptout@nhs.net. Further information has been provided to you in the Public Health England leaflet ‘Cancer Registration – what it is, the benefits of being on the register and your options’.
Private Healthcare Information Network
We are bound in law to send identifiable data to the Private Healthcare Information Network (PHIN) about the private patients we treat with radiotherapy. PHIN collects and publishes information about the activity and performance of healthcare providers and doctors providing private care and has its own privacy notice. Whilst the information we are obliged to provide includes some of your Personal Data, PHIN cannot identify you from it for although your NHS number is included, PHIN does not have access to any patient systems. Any information that is published by PHIN will always be in an anonymised statistical form.
We are required to provide PHIN with information related to your treatment, including your:
- National Health Service (NHS) number, or in the case of patients from outside the UK, a suitable equivalent identifier e.g. passport number
- Your age
- Your gender
- Your ethnicity or race
- Your diagnosis (what you are receiving treatment for)
- Other data about your state of health
- The procedure you have undergone
- The date you came into hospital, and the date you left
- Your postcode.
Under the Acute Data Alignment Programme (ADAPt) you can choose whether or not to allow PHIN to share your NHS number with NHS England. We will ask you at registration if you wish to opt-out of this sharing and if you change your mind at any time please let us know.
Further information about how PHIN uses information is available at www.phin.org.uk. We will be happy to print a copy for you if you prefer.
National Radiotherapy Dataset
We are required to send a radiotherapy dataset to the NHS Trust where treatment is funded by the NHS; the Trust will then forward this data on to NHS England.
The purpose of this collection is to support consistent data and inform the planning, provision and commissioning of radiotherapy services.
Other national data collection
We may collect and share data without your consent provided that the particular audit registry or data collection has received statutory approval, or where the information will be provided in a purely anonymous form, otherwise your consent will be needed. Where your consent is required, the registry organisation may have consent processes of their own, otherwise we will seek consent from you.
We may also share your Personal Data with the third parties listed below for the purposes identified within this privacy notice.
- A doctor, nurse, carer, pharmacist, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests including genetic tests, or other healthcare professional involved in your care
- Other members of support staff involved in the delivery of your care, such as receptionists and medical secretaries
- Other private sector healthcare providers where you request us to do so
- Your GP
- Voluntary organisations providing on-going support
- Ancillary service providers we use to support our business. These providers are trusted partners that work with us and are authorised to use your Personal Data only as necessary to provide these services to us or to you. We require these third parties to comply with data protection law and we ensure appropriate controls are in place. We enter into written contracts with all our providers. These will include providers of:
  - Clinical, administrative and management systems
  - Clinical equipment and treatment systems
  - Clinical services, e.g. pathology providers and diagnostic providers
  - Taxi providers where transport assistance for treatment is provided for insured patients
- Government bodies and local authority departments
- Our regulators, such as the Care Quality Commission
- The police and other third parties where reasonably necessary for the prevention or detection of crime
- Our insurers
- Debt collection agencies
- Third parties to the extent required by regulation, law or court orders, supervisory authorities e.g. during the course of enquiries or investigations and statutory requests for information
- Payment card providers
- IT support services including troubleshooting, maintenance, data hosting, IT systems including communication tools
- Auditors, lawyers and tax advisors
- Bank and auditors for financial reconciliation purposes.
We may communicate with these third parties in a variety of ways including, but not limited to, email, post and telephone.
National data opt-out programme
The national data opt-out puts into effect the opt-out model proposed by the National Data Guardian and enables patients receiving NHS funded care to choose how their confidential patient information is used for purposes beyond individual care such as research and planning, with some exceptions.
Where the national data opt-out applies GenesisCare will comply with the programme.
Further information, including the scope of the national data opt-out programme, can be found at https://digital.nhs.uk/services/national-data-opt-out-programme.
7. Birmingham Prostate Clinic patients
Birmingham Prostate Clinic (BPC) is a wholly owned subsidiary of Genesis Cancer Care UK Limited (GenesisCare). It is a supplier of professional medical administrative services which support individual Consultants to provide high quality patient care.
This Privacy Notice applies to those who are in contact with the BPC administrative staff.
We will usually collect data directly from you, or from a relevant third party, such as your Consultant or other healthcare provider.
BPC, in the Consultant-support role, has the data protection role of processor and the administrative staff will manage communications, arrange appointments, maintain medical records, etc.
The controllers of your healthcare data will generally be those providing treatment, i.e. your Consultant and the healthcare provider you are referred to. These controllers will be able to supply you with their Privacy Notice.
BPC will be a joint processor of Consultants’ data with its parent company, GenesisCare, in relation to complaints relating to the administration services provided by BPC – please refer to the section Complaints.
8. Consultants with practising privileges
This Privacy Notice applies to all Consultants who have considered being granted, or who have been granted, practising privileges with GenesisCare and it provides the detail of the information we collect, why it is needed, the lawful basis for processing it and who it will be shared with during the course of the professional relationship between us and after this relationship has ended.
We will usually collect data directly from you, or from relevant sources as described below.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
If you are a candidate for Practising Privileges: Name, contact details, event invitation, attendance details, events management details e.g. dietary and accessibility requirements, requests to ‘opt-out’ to invitations, your request to join GenesisCare | With your agreement: – To support marketing, engagement activities, events/conferences, education, collaboration – To ensure we follow your instructions if you ask us not to call or contact you again in relation to marketing activities | – 6(1)(f) Legitimate Interest in discussing your participation in GenesisCare business opportunities – 6(1)(f) Legitimate Interest in ensuring we do not send you further information | – Service and Market Development Team – Marketing Team (administration purposes) – Quality Team (PP administration) |
If you apply for Practising Privileges: Name, address, personal e-mail address, telephone number(s), date of birth, work history and experience (e.g. CV), your preferred name, nationality (and if relevant, role, salary expectation, gender, ethnicity), qualifications, professional membership, statutory and voluntary registration details, training and development, Certificates of Continued Professional Development (and, if relevant ICO number, GMC number); admin spreadsheet holding follow-up actions, medical advisory committee notes | – For communications and relations with you and to send related information, e.g. during the onboarding process – To support the decision about your application – To ensure you have and continue to have the appropriate skills, knowledge, qualifications and/or professional registrations required for your role, including those that are required by law – To progress and enter into and administer a contract with you – To keep accurate records – For equal opportunities monitoring | – 6(1)(c) Legal Obligation o Employment Rights Act 1996 – 6(1)(f) Legitimate Interest in assessing an applicant's suitability for the role at GenesisCare – 6(1)(f) Legitimate Interest in maintaining accurate records | – People & Culture Team – Quality Team – Hiring Manager/s or Marketing Development Manager and/or Centre Leader For validation purposes – Educational, training and academic bodies – UK Visas and Immigration – Relevant regulatory bodies |
The following assurances will be initiated by GenesisCare: – identity check – right to work check – disclosure barring service (DBS) certificate where a condition of employment (details will depend on the level of the check according to role; note that GenesisCare as a regulated activity provider also has ongoing referral obligations to the DBS in certain instances) – application for references from a third party: GenesisCare will receive a report and retain the information provided – DBS supporting detail provided by you | – To make safer recruitment decisions – To ensure the security, protection and safeguarding of our staff, doctors, patients and visitors – Risk management – Due diligence | – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 (‘fit and proper’ regulations) o Police Act 1997 o Safeguarding Vulnerable Groups and Adults 2006 (Prescribed Information) Regulations 2008 | – People & Culture Team – Quality Team – Hiring Manager/s and/or Centre Leader – Third party contracted screening service – DBS |
If your application for Practising Privileges is successful: documentation to include application for work information (as outlined above) and additionally: practice scope and suitability, insurer and/or professional indemnity details, private work rejection information, medical secretary and/or other support staff details, next of kin, letter of agreement (signed) and related documentation to support the arrangements; payment details, e.g. bank details, billing alerts | – To provide a formal, legally binding agreement for Practising Privileges – For the health and safety of patients and staff – To keep records about relevant arrangements – For collaboration between GenesisCare colleagues and individuals you have engaged independently – To pay you | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Health and Safety at Work Act 1974 – 6(1)(f) Legitimate Interest in maintaining records and supporting good employment practice | – Service and Market Development Team – Quality Team – Centre Leader – People & Culture Team and/or Finance depending on arrangements |
Your marketing preferences | – To provide you with materials and information you have requested and to manage your account whilst at GenesisCare | – 6(1)(f) Legitimate Interest in maintaining records about marketing preferences | – Your account manager in the Service and Market Development Team |
Work contact details, typically name, job title, work email, work address, work telephone number | – So that others know who you are and can contact you, e.g. GenesisCare workers, healthcare professionals, suppliers, patients and any other party we share information with for our business purposes | – 6(1)(b) Contract – 6(1)(f) Legitimate Interest in providing methods of communication and manage our resources to include staff headcount and office allocation | – Your colleagues (internal directory) – Patients where relevant – Externally facing webpages and publications |
Details of equipment and facilities provided to you, e.g. IT access, IT applications which will include security software and associated data collection, mailbox and emails held in the mailbox, building access and car parking provision | – To provide you with appropriate tools, facilities, access and support so that you can carry out your role effectively – To protect the GenesisCare network, see ‘Data collection in Intune’ (Microsoft Intune, Microsoft Learn) | – 6(1)(f) Legitimate Interest in providing you with the tools you require to complete work tasks and to protect access and data | – Your Manager and/or Centre Leader – Relevant IT and facilities staff (may be a contracted third party organisation) |
User authentication data such as your usernames and email address | – To allow you to access GenesisCare network, corporate email system and company directories, and various systems – To monitor use and adherence to policy and procedures | – 6(1)(b) Contract – 6(1)(f) Legitimate Interest in managing infrastructure, business continuity, cyber-risk, etc. and making improvements | – Your colleagues – IT Service Team (may be a contracted third party organisation) |
Revalidation detail signed by NHS Trust or Clinical Supervisor | – To comply with legal obligations – For the health and safety of patients and staff – For record keeping and collaboration between GenesisCare colleagues and individuals you have engaged independently | – 6(1)(c) Legal Obligation o Medical Act 1983 o General Medical Council (Licence to Practise and Revalidation) Regulations 2012 – 6(1)(f) Legitimate Interest in ensuring that you are keeping skills and knowledge up to date and are fit to practise | – Quality Team – Chief Medical Officer – Centre Leader |
Policy and procedures: confirmation that you have read and understood the requirements, e.g. health and safety | – To confirm you have read and understood our policies and procedures – For audit purposes | – 6(1)(b) Contract – 6(1)(f) Legitimate Interest in maintaining records | – Your Manager and/or Centre Leader – Quality Team |
Patient medical record referencing you, e.g. name, email address, professional opinion, details of treatment given (if relevant) | – To comply with the requirement for medical record keeping by treating physicians and healthcare professionals – To participate in the Private Healthcare Information Network (PHIN) programme enabling patients to compare privately funded healthcare (both hospitals and consultants). | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 – 6(1)(f) Legitimate Interest in supporting programmes which aim to monitor and improve patient treatment and outcomes | – Other relevant healthcare professionals – Quality Team – Business Intelligence Team – Care Quality Commission, PHIN and other relevant statutory bodies – May include contracted third parties for maintenance purposes |
Research related information: details likely to include name and work contact details, details of treatment given, CVs etc. for clinical trial feasibility studies | – For clinical medical studies and trials | – 6(1)(f) Legitimate Interest in supporting programmes which aim to monitor and improve patient treatment and outcomes – 6(1)(a) Consent | – Research and Development Team – Sponsors – Trial partners – Research centres – Other healthcare professionals |
Subject access request or other individual right made by a data subject or their representatives where you are identified as a relevant healthcare professional | – To comply with a data subject rights requests in circumstances where it is reasonable in all the circumstances to disclose your information – To maintain records of the Right of Access | – 6(1)(c) Legal Obligation o UK GDPR and Data Protection Act 2018 | – Centre Leader – IG Team – Data Protection Officer – Data subject – Data subject’s representative, if applicable |
Subject access request or other individual right made by you or your representative to GenesisCare | – To comply with your data subject rights request – To maintain records of the Right of Access | – 6(1)(c) Legal Obligation o UK GDPR and Data Protection Act 2018 | – People & Culture Team – Your Manager and/or Centre Leader (to provide the information required) – IG Team – Data Protection Officer – Your representative, if applicable |
Termination of role (the ending of your relationship with GenesisCare) | – To terminate the arrangements and manage any post contract requirements | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Safeguarding Vulnerable Groups and Adults 2006 (Prescribed Information) Regulations 2008 | – Centre Leader – Quality – Chief Med Officer – Service and Market Development Team – People & Culture Team – IT Service Team (may be a contracted third party organisation) – Marketing (to remove any website detail) – Where relevant, the DBS (where certain conditions are met; see ‘The legal duty to refer to DBS’, GOV.UK) |
Disciplinary procedure details, grievance procedure details and tribunal details | – To ensure a full, fair and thorough process is followed for each case – To conduct investigations and keep a record of discussions and any formal action taken – To encourage improvement on an individual’s standard of behaviour – To respond to legal claims, e.g. accident at work | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Safeguarding Vulnerable Groups and Adults 2006 (Prescribed Information) Regulations 2008 o The legal duty to refer to DBS (GOV.UK) – 9(2)(b) Employment – In addition we rely on the DPA2018 processing condition at Schedule 1 part 1 paragraph 1 – 9(2)(f) Legal claims and judicial acts | – People & Culture Team – Quality Team – Manager and/or Centre Leader – Any third parties representing you If relevant: – Representation for either party – Police, regulatory bodies, DBS, social services etc. – Medical Advisory Committee |
9. Clinical external individuals, visiting doctors and clinical students
This Privacy Notice applies to Clinical External Individuals, Visiting Doctors and Clinical Students who have a working relationship with GenesisCare and it provides the detail of the information we collect, why it is needed, the lawful basis for processing it and who it will be shared with during the course of the professional relationship between us.
We will collect data directly from you, or from relevant sources as described below.
Clinical External Individuals, e.g. Surgeons, GP Practice Managers
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Name, contact details, event invitation, attendance details, events management details e.g. dietary and accessibility requirements If relevant: your medical secretary’s name and work contact details | With your agreement: – To support marketing, engagement activities, events/conferences, education, collaboration | – 6(1)(f) Legitimate Interest in sending you information about events which are similar to services you have enquired about or received, or where you are a healthcare worker, with a common, professional interest in our services and we are not using your Personal Data in ways that you would not expect | – Marketing Team |
Requests to opt out of invitations | – To ensure we follow your instructions if you ask us not to call or contact you again in relation to marketing activities | – 6(1)(f) Legitimate Interest in ensuring we do not send you further information | – Marketing Team (administration purposes) |
Visiting doctors and clinical students
Request form for attendance; name, address, university or hospital, placement information, email contact, approval detail, personal emergency contact, university emergency contact, signed confidentiality agreement, DBS Certificate for longer term students | – To progress an application for a placement – To maintain accurate records | – 6(1)(f) Legitimate Interest in supporting medical students and doctors in training – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 (‘fit and proper’ regulations) o Police Act 1997 – In addition we rely on the DPA2018 processing condition at Schedule 1 part 1 paragraph 1 | – Manager and/or Centre Leader – People & Culture Team – GenesisCare student/visitor placement approver |
Equipment and other facilities provided to you, such as a laptop, telephone or other device, IT access, mailbox and emails held in the mailbox, building access and car parking provision | – To provide you with appropriate tools, facilities, access and support so that you can carry out your role effectively | – 6(1)(f) Legitimate Interest in providing you with the tools you require to complete work tasks | – Your Manager and/or Centre Leader – Relevant facilities staff (may be a contracted third party organisation) |
User authentication data such as your usernames and email address | – To allow you to access GenesisCare network, corporate email system and company directories, and various systems – To monitor use and adherence to policy and procedures | – 6(1)(b) Contract – 6(1)(f) Legitimate Interest in managing infrastructure, business continuity, cyber-risk, etc. and making improvements | – Your colleagues – IT Service Team (may be a contracted third party organisation) |
10. eMDT collaboration
This Privacy Notice applies to Health Care Professionals who are given access to the eMDT platform and the MDT meetings.
We will collect data directly from you.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Your details, e.g. name, telephone number and email address; Terms of Reference, MDT operational policy, joint-controller policy, confidentiality agreement and relevant training information, standard operating procedure (online); professional opinions on treatment | – So that we can invite you to provide your expertise, either individually or in collaboration with other consultants, in the treatment of patients – To document the formal arrangements between GenesisCare and the eMDT participants – To support clinical record keeping | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 – 6(1)(f) Legitimate Interest in retaining your details where you have participated in patient discussion | – Other relevant healthcare professionals – eMDT Administrators – Care Quality Commission and other statutory bodies as required – May include contracted third parties for maintenance purposes |
11. Webinar participants
This Privacy Notice applies to those who register for and/or attend one of our webinars or virtual events.
We will collect data directly from you, or your nominated spokesperson if you have someone acting on your behalf, or through the technology which applies to this processing.
If you attend you may need to sign-up to the specific software through which the webinar or virtual event is provided (such as Zoom or Microsoft Teams), and for your use of their service, they will be the data controller. To find information about how they process your Personal Data, please see their privacy information (e.g. for Zoom at https://zoom.us/privacy or Microsoft Teams at https://privacy.microsoft.com/en-us/privacystatement).
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Name, contact details such as email address, event invitation, attendance details, certification details, e.g. CPD | With your agreement: – To inform you about upcoming webinars that may be of interest to you – To support awareness, education and promotion of services and treatments available at GenesisCare and our partner – To circulate the link to the recording once the webinar has concluded | – 6(1)(f) Legitimate Interest in sending you information about available webinars and/or virtual events which are similar to services you have enquired about or received, or where you have a common, professional interest in our services and we are not using your Personal Data in ways that you would not expect | – Facilitator of the event – Marketing Team |
Requests to opt out of invitations | – To ensure we follow your instructions if you ask us not to call or contact you again in relation to marketing activities | – 6(1)(f) Legitimate Interest in ensuring we do not send you further information | – Marketing Team (administration purposes) |
Recording of the webinar: if you present, pose a question or observation your image and audio will be captured in the recording and may be published on our website and social media channels | – To provide access to a wider audience. Please tell the Facilitator ahead of the Webinar if you do not wish to be recorded. | – 6(1)(a) You have given consent to the processing of your Personal Data by expressing an interest in attending a webinar | – Facilitator of the event – Marketing Team If relevant: – Third party service providers under contract |
Feedback requests, questionnaires and/or surveys after the webinar or virtual event | – To establish how useful and/or well the webinar or virtual event fulfilled its objectives | – 6(1)(f) Legitimate Interest in developing and improving our presentations | – Facilitator of the event – Marketing Team – Relevant clinical teams |
12. Research project or clinical trial participants
GenesisCare participates in research and development to support the generation of new knowledge in medicine, measure effectiveness of interventions, to support the development of technological and medical innovations and to improve healthcare services and patient outcomes.
This privacy notice applies to anyone participating in research or clinical trials at or with GenesisCare. This may mean we will collect Personal Data about:
- GenesisCare patients who participate in our research and trials
- Doctors, nurses and other staff involved in the recruitment, diagnosis, and treatment of participants taking part in our research and trials
- In-house specialist staff such as legal or information governance and staff from other organisations involved in the projects, which may include panels and oversight committees
- External individuals such as self-employed contractors and investigators
If you are a patient, you will have a choice about taking part in a research project or clinical trial, and your treatment and care will not be affected if you do not wish to consent.
We obtain your Personal Data directly from you, or, if you are a patient, through the parties involved in the research or trial.
Research projects
Research is usually sponsored by companies developing new medicines or medical devices, by NHS organisations, universities or medical research charities. Healthcare research requires Health Research Authority approval and strict rules apply. The research sponsor will usually be the controller of your data and GenesisCare will act as a processor.
It is up to the sponsor to decide what information will be collected for the study and how it will be used. You will be provided with a privacy notice explaining this, along with details of the lawful basis for collecting the data, who will have access to your data, and whether your data is planned to be shared with other people for other health or care research projects.
Your Personal Data will normally be accessed by people working on the project. They will use your data to answer the questions of the research project, and to check that the project is being run properly.
Patient medical (special category) data will be pseudonymised.
Your fully anonymised information will be used to produce answers to the research questions and these will be presented at conferences and published in medical journals so that we can explain to the medical community what our research results have shown.
Where projects have received statutory approval, consent may not be required to use your Personal Data. Controllers are required to comply with the National Data Opt-Out where appropriate.
In all circumstances we share data under a legally binding contract and researchers are bound by data protection legislation and confidentiality clauses.
Clinical trials
Clinical trials typically explore new treatments or procedures. The research data collected can help to find out if your current treatment can be improved.
When you join a clinical trial, the research team needs to know certain things about your medical history. This may include blood test results, scan results, details about the cancer and information about any treatment you have had. This information helps establish whether you are suitable to take part in the trial and supports analysis of results.
The trial team will tell your GP that you are taking part in the trial. They will include information about the treatments you are having and the possible side effects and this will also be recorded in your GenesisCare medical notes.
Where GenesisCare is the controller of the data
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
If you are a patient: Name, contact details, your consent, information about you in relation to the project or trial including medical detail, details of treatment given | With your consent: – For clinical medical projects and trials | – 6(1)(c) Legal Obligation o Medicines for Human Use (Clinical Trials) Regulations 2004 o UK GDPR and Data Protection Act 2018 – 6(1)(f) Legitimate Interest in improving patient treatment and outcomes – 9(2)(j) Scientific or Historical Research and archiving – 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 Part 1 conditions 1, 2 and 4 and Part 4 condition 39 | – Research and Development Team – Sponsors – Trial partners – Regulators – Auditors – Research centres – Other healthcare professionals – GenesisCare treatment Team |
If you are a participant (not a patient): Name, surname, e-mail address, role of staff involved in the project; sponsor staff data and documents e.g. protocol, certification, letters, signed authorisations, reports, privacy notices | – To maintain accurate records | – 6(1)(c) Legal Obligation o Medicines for Human Use (Clinical Trials) Regulations 2004 – 6(1)(f) Legitimate Interest in recording the results of the research or trial | – Research and Development Team – Sponsors – Trial partners – Regulators – Auditors – GenesisCare Treatment Team |
13. Candidates
The recruitment process is managed by the Talent Acquisition team, who form part of the People and Culture Department (our in-house human resources service). This Privacy Notice applies to all those who apply to work for or with GenesisCare.
We will collect data directly from you or, if you use one, from a recruitment agency acting on your behalf.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Supplied by a recruitment agency or by you: Name, address, personal e-mail address, telephone number(s), date of birth, work history and experience (e.g. CV), your preferred name, nationality (and if relevant, role, salary expectation, gender, ethnicity), qualifications, professional membership, statutory and voluntary registration details, training and development, Certificates of Continued Professional Development if relevant. | – For communications and relations with you during the onboarding process, which may include other vacancy opportunities – To support the decision about your application – To ensure you have and continue to have the appropriate skills, knowledge, qualifications and/or professional registrations required for your role, including those that are required by law – To progress and enter into and administer a contract with you – To keep accurate records – For equal opportunities monitoring | – 6(1)(c) Legal Obligation o Employment Rights Act 1996 – 6(1)(f) Legitimate Interest in discussing vacancy opportunities with you and assessing your suitability for the role – 6(1)(f) Legitimate Interest in retaining records provided to us to be held in accordance with our retention policy | – People & Culture Team – Quality Team – Hiring Manager/s or Marketing Development Manager and/or Centre Leader For validation purposes – Educational, training and academic bodies – UK Visas and Immigration – Relevant regulatory bodies |
The following assurances will be carried out by the GenesisCare third party onboarding services organisation: – identity check – right to work check – disclosure and barring service certificate where a condition of employment (details will depend on the level of the check according to role) – application for references from a third party. GenesisCare will receive a report and retain the information provided. | – To make safer recruitment decisions – To ensure the security, protection and safeguarding of our staff, doctors, patients and visitors – Risk management | – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 (‘fit and proper’ regulations) o Police Act 1997 – In addition we rely on the DPA2018 processing condition at Schedule 1 part 1 paragraph 1 | – People & Culture Team – Quality Team – Hiring Manager/s and/or Centre Leader – Third party screening service |
The third party onboarding services will: – arrange a standard fitness to work pre-placement health assessment, to include an eye check, in line with the Equality Act, section 60 carried out by an occupational health service – check immunisation status for clinical staff GenesisCare will receive a report and retain the information provided. | – To assess your fitness for the role – To provide any reasonable adjustments – For equal opportunities monitoring | – 6(1)(a) Consent – 6(1)(c) Legal Obligation o Equality Act 2010 o Health and Safety at Work Act 1974 – 9(2)(a) Explicit Consent – 9(2)(h) Provision of Health and Social Care, including working capacity of employees – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – People & Culture Team – Hiring Manager/s and/or Centre Leader – Your requirements may be shared with those providing support, which may include third party services |
Personality profiling details from a third party provider | – To review your personal attributes, values and life skills to maximise your job performance and contribution to the company | – 6(1)(f) Legitimate Interest in providing the opportunity for you to develop in the workplace | – People & Culture Team – The profiling provider will seek and hold your consent for the profiling and the release of the report to GenesisCare |
Interview documents, notes, letters, correspondence between relevant internal staff and the Talent Acquisition Team and you, notification as to whether your application has been successful or unsuccessful | – To keep records about the application – To communicate with you | – 6(1)(f) Legitimate Interest in maintaining records relating to the application | – People & Culture Team – Hiring Manager/s and/or Centre Leader |
If you are successful: Offer letter, contract for employment or other arrangements (please refer to the Privacy for Staff for further detail) | – To offer you employment | – 6(1)(f) Legitimate Interest in providing a formal, legally binding agreement | – People & Culture Team – Hiring Manager/s and/or Centre Leader |
Subject access request or other individual right made by you or your representative to GenesisCare | – To comply with your data subject rights request – To manage and keep records of the Right of Access | – 6(1)(c) Legal Obligation o UK GDPR and Data Protection Act 2018 | – People & Culture Team – Your Manager and/or Centre Leader (to provide the information required) – IG Team – Data Protection Officer – Your representative, if applicable |
14. Insurers
This privacy notice is for the insurers we liaise with in relation to the clinical services we offer patients.
We will collect information:
- Acquired in the framework of our cooperative relationship
- From publicly accessible sources (such as the internet)
- From third parties (legitimately obtained or transmitted to us).
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Your personal or business name, address and contact details (e.g. postal and email address and phone number) | – To contact you – To commence, execute and terminate the cooperative relationship between us | – 6(1)(b) Contract – 6(1)(f) Legitimate Interest in being able to contact you and conduct business | – Relevant GenesisCare Managers – Relevant GenesisCare Teams (may include P&C and Finance) – Relevant regulatory bodies – Service providers with whom we have data processing relationships under contract |
15. Shareholders
This Privacy Notice applies to you if you are an individual and a current or former registered shareholder of GenesisCare.
We will collect data directly from you, or from other third parties engaged to carry out services on our behalf, for example details provided via a third party share registrar service website or share transfer services.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Your personal or business name, address and contact details (e.g. postal and email address and phone number), bank account details, details of shares held, shareholder reference number, voting instructions, corporate action elections, date of death | – To contact you and make shareholder meeting materials available to you – To manage your shareholding and keep your record on the shareholder register up to date – To allow you to exercise your rights as a shareholder | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Companies Act 2006 – 6(1)(f) Legitimate Interest in being able to contact you, to conduct shareholding business and to comply with regulatory finance requirements | – Relevant GenesisCare Managers and Teams (may include P&C and Finance) – Regulatory bodies e.g. HMRC and DWP – Supervisory authorities e.g. the stock exchange – Limited data: insurers, auditors and bank – Service providers with whom we have relationships under contract including shareholder services |
16. Data sharing
We have provided specific data sharing details in the relevant section of this privacy information based upon the relationship we have with you.
The table below provides additional, more general information about data sharing which may take place.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Personal information to facilitate the prevention and detection of fraud or crime | – For law enforcement purposes | – 6(1)(c) Legal Obligation o UK GDPR and Data Protection Act 2018 | – The police – Other relevant third parties – Our insurers |
Audit, statistical, financial information | – To comply with our financial obligations – For management, monitoring, audit purposes – Due diligence | – 6(1)(c) Legal Obligation o UK GDPR and Data Protection Act 2018 o Statutory Auditors Regulations | – Our auditors – Professional or statutory regulatory bodies if relevant – Directors, shareholders – Relevant GenesisCare Managers |
Clinical audit detail | – As required by our regulatory bodies | – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 o CQC regulations – 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 | – Professional or statutory regulatory bodies – Relevant GenesisCare Managers and clinical auditors |
Details relating to mergers, acquisitions and divestitures, or to enforcing or defending our legal rights | – To preserve the legal and other interests of GenesisCare | – 6(1)(c) Legal Obligation o e.g. Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) o e.g. Digital Markets, Competition and Consumers Act 2024 – 6(1)(f) Legitimate Interest in managing our legal and other interests | – People & Culture Team – Relevant GenesisCare Managers – Relevant third party organisations |
IT related information which may be personal to you | – To respond to troubleshooting requests, to apply fixes and to perform maintenance | – 6(1)(f) Legitimate Interest in supporting your connection to our IT framework | – IT Service Team (may be a contracted third party organisation) |
Sharing without your consent
Sometimes we may be required to share your information without your consent, for example:
- Where there is a serious risk of harm or abuse to you or other people
- Where disclosure is necessary to safeguard an individual
- Where disclosure is in the public interest
- Where there is a legal requirement, such as with HM Revenue and Customs.
17. Individual rights
Under data protection law you have a number of specific rights in relation to the Personal Data that we hold about you.
There are special rules about how these rights apply to health information as set out in legislation including the Data Protection Act as well as any secondary legislation which regulates the use of Personal Data.
Further detail can be found on the ICO website under ‘Your data protection rights’.
Please note that we do not have to comply with any requests that are ‘manifestly unfounded or excessive’. This applies where you request more information than you need or where you make a large number of requests. Alternatively, we can charge for responding.
To make a request please contact the Data Protection Officer, at DPO@genesiscare.co.uk or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer” or telephone 07841 207263.
We will not usually charge for handling a request to exercise your rights. If we cannot comply with your request to exercise your rights we will usually tell you why. Unless there are grounds for extending the statutory deadline, we will respond within one month of receipt of a rights request.
The right to be informed
You have a legal right to ask an organisation: what, if any, personal information it holds about you, where it came from, why it is needed, the lawful basis for processing it and who it is shared with.
This Privacy Information provides you with this detail.
The right of access to your Personal Data
You have the right to see the information held about you and to be given copies of it. This includes both digital and paper records.
When you ask for information, please be as specific as possible as this will help us to give you the fastest possible reply. We will usually provide you with your Personal Data in writing unless you request otherwise. If you have made the request electronically (e.g. by email) the Personal Data will be provided to you electronically where possible.
There are some specific situations where you may not always receive all the information we process. These include:
- If the data includes third-party information, for example, if your request involves another person’s Personal Data and it would not be fair to that person to provide it to you
- If your request is manifestly unfounded or excessive (see ‘Additional notes’ section below)
- If sharing it would likely cause serious harm to you or another person
- If sharing it would make preventing crime or prosecuting criminals harder for the police.
If we withhold information from you for one of these reasons, we will explain why.
The right to rectification
Please let us know if information we hold about you is incorrect, incomplete or has changed. We aim to ensure that your information is accurate and up-to-date.
The right to restriction of processing
This right applies where we have processed the data unlawfully, where the accuracy is being disputed and/or if objections to legitimate interest grounds have been raised.
Where you have a right to suppress the processing of Personal Data we are permitted to store just enough information about you to ensure that the restriction is respected in future. An example of this is where you have requested that we remove you from our mailing list.
We retain the right to continue to process in relation to the establishment, exercise or defence of legal claims or for reasons of important public interest.
The right to erasure
This is also known as the right to be forgotten. Where either consent or legitimate interests is the lawful basis, you have the right to request that we delete the Personal Data we hold about you. The broad principle underpinning this right is to enable you to request the deletion or removal of Personal Data where there is no compelling reason for its continued processing. If we have disclosed the Personal Data in question to third parties, we will inform them about the erasure of the Personal Data, unless it is impossible or involves disproportionate effort to do so. However, there are exceptions to this right. For example, we can refuse to delete your Personal Data if we need to keep it for tasks which are in the public interest, or for establishing, exercising or defending legal claims. If you make such a request and we comply with it, please be aware that we will retain a note of your name, the request made and the date we complied with it.
The right to data portability
Where you have provided the information to us, and where the processing is being carried out by automated means and based on your consent or pursuant to the performance of a contract with you, you have the right to obtain the information that GenesisCare processes about you and use it for your own purposes. This means you have the right to receive the Personal Data or where it is technically feasible, have the information transferred to an individual or organisation of your choice, and the information must be provided by us in an electronic format.
The right to object
You have the right to object to processing where the lawful basis is legitimate interests or a task in the public interest. This includes processing for direct marketing (including profiling) and processing for the purposes of scientific or historical research or statistical purposes. The objection must be on grounds relating to your particular situation.
The right not to be subject to automated decisions
This relates to decisions that are made about you by computer alone and that have a legal or other significant effect on you. GenesisCare does not carry out automated decision-making in relation to patients. If our policy in this respect changes, we shall update this privacy notice.
Your right to withdraw consent
In some cases to comply with data protection legislation we need your consent in order to use your Personal Data. Where we rely on this, you have the right to withdraw your consent to our continuing and further use of your Personal Data. You can do this by getting in touch with the relevant contact at GenesisCare or our DPO.
18. Complaints Process
A data protection complaint is any expression of dissatisfaction about how we have handled your Personal Data.
Examples of such complaints might include concerns that Personal Data has not been handled securely, that information has not been obtained fairly, you have had difficulties in accessing your personal information, you have had difficulties in exercising a right under the UK GDPR and the Data Protection Act or that Personal Data has been retained for longer than was necessary.
If you have a complaint about the way we have handled your Personal Data it would be very helpful if you could provide us with as much detail as possible.
Please contact the Data Protection Officer, at DPO@genesiscare.co.uk or write to GenesisCare, 69 Alma Rd, Windsor SL4 3HD, marking your communication “Private and Confidential – FAO GenesisCare Data Protection Officer” or telephone 07841 207263.
The DPO will:
- Log your complaint and acknowledge receipt within five days of receipt
- Consider the initial scope of the request
- With the information governance team:
o Undertake any necessary investigations
o Review the information collated to ensure all appropriate information has been disclosed subject to any lawfully withheld/exempt information
- Respond directly to you within thirty days; where it is not possible to meet the calendar month deadline, you will be advised and an alternative timescale notified.
We will collect information about the complaint directly from you, or your nominated spokesperson if you have someone acting on your behalf. We may find it necessary to access your Personal Data in order to investigate and respond to the complaint (limited to the extent necessary and relevant to the subject-matter). We may also collect data from third parties where relevant.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Name and contact details | – To establish information in relation to how best to respond to your complaint | – 6(1)(f) Legitimate Interest in being able to respond appropriately to complaints and issues | – Centre Leader and/or Manager at your location – Data Protection Officer – Information Governance Team |
Information and correspondence relating to the complaint; if relevant to the complaint, other Personal Data and special category data | – To investigate and respond to the complaint – To keep a record of discussions, any formal action taken and to manage compliance and audit requirements | – 6(1)(f) Legitimate Interest in being able to manage the complaint and exercise or defend our legal rights – 6(1)(c) Legal obligation o UK GDPR and Data Protection Act 2018 – 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 condition 1 – 9(2)(f) Defence of legal claims | – Legal Counsel – Data Protection Officer – Information Governance Team – P&C Lead If relevant: – The Police – Professional or statutory regulatory bodies – Independent adjudicator – Other individuals involved in the complaint – Insurers – Legal advisors |
19. Incidents and accidents
As part of the health and safety process we will process Personal Data where an incident or accident occurs. This includes a data breach.
We will collect data directly from you, or your nominated spokesperson if you have someone acting on your behalf. We may find it necessary to access your Personal Data in order to investigate and respond to the incident or accident (limited to the extent necessary and relevant to the subject-matter). We may also collect data from third parties where relevant.
The data we will handle | Why it is needed | The lawful basis for processing it | Who it will be shared with |
---|---|---|---|
Name and contact details | – To contact you to establish how best to respond to the incident or accident. | – 6(1)(c) Legal obligation o e.g. RIDDOR 2013, CQC regulations o UK GDPR and Data Protection Act 2018 – 6(1)(f) Legitimate Interest in being able to respond appropriately to complaints and issues | – Centre Leader and/or Manager at your location |
Details of the incident, accident, adverse event, or near miss, relevant supporting data and correspondence, reports; if relevant to the incident, other Personal Data and special category data | – To record the nature of the incident or accident – To document discussions, investigations and action taken – To manage audit and compliance requirements – To comply with legal and regulatory obligations – To record visits to sites for Health and Safety reasons | – 6(1)(b) Contract – 6(1)(c) Legal Obligation o Health and Social Care Act 2008 o Employment Rights Act 1996 o Health and Safety at Work Act 1974 – 6(1)(f) Legitimate Interest in providing a safe environment and assurance to our staff and the public – 9(2)(b) Employment – 9(2)(h) Provision of Health and Social Care – In addition we rely on the DPA2018 processing condition at Schedule 1 part 1 paragraph 1 | – Manager and/or Centre Leader – Relevant staff at the location – Relevant Teams e.g. P&C, Quality, IG If relevant: – The Police – Professional or statutory regulatory bodies – Other involved individuals or witnesses – Health and Safety Executive – Insurers – Other service providers – Legal advisors |
Details of a data breach | – To comply with GenesisCare policy and legal and regulatory obligations | – 6(1)(c) Legal Obligation o UK GDPR and Data Protection Act 2018 – 6(1)(f) Legitimate Interest in monitoring data breaches so that improvements can be implemented | – Manager and/or Centre Leader – Relevant staff at the location – Relevant Teams e.g. P&C, Quality, IG If required: – Regulatory bodies, e.g. Information Commissioner’s Office |
20. Types of data
Classifying the types of data helps our organisation manage the information and apply appropriate safeguards and data access controls.
We will process each of the following types of data depending on the circumstances and where lawfully allowed to do so.
The following provides information about the types of data we will process, by level of sensitivity; the least sensitive is explained first.
Aggregate Data
- Anonymised data which has been grouped together to provide statistics.
Anonymised Data
- If data has been turned into a form which does not identify individuals, and where the risk of re-identification is extremely low, data protection legislation does not apply.
Pseudonymised Data
- This is where data has been masked so that it can no longer be attributed to a specific data subject without the use of additional information (‘the key’) which is kept separately and securely. This data type is processed as Personal Data.
Personal Data
- Information relating to an identifiable person who can be directly or indirectly identified for example by a name, an identification number, location data, date of birth, car registration number, Internet Protocol (IP) address etc.
Special Category Data
- Extra safeguards apply to the processing of this data. It is data about an individual’s racial or ethnic origin; political opinion; religious or philosophical beliefs; trade union membership; sex life or sexual orientation; health, including genetic and biometric data where it is processed to uniquely identify an individual. It does not include criminal data, which has its own safeguarding requirements.
21. UK GDPR and Data Protection Act
The purpose of the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA) is to give individuals more control over their Personal Data.
Everyone responsible for using Personal Data must follow strict rules called ‘data protection principles’. Information must be:
- Used fairly, lawfully and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
‘Special Category’ Personal Data (see the section above) requires stronger protection because it is sensitive information.
Accountability
The degree of accountability and responsibility required of an organisation which processes Personal Data is determined by the data protection roles and obligations defined in law. The following provides an overview.
Controllers
- Controllers are responsible for complying with the UK GDPR and must be able to demonstrate compliance with the data protection principles, as well as take appropriate technical and organisational measures to ensure data processing is carried out in line with the law.
- Controllers make decisions about processing activities. They exercise overall control of the Personal Data being processed and are ultimately in charge of and responsible for the processing.
Joint Controllers
- Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.
- Joint controllers decide the purposes and means of processing together – they have the same or shared purposes. Controllers will not be joint controllers if they are processing the same data for different purposes.
Processors
- Processors have more limited compliance responsibilities.
- Processors may make their own day-to-day operational decisions, but fundamentally they act on behalf of the relevant controller and therefore serve the controller’s interests rather than their own (unless required to do otherwise by law).
Responsibility for the data we process at GenesisCare
Depending on the circumstances, GenesisCare may be the controller of your data (either solely or jointly with another organisation or individual) or a data processor. We aim to make the data protection designation clear in the privacy information we provide for each category of individual.
As an overview:
- If you are a patient at GenesisCare: In most circumstances GenesisCare will be a joint controller with your Consultant
- If you are a patient at Birmingham Prostate Clinic (BPC): Your Consultant will be the controller of your data and BPC/GenesisCare will be a processor
- In circumstances where your Consultant processes your Personal Data independently from GenesisCare or where you receive health services from another healthcare organisation: Your Consultant or those organisations will be the controller of your data and you should refer to their privacy notice
- In most other cases: GenesisCare is the controller of your data.
GDPR and lawful processing
Under GDPR, GenesisCare must identify a valid lawful basis for processing Personal Data. The lawful basis depends on the specific purpose and the context of the processing, and where more than one basis applies we document each of them. This information is provided in each section of the privacy notices.
The articles which lay down the principles of lawful processing under GDPR are as follows:
Personal Data
Article | Lawful basis |
---|---|
6(1)(a) | You have given clear consent for the processing of your Personal Data for a specific purpose |
6(1)(b) | Processing is necessary for the performance of a contract we have with you, or because specific steps are required before entering into a contract |
6(1)(c) | Processing is necessary for us to comply with a legal obligation |
6(1)(d) | Processing is necessary to protect someone’s life |
6(1)(e) | Processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law |
6(1)(f) | Processing is necessary for our legitimate interests or the legitimate interests of a third party, and our interests are not overridden by your interests or fundamental rights and freedoms |
Special categories of Personal Data
Article | Condition for processing |
---|---|
9(2)(a) | You have given explicit consent to the processing of your Personal Data for one or more specified purposes |
9(2)(b) | Processing is necessary in the context of employment law, or laws relating to social security and social protection |
9(2)(c) | Processing is to protect the vital interests of an individual where consent is physically or legally incapable of being given |
9(2)(d) | Processing is carried out in the course of the legitimate activities of a charity or not-for-profit body |
9(2)(e) | Processing relates to Personal Data which you have made public |
9(2)(f) | Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity |
9(2)(g) | Processing is necessary for reasons of substantial public interest, proportionate to the aim pursued and protecting the rights of individuals |
9(2)(h) | Processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services |
9(2)(i) | Processing is necessary for reasons of public interest in the area of public health |
9(2)(j) | Processing is necessary for archiving purposes in the public interest, subject to appropriate safeguards |
When identifying the lawful basis under GDPR for Special Category Personal Data, GenesisCare is also mindful of the requirements of the DPA2018 processing condition at Schedule 1 part 1 paragraph 1 where we cite GDPR articles:
- 9(2)(b) Employment
- 9(2)(h) Provision of Health and Social Care, including working capacity of employees
- 9(2)(i) Interests of Public Health
- 9(2)(j) Scientific or Historical Research and archiving
22. Data security
GenesisCare will utilise a range of methods to process personal information. This may include communicating and sharing by email, post and telephone, and using electronic systems to store data. Sometimes we will store information on paper; this is usually for business continuity purposes and is a temporary safety measure.
In all cases we apply technical and organisational measures to ensure the personal information we handle is, and continues to remain, secure. We have implemented the following to support optimal and appropriate data protection:
- We have achieved Cyber Essentials Plus Certification
- We comply with the annual Data Security and Protection Toolkit
- A data protection impact assessment and risk analysis is carried out prior to any new or changed processing of data and a lawful basis for processing established
- We ensure robust information technology protocols are in place to include role-based access control wherever possible, encryption, authentication, remote access controls, etc.
- Physical access controls are implemented within our facilities
- Policies, procedures and guidance (e.g. relating to confidentiality, acceptable use, record management, etc.) are in place for those who work for or with us
- We conduct regular audits, to include compliance with our policies, procedures and guidance
- We ensure that staff complete our mandatory data protection training
- Anonymisation or pseudonymisation techniques are implemented wherever possible
- Legally binding agreements and contracts are in place between relevant parties
- We maintain registers of our information assets and records of processing activity
- Our Information Governance and Data Security Committee holds regular meetings; attendance includes the Data Protection Officer, Senior Information Risk Owner, Caldicott Guardian, Head of IT and Cyber Security Engineer Analyst, as well as department heads and centre leaders.
23. International transfers
Any transfer of Personal Data will be carried out securely and in line with data protection law.
GenesisCare is part of a global organisation and we (or third parties acting on our behalf) may store or process Personal Data within the GenesisCare group of companies for administrative and management purposes. This processing is based on our own or a third party’s legitimate business interests.
As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.
Where we transfer your Personal Data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your Personal Data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:
- Only transferring Personal Data to countries deemed capable of providing an adequate level of protection; or
- Implementing a UK approved legal mechanism, such as Standard Contractual clauses with UK Addendum or the UK approved International Data Transfer Agreement; and
- Adopting technical, organisational and contractual measures where required, having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.
In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:
- You have explicitly consented to the proposed transfer
- The transfer is necessary for the performance of a contract
24. Data retention
We keep your Personal Data for as long as reasonably necessary so that we comply with our legal and regulatory requirements and national best practice in line with the Records Management Code of Practice.
This means different retention periods apply to the various categories of Personal Data and/or the different purposes for which it is processed. When data reaches the end of its retention period, we carry out an assessment to establish whether to retain it further, anonymise it, or destroy it.
GenesisCare has a policy for secure destruction of data whether digital or paper, and this policy applies to any interim paper copies held for clinical safety and/or business continuity purposes.
The above applies no matter whether we are a controller, a joint controller or a processor of Personal Data.
25. Covid data
GenesisCare will always put measures in place to ensure the safety of all patients and those individuals who work for or with us.
During the pandemic GenesisCare complied with data protection obligations under the data protection legislation.
Personal Data was processed under the lawful basis 6(1)(f) legitimate interest, specifically, to control, and wherever possible, prevent the spread of infection.
Special category personal information was processed under the lawful basis 9(2)(h) provision of healthcare or treatment or the management of healthcare systems and services and in addition we relied on the DPA2018 processing condition at Schedule 1 part 1 paragraph 1.
We may also have been legally required to share Personal Data under the Notice issued by the Secretary of State under Regulation 3(4) of the Health Service Control of Patient Information Regulations issued on the 1st April 2020. The lawful basis for processing your Personal Data in these circumstances would have been 6(1)(c) compliance with a legal obligation and 9(2)(i) for reasons of public interest in the area of public health and in addition we relied on the DPA2018 processing condition at Schedule 1 part 1 paragraph 1.
If you were a patient at the time of Covid, details related to your health will be recorded on your medical record. No results information has been retained for other individuals.
26. Changes to this privacy information
The internal reference for this privacy information is IG-TEM-070
Version history:
Version | Date created | Created by | Description of change |
---|---|---|---|
1.0 | March 2025 | IG Team | New document combining individual privacy notices. |