Privacy notice

Introduction

This privacy policy sets out how Healios uses and protects your personal information.

When we talk about “you” and “your personal information” in this privacy policy, we mean the individual whose personal information we are processing. This will primarily be the patient or prospective patient of our healthcare services but may also include other individuals such as those involved in the care of the patient (including a parent or guardian of a patient that is a young child) and anyone interested in our services and research (for example, mail list subscribers).

About Healios

Healios Limited (referred to as “Healios”, “we” or “us” in this policy) is a UK company, trading as Healios for NHS funded services and Melios for private healthcare services. We specialise in providing online mental health services to children, young people and adults. We provide our health services to NHS-funded patients and private patients. We also undertake our own research projects to better understand certain health conditions and related behaviours, to develop our services and to improve diagnosis, care and treatment outcomes for patients.

We are registered in England with registration number 08459279, and our registered address is Vintage House, 36-37 Albert Embankment, London, Greater London, SE1 7TL.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are data protection laws that apply to those processing personal information. Under these data protection laws, we are the controller for your information. A controller decides why and how personal information is used and shared. As a controller, we are responsible for ensuring that the personal information that we process is kept secure and is used appropriately and in accordance with the law.

Date of last review

March 2026

Our contact details

  • Name: Healios Limited
  • Address: Vintage House, 36-37 Albert Embankment, London, Greater London, SE1 7TL.
  • General phone number: 0330 124 4222
  • General enquiries email address: [email protected]
  • Website for private patients: Melios
  • Website for NHS-funded patients: Healios

Data Protection Officer contact details

We have appointed a Data Protection Officer who is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal information using the above contact details or by emailing our Data Protection Officer at [email protected]

What personal information do we collect and how?

We may collect and use some or all of the following personal information about you, depending on the circumstances:

  • Identity data including name, date of birth, and gender and pronoun preferences.
  • Contact data including your postal address, email address and telephone number; next of kin details (including any support networks) and emergency contact details; and GP details.
  • Financial information and/or insurance policy details (if you are a private patient paying for our services).
  • Patient data including information about your health (such as medical conditions, prescription medication (including standard growth monitoring for children), allergies, medical requirements and medical history), results of tests and investigations (including psychological evaluations) and recordings of clinician sessions and related calls.
  • Safeguarding status data (whether or not you are subject to any protection orders regarding your health, wellbeing and human rights).
  • Other sensitive data such as information revealing racial or ethnic origin.

We collect personal information in a number of ways. This may include personal information (including information about your health) received:

  • directly from you or your authorised representative, for example, when you contact us about our services
  • from people who know you well such as friends, family members and carers
  • from other health and care organisations involved in your care, for example, referral details from your GP (if you are an NHS funded patient)
  • from education organisations where appropriate, for example, a child’s school (for our children’s assessment services)

As you interact with our website and client/patient portal, we will also collect usage and technical data about your equipment and use of our website and portal. We collect this personal information by using cookies and other similar technologies. Further details on this can be found in the cookies section below.

Where appropriate, we will also collect and use marketing and communications data including your preferences in receiving marketing from us and your communication preferences. You can find out more about our use of data for marketing below, including how to opt out.

Who do we share personal information with?

We may share your personal information with the following types of organisations:

  • your insurance provider (if you are a private patient using medical insurance cover);
  • third party data processors, such as IT system suppliers and payment processors;
  • academic institutions such as universities and third parties with whom we are supporting health-related research to better understand certain health conditions and related behaviours, to develop our services and to improve diagnosis, care and treatment outcomes for patients; and
  • carefully selected health-focussed organisations, to improve diagnosis, treatment, digital tools and health outcomes.

In some circumstances we are legally obliged to share information, such as when a court or regulator orders us to do so or where a public inquiry requires the information. We will also share information if the public good outweighs your right to confidentiality, such as where a serious crime has been committed or to protect children or vulnerable adults.

Is information transferred outside the UK?

We will primarily process and store your personal data in the United Kingdom.

However, there may be circumstances where your personal information is processed or stored outside of the UK. This is because we sometimes work with service providers or partners who are based outside of the UK or have servers outside of the UK. If we transfer your personal information outside of the UK, we will always ensure that the transfer relies on a lawful transfer mechanism and that the information is protected by appropriate safeguards as required by UK data protection laws (such as the International Data Transfer Agreement issued by the Information Commissioner’s Office).

For further information on the circumstances in which we transfer data outside of the UK and the appropriate safeguards we have in place to ensure its protection, please contact us by email at [email protected].

What is our purpose and lawful basis for using your personal information?

Purpose and lawful basis

We will only use your personal information when the law allows us to. This may include the following circumstances:

  • where we have obtained your consent – this must be freely given, specific, informed and unambiguous;
  • where it is necessary to perform a contract we have with you, for example, the contract for the provision of our services to you if you are a private patient;
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
  • where we need to comply with a legal or regulatory obligation, for example where the NHS, public bodies or the courts use their powers to require the data.

For more sensitive data, such as your health information, we are required to have an additional lawful basis which is most likely to be one of the following:

  • the processing is necessary for the purposes of medical diagnosis, the provision of healthcare or treatment and/or the management of our healthcare systems and services (Article 9(2)(h) of the UK GDPR)
  • the processing is necessary for scientific research purposes or statistical purposes (Article 9(2)(j) of the UK GDPR)

The categories of personal information that we may process about you and our purposes for doing so are set out in the table below. The table also identifies our lawful basis for the processing and any condition for processing special categories of data, such as health information.

Each entry below gives, in turn, the purpose of the processing, the categories of personal information that are relevant, the lawful basis for the processing, the additional lawful basis for special category data, and the retention period.

  • Purpose of the processing: To provide our health and care services to you if you are an NHS funded patient
  • Categories of personal information that are relevant: All personal information relating to your health and the provision of our healthcare services to you
  • Lawful basis for the processing: Necessary for our legitimate interests to provide our services to you as a referred NHS patient (Article 6(1)(f)); or, as an RTC referred patient (Article 6(1)(c))
  • Additional lawful basis for special category data: Provision of healthcare or treatment (Article 9(2)(h) of the UK GDPR)
  • Retention period: For adult patients (18 years plus), we will keep your care record for 8 years. For patients under 18, we will keep your data until your 25th birthday unless you were 17 when treatment ended, in which case we will keep your care record until your 26th birthday.

  • Purpose of the processing: To provide our health and care services to you if you are a private patient
  • Categories of personal information that are relevant: All personal information relating to your health and the provision of our healthcare services to you
  • Lawful basis for the processing: Necessary to perform our contract with you (Article 6(1)(b) of the UK GDPR); OR necessary for our legitimate interests to perform our services, for example, where our contract is not with the patient (Article 6(1)(f))
  • Additional lawful basis for special category data: Provision of healthcare or treatment (Article 9(2)(h) of the UK GDPR)
  • Retention period: For adult patients (18 years plus), we will keep your care record for 8 years. For patients under 18, we will keep your data until your 25th birthday unless you were 17 when treatment ended, in which case we will keep your care record until your 26th birthday.

  • Purpose of the processing: To share your completed assessment report with your referring GP where you have been referred under the NHS Right to Choose scheme and have provided your explicit consent to this disclosure
  • Categories of personal information that are relevant: All personal information contained in the assessment report, including identity and contact details, clinical history, assessment findings, and diagnosis or clinical outcome
  • Lawful basis for the processing: Explicit consent (Article 6(1)(a) of the UK GDPR). This processing only takes place where the patient has given prior explicit consent. The referring GP is not a direct care provider in relation to the assessment services we deliver; implied consent is therefore not sufficient for this disclosure. Consent may be withdrawn at any time before the report is transmitted.
  • Additional lawful basis for special category data: Explicit consent (Article 9(2)(a) of the UK GDPR). As the referring GP is not a direct care provider, Article 9(2)(h) does not apply to this specific disclosure. Explicit consent under Article 9(2)(a) is therefore the required special category condition.
  • Retention period: Same as the main care record: 8 years for adults; until the patient’s 25th or 26th birthday for those treated as minors. Where consent is withheld or withdrawn before transmission, no report is shared and no additional retention obligation arises from this entry.

  • Purpose of the processing: To make an onward referral to a third-party healthcare provider or specialist service for ongoing care or treatment following your assessment, where clinically indicated
  • Categories of personal information that are relevant: Identity and contact details; assessment report and clinical findings; diagnosis or clinical outcome; any other clinical information reasonably necessary to support continuity of care
  • Lawful basis for the processing: Explicit consent (Article 6(1)(a) of the UK GDPR) where the processing is consent-based; OR necessary for compliance with a legal obligation where a specific statutory duty to refer applies (Article 6(1)(c) of the UK GDPR). The applicable basis will be confirmed at the time of each referral. A data sharing agreement will be in place with the receiving organisation before any transfer takes place.
  • Additional lawful basis for special category data: Provision of healthcare or treatment (Article 9(2)(h) of the UK GDPR) where the referral is made by a health professional subject to an obligation of professional confidentiality; OR explicit consent (Article 9(2)(a) of the UK GDPR) where Article 9(2)(h) does not apply. The applicable condition will be confirmed at the time of each referral.
  • Retention period: Our record of the referral is retained as part of the main care record: 8 years for adults; until the patient’s 25th or 26th birthday for those treated as minors. The receiving organisation is an independent data controller and applies its own retention policy to data it holds.

  • Purpose of the processing: To receive, store and process referral information sent to us by a referring GP in connection with an NHS Right to Choose referral, in order to assess eligibility and provide our assessment services
  • Categories of personal information that are relevant: Identity and contact details; GP referral letter and any accompanying clinical notes; relevant medical history provided by the GP; safeguarding status where disclosed. Note: this information is received from the patient’s GP practice rather than directly from the patient, in accordance with Article 14 of the UK GDPR.
  • Lawful basis for the processing: Necessary for compliance with a legal obligation arising from our obligations under the NHS Standard Contract and Right to Choose framework (Article 6(1)(c) of the UK GDPR); OR necessary for our legitimate interests to assess referrals and deliver our services (Article 6(1)(f) of the UK GDPR)
  • Additional lawful basis for special category data: Provision of healthcare or treatment (Article 9(2)(h) of the UK GDPR). This data is received from the referring GP practice; patients are informed of this in accordance with Article 14 UK GDPR.
  • Retention period: For adult patients (18 years plus), we will keep your care record for 8 years. For patients under 18, we will keep your data until your 25th birthday unless you were 17 when treatment ended, in which case we will keep your care record until your 26th birthday.

  • Purpose of the processing: For the purposes of quality assurance and improvement (including conducting peer reviews of consultations conducted by clinicians) and managing our healthcare systems and operations
  • Categories of personal information that are relevant: All personal information relating to your health and the provision of our healthcare services to you, including call recordings and video/audio conversations of clinician sessions
  • Lawful basis for the processing: Necessary for our legitimate interests – to maintain a high quality of service and to effectively manage our healthcare operations (Article 6(1)(f))
  • Additional lawful basis for special category data: Management of healthcare services (Article 9(2)(h) of the UK GDPR)
  • Retention period: As above

  • Purpose of the processing: To conduct clinical research
  • Categories of personal information that are relevant: Your patient data (including health information) that relates to the relevant research, including recordings of clinical sessions.
  • Lawful basis for the processing: Necessary for our legitimate interests – to engage in clinical research for the purposes of monitoring, improving and developing our services and treatment options (Article 6(1)(f))
  • Additional lawful basis for special category data: Scientific research purposes and statistical purposes (Article 9(2)(j) of the UK GDPR)
  • Retention period: Up to 30 years, depending on the circumstances of our retention and the type of research

  • Purpose of the processing: To conduct commercial research and service development
  • Categories of personal information that are relevant: Your patient data (including health information) that relates to the relevant research, including recordings of clinical sessions.
  • Lawful basis for the processing: Explicit consent (Article 6(1)(a) of the UK GDPR) where the processing is consent-based. This processing only takes place where the patient has given prior explicit consent.
  • Additional lawful basis for special category data: Explicit consent (Article 9(2)(a) of the UK GDPR). This processing only takes place where the patient has given prior explicit consent.
  • Retention period: Up to 30 years, depending on the circumstances of our retention and the type of research

  • Purpose of the processing: For the purposes of communicating with you regarding queries, concerns and complaints regarding our healthcare services
  • Categories of personal information that are relevant: Identity and contact details and any other personal information that is relevant to the query, concern or complaint
  • Lawful basis for the processing: Necessary for our legitimate interests – to perform the services and ensure appropriate handling of concerns and complaints (Article 6(1)(f))
  • Additional lawful basis for special category data: Provision and management of healthcare services (Article 9(2)(h) of the UK GDPR) – this applies where the relevant communications include health information.
  • Retention period: 10 years

  • Purpose of the processing: For the purposes of contacting family of patients in connection with our healthcare services, including in the event of an emergency
  • Categories of personal information that are relevant: Next of kin and emergency contact details including name, email address, phone number and relationship to the patient
  • Lawful basis for the processing: Necessary for our legitimate interests – to perform the services and ensure patient safety (Article 6(1)(f))
  • Additional lawful basis for special category data: Provision and management of healthcare services (Article 9(2)(h) of the UK GDPR)
  • Retention period: For adult patients (18 years plus), we will keep your care record for 8 years. For patients under 18, we will keep your data until your 25th birthday unless you were 17 when treatment ended, in which case we will keep your care record until your 26th birthday.

  • Purpose of the processing: For the purposes of managing our contract with you, including for payment (where you are a private patient)
  • Categories of personal information that are relevant: Identity and contact details, and financial information and/or insurer details in addition to your health information where you are paying for our services using your medical insurance.
  • Lawful basis for the processing: Necessary to perform a contract with you (Article 6(1)(b) of the UK GDPR)
  • Additional lawful basis for special category data: Provision and management of healthcare services (Article 9(2)(h) of the UK GDPR) – this applies if we disclose your health information to your insurer (if applicable).
  • Retention period: 6 years

  • Purpose of the processing: To use data analytics to improve our website, services, customer relationships and experiences and to measure the effectiveness of our communications and marketing
  • Categories of personal information that are relevant: Technical and usage data
  • Lawful basis for the processing: Necessary for our legitimate interests – to keep our website up to date and to improve and develop our services.
  • Additional lawful basis for special category data: N/A
  • Retention period: 8 years

  • Purpose of the processing: To provide information in relation to new/other services offered by Healios or to invite clients to participate in service development activities
  • Categories of personal information that are relevant: Identity and contact details
  • Lawful basis for the processing: Necessary for our legitimate interests – to market services and associated activities to existing clients/patients; OR consent – you have given your consent to our direct marketing activities
  • Additional lawful basis for special category data: N/A
  • Retention period: 12 months

Common law duty of confidentiality

In addition to ensuring that we have an appropriate lawful basis for the processing of your personal information, we must also satisfy the common law duty of confidentiality.

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • we have a legal obligation to collect, use and/or share the data (for example, if a court order requires us to disclose it); and/or
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service.

National data opt-out

The national data opt-out allows patients to choose if they do not want their confidential patient information to be used for purposes beyond their individual care and treatment, namely for research and planning purposes.

We apply the national data opt out to our use of confidential patient information for research and planning purposes.

The information collected about you when you use health and care services can be used and provided to other organisations for planning and research purposes (i.e. purposes beyond your individual care), for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This will only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible, data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

You can change your mind about your choice at any time. Even if you have registered a national data opt-out, you can agree to take part in our research projects by giving your explicit consent.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Using your information for research

We may use your personal information for health innovation research purposes where we have a lawful basis to do so. This is subject to our common law duty of confidentiality and the NHS national data opt-out, as described above.

We may anonymise your personal information for use in research. This means it can no longer identify you and will cease to be personal information. For example, we may anonymise and aggregate personal data to:

  • collect statistics on certain symptoms and conditions and share that medical data with organisations such as NHS England or NHS Scotland;
  • publish research results in peer reviewed journals; and
  • use research outcomes in our services.

Right To Choose

For information on the Right To Choose pathway click here.

What are your data protection rights?

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information (known as a subject access request).

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us using the contact details provided above if you wish to make a request.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Consent

In any circumstances where we have relied on consent as our lawful basis to process your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. This will not affect the lawfulness of any processing carried out before you withdrew your consent.

Opting out of marketing

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link at the bottom of our emails or emailing the Data Protection Officer at [email protected].

Please note that clients/patients cannot opt out of receiving emails related to their account or service with Healios. These are necessary for administrative and client service purposes.

How long do we store your personal information and how do we ensure it is secure?

Retention

Our data retention period, which is the length of time we hold your personal information, is informed by the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council. Please refer to the table above for our specific retention periods or contact us if you require any further detail.

At the end of the relevant retention period, we will review the information and, unless we have a lawful basis for an extended or further retention period, we will destroy it in line with the recommendations of the above bodies.

Prior to destroying your information, we may choose to anonymise it so that we can retain the information for future use in a way that you can no longer be identified. We might keep and use this anonymised data to help improve and develop our services as well as helping with health research.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us using the contact details provided above, for example, by emailing our DPO at [email protected].

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

What cookies do we use?

If you are a visitor to our website, Healios will also process personal information using cookies.
We use cookies on our website to enable us to run the website and to provide a more personalised service to you. This section describes how we use cookies and your options in regard to them.

What are cookies?

A cookie is a small piece of text which is downloaded to a device (such as a computer or mobile phone) when a user accesses a website. Cookies allow the website to understand the user’s preferences or past actions.

We use a number of these cookies as outlined below. We will always ask for your consent before placing these cookies on your device, except where the cookie is necessary in order for our website to function. These are called ‘strictly necessary’ cookies.

All other cookies can be controlled via our cookie management system, which is available on our website pages.

We have outlined below the types of cookies we use, their purpose and how long the cookie is kept on your device.

Where you have consented to the use of cookies that are not strictly necessary cookies, you may withdraw this consent at any time by using our cookie management platform.

You may also contact us at [email protected] if you have any queries regarding our use of cookies.

Strictly Necessary Cookies

We use two cookies that are necessary to run our site. The purpose of these cookies is outlined below:

  • Name of cookie: cookiehub
  • Host name: .www.Healios.org.uk
  • Purpose: Used by Healios to store information about whether visitors have given or declined the use of cookie categories used on the site.
  • Duration: 365 days
  • Third party: No

  • Name of cookie: VISITOR_INFO1_LIVE
  • Host name: .youtube.com
  • Purpose: A cookie that YouTube sets that measures your bandwidth to determine whether you get the new player interface or the old.
  • Duration: 180 days
  • Third party: Yes

Preferences Cookies

We operate the following cookies which allow you to set preferences regarding the use of our site:

  • Name of cookie: Lang
  • Host name: .ads.linkedin.com
  • Purpose: Session-based cookie that remembers the user’s selected language version of a website.
  • Duration: Session
  • Third party: Yes

  • Name of cookie: lidc
  • Host name: .linkedin.com
  • Purpose: Used by LinkedIn for routing.
  • Duration: 1 day
  • Third party: Yes

  • Name of cookie: CONSENT
  • Host name: .youtube.com
  • Purpose: Used by Google to store user consent preferences.
  • Duration: 6109 days, 9 hours
  • Third party: Yes

Analytical Cookies

We use the following cookies to analyse visitors to our website:

  • Name of cookie: _ga
  • Host name: .www.Healios.org.uk
  • Purpose: Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions.
  • Duration: 730 days
  • Third party: No

  • Name of cookie: _gid
  • Host name: .www.Healios.org.uk
  • Purpose: Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions.
  • Duration: 1 day
  • Third party: No

  • Name of cookie: _gat_gtag_UA_xxxxxxxxx
  • Host name: .www.Healios.org.uk
  • Purpose: These cookies are set by Google Analytics, which is a simple tool that helps us measure how users interact with our website. As a user navigates between web pages, Google Analytics records information about the page a user has visited, for example the URL of the page. The cookies themselves are used to ‘remember’ what a user has done on previous pages and interactions with our website.
  • Duration: 1 hour
  • Third party: No

  • Name of cookie: YSC
  • Host name: .youtube.com
  • Purpose: This cookie is set by the YouTube video service on pages with YouTube embedded videos to track views.
  • Duration: Session
  • Third party: Yes

Advertising

We use the following cookies for advertising:

  • Name of cookie: fbp
  • Host name: .www.Healios.org.uk
  • Purpose: Facebook Pixel advertising first-party cookie. Used by Facebook to track visits across websites to deliver a series of advertisement products such as real time bidding from third party advertisers.
  • Duration: 90 days
  • Third party: No

  • Name of cookie: fr
  • Host name: .facebook.com
  • Purpose: Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
  • Duration: 90 days
  • Third party: Yes

  • Name of cookie: UserMatchHistory
  • Host name: .linkedin.com
  • Purpose: Contains a unique identifier used by LinkedIn to determine that two distinct hits belong to the same user across browsing sessions.
  • Duration: 30 days
  • Third party: Yes

  • Name of cookie: bscookie
  • Host name: .www.linkedin.com
  • Purpose: Used by the social networking service, LinkedIn, for tracking the use of embedded services.
  • Duration: 730 days, 12 hours
  • Third party: Yes

  • Name of cookie: IDE
  • Host name: .doubleclick.net /
  • Purpose: Used by Google’s DoubleClick to serve targeted advertisements that are relevant to users across the web. Targeted advertisements may be displayed to users based on previous visits to a website. These cookies measure the conversion rate of ads presented to the user.
  • Duration: 390 days
  • Third party: Yes

  • Name of cookie: AnalyticsSyncHistory
  • Host name: .linkedin.com
  • Purpose: Used by LinkedIn to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries.
  • Duration: 30 days
  • Third party: Yes
