• Your name
• Your image
• Date of birth, gender and marital status
• Your contact details, address, including email address and home and mobile telephone numbers and any communication preferences
• Your GP practice details
• Family details, lifestyle and social circumstances, where relevant to your care.
• Your chosen emergency and/or nominated contact’s name, address, contact information and any communication preferences. 
• Your funding arrangements - we will record whether you are self-funding or are covering the cost of your treatment through your private medical insurers. Where relevant, we will record details of your private medical insurance including your insurer and policy number. We will capture the cost of your treatment, the amount paid and the amount owed.

Special category data may include information about your current or previous health, your diagnoses and medications; images you had taken in the course of care or treatment; your sex life or sexual orientation, your religion, race or ethnicity and genetic information relating to you.

It may include details of health and care services provided previously by GenesisCare or by other health and care providers and include details of any medication you have been prescribed.

We may ask whether or not you have a disability for which the organisation needs to make reasonable adjustments.

We may ask for information about medical or health conditions of your family, your ethnicity and genetic data.

CCTV recording is in use at GenesisCare locations. Areas monitored by CCTV are sign-posted. The information processed can include visual images, personal appearances, movements and behaviour.

We will collect information received in response to any queries, concerns, compliments, incidents, legal requests, complaints and/or claims so that we can keep a record of discussions, investigations and any formal action taken and manage audit and compliance requirements.

We may collect information in relation to the quality of our services, for example, call recordings, surveys and feedback to ensure we provide an appropriate response and to support staff training. 

Information may be collected directly from you to support your direct care and treatment.  This information can be collected when:

• You use our services
• You correspond with us by letter, email, telephone or chatbox or via social media, including where you reference GenesisCare in a public social media post
• You take part in a survey
• You take part in our marketing activities.

To provide you with the best possible care, we collect personal data about you from other providers. These can include:

• Your NHS Number and/or GP detail from the Personal Demographic Service (PDS); we are allowed to gather this information to avoid duplicate records and for accuracy of data set submissions
• Records from other health and care providers who have previously provided treatment to you, (this can include both private organisations and the NHS)
  
• Records from your consultant (including those provided through their medical secretaries) 
• Information from other service providers who work with us in relation to diagnostics, care and treatment provided to you
• Samples and tests provided by pathology or laboratory organisations

We may collect information about you from third parties when:

• You are referred to us for health related services
• We liaise with current or former other health service and support providers
• We liaise with your emergency/nominated contact or family
• We communicate with your medical insurance policy provider
• We instruct debt collection agencies
• We communicate with government agencies such as social and welfare organisations where it is legally required for the safety of the individual concerned, for example, safeguarding
• You instruct a representative, such as a legal advisor or attorney
• You appear on CCTV, and we are a recipient of the footage

When you come to us for care and treatment, we will collect information from you in order to provide health related services and to fulfil our contract with you for the provision of the services.

Please note that failure to provide your information further to a contractual requirement with us or a consultant may mean that we are unable to register you as a patient or facilitate the provision of your health and care on the GenesisCare’s systems.

The lawful basis for processing personal data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services or 6(1)(b) necessary for the performance of a contract and  9(2)(h) provision of health care or treatment or the management of health care systems and services.

If you use our wi-fi we will collect information relating to your device address.  This is so that we can provide you with an IP address whilst on site and log traffic information for resource purposes.

The lawful basis for processing personal data is 6(1)(c) compliance with a legal obligation and 6(1)(f) necessary for the purposes of legitimate interests in being able to establish who is on our premises and to provide wi-fi facilities at our Centres.

 Please let us know.

We will let you know about patient events, such as coffee mornings, and other relevant health and care related support and services.

We will respond to messages and requests which you may have left with our out-of-hours telephony service or on an answering machine securely held in a specific Centre or other method of communication you have chosen to use.

We may use your personal data to provide a taxi service for you, at your request.

Our lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

It is important that you tell us immediately if your contact details have changed. Please note that we cannot be held responsible should you change your mobile number or email address and not advise us.  Equally we cannot be held responsible for onwards use or transmission of a text message after you have received it.

When you register for care or treatment, you may provide details of emergency and nominated contacts with whom we can share information about the progress of your treatment and contact in the event of an emergency, unless you have advised us not to. It is important to notify us of any change to these emergency/nominated contact details so that we can ensure they are kept up-to-date and accurate. Please ensure that your contacts are comfortable with you giving us their information and we recommend you show them this privacy notice.

If you invite a relative, friend and/or carer to your appointments, they will receive the same information about you that you receive during the appointment.

If you have a representative, for example someone holding lasting power of attorney, we will share information with this representative where appropriate to do so.

We will share your information with other health and care professionals or organisations so they can provide you with safe and effective care. This would include where you transfer for continuing treatment or care through the NHS or an alternative private organisation.

GenesisCare  has a legal obligation under the Health & Social Care Act 2015 to use your NHS number where reasonably available, and this unique identifier will be used for all data sharing associated with facilitating the care of NHS patients.

The lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services,  6(1)(c) compliance with a legal obligation and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

You may be offered a telehealth remote consultation by your doctor. If we provide this service we may record your name, telephone number and IP address.

We do not record consultations.  Any notes taken during your consultation will be added to your health and care record which is held securely on our patient system.

The lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services or 6(1)(b) necessary for the performance of a contract and 9(2)(h) provision of health care or treatment or the management of health care systems and services. 

When you register with us, we will record whether you are self-funding or are covering the cost of your treatment through your private medical insurers. Where relevant, we will record details of your private medical insurance including your insurer and policy number.

If you are self–funding or need to cover costs in the event of a shortfall of funds from insurers, you will need to make payment via our authorised payment card service providers who will hold your card holder data. You will receive a copy of the receipt and our finance department will store the merchant copy securely for one year on our servers for financial audit purposes after which our copy will be deleted.

We collect this information to enable us to provide you with health related services and treatment and to fulfil our contract with you for the provision of such care. We use your personal data to ensure our accounting and invoicing activities are accurate and up-to-date.

The lawful basis for processing personal data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services or 6(1)(b) necessary for the performance of a contract and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

We are accountable for ensuring safe clinical and operational practices are implemented and maintained. We undertake regular audits of compliance to ensure the delivery of standards of treatment, for quality assurance, to ensure services can meet our statutory and regulatory obligations and patient needs in the future and to assess adherence to policy and procedure. Wherever possible we use anonymised information.

We may share anonymised and aggregated data with organisations such as the National Institute for Clinical Excellence for auditing purposes. You will not be identifiable unless anonymised or aggregated patient data would not otherwise be sufficient and the use of personal data has a valid lawful basis. These individuals will be under a duty of confidentiality in addition to that imposed by the data protection legislation. 

We may share anonymised and aggregated data with organisations such as the National Institute for Clinical Excellence for auditing purposes. You will not be identifiable unless anonymised or aggregated patient data would not otherwise be sufficient and the use of personal data has a valid lawful basis. These individuals will be under a duty of confidentiality in addition to that imposed by the data protection legislation.

Our lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services or 6(1)(c) Legal Obligation (e.g. CQC requirements) and 9(2)(h) provision of health care or treatment or the management of health care systems and services or 9(2)(i) for reasons of public interest in the area of public health.

GenesisCare supports student and visiting doctor placements and, unless you object, details of your diagnosis and treatment may be shared for clinical training and teaching purposes within the GenesisCare direct care team.  Recipients will be under a duty of confidentiality in addition to that imposed by the data protection legislation.

For education and training purposes beyond the direct care team, we will use anonymised data.  If it is not possible to use anonymised data, e.g. the training scenario requires identifiable information, we will seek your consent under the Common Law Duty of Confidentiality.

Our lawful basis for processing this data is 6(1)(f) necessary for the purposes of legitimate interests, specifically, supporting the provision of your health and care and management of health care services and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

GenesisCare participates in research and development to support the generation of new knowledge in medicine, measure effectiveness of interventions, to support the development of technological and medical innovations and to improve healthcare services and patient outcomes.

We may seek your consent to share data and your treatment and care will not be affected if you do not wish to consent.

We share data under a legally binding contract and researchers are bound by data protection legislation and confidentiality clauses. 

The lawful basis for processing this data is 6(1)(a) consent and 9(2)(a) explicit consent.

Some research projects and/or registries have received statutory approval and consent may not be required to use your personal data.  Where appropriate we will comply with the National Data Opt-Out.

Where GenesisCare acts as a controller in the context of these purposes, our lawful basis is 6(1)(f) legitimate interests, specifically the processing is necessary for research purposes and 9(2)(j) the processing is necessary archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or 9(2)(h) provision of health care or treatment or the management of health care systems and services.

Note: Where GenesisCare acts as a processor in the context of research studies and clinical trials, you will receive a patient information sheet explaining how your personal data will be used by the controller. 

We participate in testing the quality and effectiveness of new systems and equipment we implement to improve the care and treatment we provide and patient outcomes.

Our approach is to use anonymised information but where this is not possible we would require identifiable information. This would typically include name and/or GC number, date of birth and scan image/s. An assessment will be carried out prior to sharing identifiable data with systems or equipment suppliers and safeguards will be put in place to protect your privacy, to include a legally binding contract with data protection legislation and confidentiality clauses.

We will ask you at registration if you are willing to share your data for the purposes of product testing and improvement and if you change your mind at any time please let us know.

The lawful basis for processing this data is 6(1)(f) legitimate interest in making improvements in our systems and services which have been appropriately assessed and where we have put safeguards in place to protect your privacy so that this use does prejudice your privacy rights and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

We may use your information to communicate with you about the resolution of any queries, concerns or complaints you have made. It is important that we resolve such matters properly and fully to the satisfaction of all concerned, and we will need to use your personal data to do so.

The lawful basis for processing this data is 6(1)(f) legitimate interest, specifically managing queries, concerns, compliments and complaints relating to our services, article 6(1)(c) compliance with a legal obligation and article 9(2)(h) provision of health care or treatment or the management of health care systems and services

As a provider of health and care, we are subject to a wide range of legal and regulatory responsibilities. Where we are required by law or by regulators to provide personal data, the use is necessary for the provision of health and care or treatment and the management of health and care systems and we have a legal obligation to do so.

In the unlikely event that GenesisCare UK or its consultants are the subject of legal actions or complaints it is necessary to access your personal data in order to investigate and respond to those actions (limited to the extent necessary and relevant to the subject-matter) to enable us to establish, exercise or defend our legal rights.

The lawful basis for processing this data is 6(1)(f) legitimate interests, specifically the processing is necessary for us to establish, exercise or defend our legal rights or article 6(1)(c) compliance with a legal obligation and article 9(2)(h) provision of health care or treatment or the management of health care systems and services or 9(2)(f) defence of legal claims.

We have an appropriate business need to use your information where necessary for IT purposes, for example, responding to tickets, performing trouble shooting, applying fixes and performing maintenance. Our lawful basis for this purpose is 6(1)(f) legitimate interest and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

If we were to sell or transfer a Centre or part of our business to another organisation, your patient records would also transfer to the new owner. Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. Your records would be transferred to minimise the disruption to current and past patients caused by the sale or transfer and to ensure that we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.

The lawful basis for processing this data is 6(1)(f) legitimate interests, specifically, supporting the provision of your health and care and management of health care services or 6(1)(b) necessary for the performance of a contract and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

We use personal data including photography (still and moving), audio or written transcript recordings in our marketing materials related to the promotion of our organisation and services, as an educational resource, within presentations or within journalistic articles or material.  These materials will be published online and within printed media, used in promotional videos at events, used in advertising and broadcast and used for educational purposes. Depending on the circumstances, this may include special categories of data such as information relating to your health, e.g. for patient testimonials.

Where we are processing special categories of data for promotional, marketing, journalistic and education purposes you will be provided with a comprehensive Privacy Notice so that you can make an informed decision.

The lawful basis for processing this data is 6(1)(a) consent and 9(2)(a) explicit consent.

You have the right to withdraw your consent to further processing of your image.  This is explained fully when you are asked if you wish to participate.  If you have any queries, please contact the Data Protection Officer, details at the foot of this Privacy Notice.

We use CCTV externally and around our administrative areas to support the safety of our staff, patients and visitors and to ensure the security of property and premises and for preventing and investigating crime purposes only. It may also be used to support incident and complaint investigations and litigation against GenesisCare. Areas monitored by CCTV are sign-posted.

At some of our Centres the external CCTV is owned and managed by someone else, such as the landlord, who is the Controller. CCTV footage may be shared with GenesisCare where it is necessary for one of the above mentioned purposes. We can supply you with details of the relevant Controller(s) of the CCTV.

We also use CCTV in our radiotherapy treatment areas so that the radiographers can watch you carefully and can speak to you through an intercom.

The lawful basis for processing this data is 6(1)(f) legitimate interest, specifically, the purposes mentioned above and 9(2)(h) provision of health care or treatment or the management of health care systems and services or 9(2)(f) defence of legal claims.

GenesisCare will always put measures in place to ensure the safety of all patients and staff and will process your personal data in accordance with our data protection obligations under the data protection legislation.

Covid testing will take place where required as part of the general care of patients.

The lawful basis for processing your personal data is 6(1)(f) legitimate interest, specifically, to control, and wherever possible, prevent the spread of infection and 9(2)(h) provision of health care or treatment or the management of health care systems and services.

We may also be legally required to share personal data under the Notice issued by the Secretary of State under Regulation 3(4) of the Health Service Control of Patient Information Regulations issued on the 1st April 2020.  The lawful basis for processing your personal data in these circumstances is 6(1)(c) compliance with a legal obligation and 9(2)(i) for reasons of public interest in the area of public health.

We may share your personal data within the GenesisCare group of companies as described in the previous sections.  Where we collaborate with our colleagues in Australia and/or Spain, there will be an inter-group data protection agreement in place and, if appropriate, those staff will be required to complete and pass UK Information Governance training and comply with UK policies and procedures which align with UK legislation.

We may offer you ancillary services connected to GenesisCare, such as the GenesisCare Exercise Clinic, counsellors and therapists. If you take up this support, we will share information with the relevant health and care professionals and workers.

GenesisCare’s medical Consultants are independent practitioners who practice their specialties in accordance with the terms of our Practicing Privileges policy and who have personal responsibility for the care they deliver. Many Consultants are also employed by the NHS and may also work with other independent providers.

We undertake a thorough vetting process before we grant Practising Privileges to verify qualifications and fitness to practice, in addition to mandated annual appraisals.

Consultants are responsible for maintaining records about your health and any treatment or care you have received and may keep their own records as well as recording the details on the GenesisCare patient record system. Consultants who individually maintain your record are responsible for providing you with a separate privacy notice. Where the patient record system is used, GenesisCare and your Consultant are joint controllers of your data (together we determine the means and purpose of processing your information for your care and treatment) and this privacy notice applies. Both parties abide by the Joint Patient Data Sharing and Management Policy which we can provide to you upon request.

Note that where Consultants hold separate records about you we may refer you to them if you have exercised your information rights under Data Protection Laws.

GenesisCare offers medical secretary services to Consultants in some circumstances.  Where we do, the secretary is employed by GenesisCare and handles your data in accordance with our policies and procedures.  In these circumstances a data processing agreement will be in place between the Consultant and GenesisCare and this privacy notice applies.

Sometimes the Consultant will employ a medical secretary direct or receive secretarial services from another healthcare provider (private or NHS).  In these circumstances the relevant privacy notice will apply (from the Consultant or the particular hospital or healthcare centre).

If you want to find out more about the arrangements between GenesisCare and consultants for handling your information please contact our Data Protection Officer (DPO), details at the foot of this Privacy Notice.

This is a team of medical consultants who will discuss a treatment plan for you via the GenesisCare eMDT platform (developed and supported by our processor, Context Health).  You will be referred to consultants in your specialist reference group who will have access to your medical data, to the diagnostic images held on the radiology system and to your health record. Consultants working together in the eMDT will discuss your case to achieve the best possible outcome.

All eMDT consultants sign a strict privacy agreement as a condition of participating and are bound by data protection legislation. The data will be held on the platform for one year and a day and thereafter deleted unless you are a GenesisCare patient in which case your treatment data will be saved in our patient systems in accordance with standard lawful practice. Data processed in the eMDT function is jointly controlled by GenesisCare and the clinical participants and a legal arrangement is in place between the parties. Data processed in the audit function is controlled by GenesisCare. Data processed in relation to patient outcomes is controlled jointly by the collaborating Consultants.

We may share data with healthcare providers who have commissioned our services so that we can jointly support your health and care and treatment.

This means that we may collect, transfer, share and manage your data jointly in our systems for the purposes of health and care services and related administration under a formal joint controller arrangement. Such a joint controller arrangement will set out our respective responsibilities to you with respect to:

• Our compliance with the data protection law generally;
• Our responsibilities for dealing with your rights as data subjects; and
• Our respective duties for provision of information to you.

Where joint controller relationships exist both parties must comply with data protection standards and both are responsible for addressing your rights and freedoms.

If you want to find out more about the arrangements between GenesisCare UK and NHS Trusts for handling your information please contact our DPO.

We may also share relevant data with other healthcare providers who are involved in your care and treatment.

Where the cost of your treatment and care is covered by insurance, we share your information with your insurer or the administrator of the applicable scheme of insurance. Both GenesisCare and your insurer are controllers of this personal data. This means that each of us individually may determine the means and the purpose of any processing of the information we hold.

Generally, we share information to allow each other to exercise our rights or comply with our obligations under the health and care services arrangement we have in place, and in the case of the insurer, to manage claims and administer the schemes for insured members.

Specifically, your information may be used in the following shared activities:

• The provision of clinical quality information
• The pre-authorisation of treatment on your behalf
• Invoicing for services provided
• The notification of any serious incident
• Assisting and cooperating in the investigation of any member complaints
• Allowing your insurer to inspect and audit our facilities.

Your insurer is only allowed to process your data for insurance purposes, i.e. managing the policy and any claims.  Where your insurer wishes to see the information we hold about you for any other purpose, you will need to provide your consent to your insurer in order for your insurer to receive this information. 

You may exercise your rights against either GenesisCare or your insurer where we are both controllers of the same information for the same processing purpose.

Where we independently hold further information, or process information for purposes in addition to the shared purposes stated above, you should direct any communication concerning your rights to the applicable holder/processor of your information.

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England.

We make notifications to Public Health England and other statutory bodies in compliance with our legal obligations and where necessary to protect the vital interests of individuals.

This processing is necessary for reasons of public interest in the area of public health such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care on the basis of UK law.

National Cancer Registration and Analysis Service (NCRAS)

If you have been diagnosed with cancer, GenesisCare will provide information about you and your cancer to the National Cancer Registration Service (NCRS). The NCRS promotes research, monitoring and improvement of cancer care.  If you wish to request that your details are not included on the Register or have your information removed you should contact the NCRS directly by email to ndrsoptout@nhs.net. Further information has been provided to you in the Public Health England leaflet ‘Cancer Registration – what it is, the benefits of being on the register and your options’.

Private Healthcare Information Network (PHIN) / NHS

We are bound in law to send identifiable data to the Private Healthcare Information Network (PHIN) about the private patients we treat with radiotherapy.  PHIN collects and publishes information about the activity and performance of health and care providers and doctors providing private care. PHIN has its own privacy notice which can be accessed via its website. Whilst the information we are obliged to provide includes some of your personal data, PHIN cannot identify you from it for although your NHS number is included, PHIN does not have access to any patient systems. Any information that is published by PHIN will always be in an anonymised statistical form.

We are required to provide PHIN with information related to your treatment, including your:

• National Health Service (NHS) number, or in the case of patients from outside the UK, a suitable equivalent identifier e.g. passport number
• Your age
• Your gender
• Your ethnicity or race
• Your diagnosis (what you are receiving treatment for)
• Other data about your state of health
• The procedure you have undergone
• The date you came into hospital, and the date you left
• Your postcode.

Under the Acute Data Alignment Programme (ADAPt) you can choose whether or not to allow PHIN to share your NHS number with NHS England. We will ask you at registration if you wish to opt-out of this sharing and if you change your mind at any time please let us know.

Further information about how PHIN uses information is available at www.phin.org.uk. We will be happy to print a copy for you if you prefer.

National Radiotherapy Dataset

We are required to send a radiotherapy dataset to the NHS Trust where treatment is funded by the NHS; the Trust will then forward this data on to NHS England.

The purpose of this collection is to support consistent data and inform the planning, provision and commissioning of radiotherapy services.

Other national data collection

We may collect and share data without your consent provided that the particular audit registry or data collection has received statutory approval, or where the information will be provided in a purely anonymous form, otherwise your consent will be needed. Where your consent is required, the registry organisation may have consent processes of their own, otherwise we will seek consent from you.

We may also share your personal data with the third parties listed below for the purposes identified within this privacy notice:

• A doctor, nurse, carer, pharmacist, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests or other healthcare professional involved in your care
• Other members of support staff involved in the delivery of your care, such as receptionists and medical secretaries
• Other private sector healthcare providers where you request us to do so
• Your GP
• Voluntary organisations providing on-going support
• Taxi providers where transport assistance for treatment is provided for insured patients
• Government bodies and local authority departments
• Our regulators, such as the Care Quality Commission
• The police and other third parties where reasonably necessary for the prevention or detection of crime
• Our insurers
• Debt collection agencies
• Third parties to the extent required by regulation, law or court orders, supervisory authorities e.g. during the course of enquiries or investigations and statutory requests for information
• GenesisCare Teams (may include Legal and IT) and third parties relevant to the circumstances
• CCTV recordings may be shared where necessary or required, with you, employees, insurers and agents, services providers, police forces, security organisations and persons making an enquiry
• Ancillary service providers we use to support our business. These providers are trusted partners that work with us and are authorised to use your personal data only as necessary to provide these services to us or to you. We require these third parties to comply with data protection law and we ensure appropriate controls are in place. We enter into written contracts with all our providers. These will include providers of:
  • Clinical, administrative and management systems
  • Clinical equipment and treatment systems
  • Clinical services e.g. pathology providers, diagnostic providers
  • Payment card providers
  • IT support services including trouble shooting and maintenance
  • Data hosting
  • Collaboration and communication tools
  • Auditors, lawyers and tax advisors
  • Bank and auditors for financial reconciliation purposes.

• Selected third parties in connection with any sale, transfer or disposal of our business.
• We may communicate with these third parties in a variety of ways including, but not limited to, email, post and telephone.

We have implemented appropriate technical and organisational security to protect your personal data. This includes:

• By providing those who work at GenesisCare with robust policies, procedures and guidelines
• Ensuring our staff complete regular training
• Ensuring personal data is only accessible to and shared with individuals that have a justifiable need to access it
• Implementing physical access controls within our facilities
• Applying technical controls such as encryption (which includes configurations to conform to the O365 NHS Digital Assessment)
• Legally binding agreements and contracts between relevant parties
• Holding up-to-date registers of our information assets.

Wherever possible we will anonymise or pseudonymise your information before we share it with others, or where we no longer require the information in identifiable form.

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.

Pseudonymisation is the processing of information in such a way that it can no longer be attributed to you without the use of additional information and where that additional information is kept separately. This allows for a much wider use of the information for statistical or other purposes.

We provide our staff with guidelines to ensure that any transfer of personal data will be carried out securely and in line with data protection law. 

If your permanent address is outside the UK, or your treatment is continuing outside the UK, we may send details of your treatment to specific individuals to promote your ongoing care.

GenesisCare is part of a global organisation and we (or third parties acting on our behalf) may store or process personal data within the GenesisCare group of companies for administrative and management purposes. This processing is based on our own or a third party’s legitimate business interests.

As a global organisation we may engage global suppliers for the provision of services to the GenesisCare Group of companies and such suppliers may also be located outside the UK.

Where we transfer your personal data to a third country or international organisation, we will ensure adequate safeguards and measures are in place to protect your personal data from unlawful use and ensure your fundamental rights are capable of being upheld. We would normally achieve this by:

• Only transferring personal data to countries deemed capable of providing an adequate level of protection; or
• Implementing a UK approved legal mechanism, such as Standard Contractual Clauses with UK Addendum or the UK approved International Data Transfer Agreement; and
• Adopting technical, organisational and contractual measures, where required having undertaken a Data Transfer Impact Assessment to ensure that your rights in the country of transfer are essentially equivalent to your rights in the UK.

In certain situations, it may be possible to legitimise the transfer by relying on a derogation. For example, if:

• You have explicitly consented to the proposed transfer; or
• The transfer is necessary for the performance of a contract.

In all cases any transfer of your personal data will be compliant with applicable data protection law. If you would like further information regarding the steps we take to safeguard your personal data when making international transfers, please contact the DPO using the details at the foot of this Privacy Notice.

GenesisCare carries out Data Protection Impact Assessments prior to new or changed processing of data relating to individuals in order to identify and minimise the data protection risks of data processing activities undertaken.