Purpose of this privacy policy

This privacy policy aims to give you information on how Healios Limited collects and processes personal data in connection with healthcare services and any other services that you request from us or we provide to you or others.

It is important that you read this privacy policy together with any other privacy policy or fair processing notice, and other communications we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements the other notices and is not intended to override them.

Controller

Healios Limited (referred to as Healios, "we", "us" or "our" in this privacy policy) is a limited company with registration number 08459279. Healios is data controller of the personal data to which this privacy policy relates.

We have appointed a data protection lead (“DPL”) whose role includes overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise [your legal rights], please contact our DPO using the details set out below.

Contact details

Our contact details are:

Our full name: Healios Limited

DPL contact name: Richard Andrews

Email and postal address for contacting us and our DPL:

Email address: dpo@healios.org.uk

Postal address: Viceroy House, Unit 2, 2nd Floor, Mountbatten Business Centre, Millbrook Road East, Southampton, Hampshire, SO15 1HY

You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Changes to this privacy policy

This version was last updated on 24th May 2018 and historic versions can be obtained by contacting us.

The need for you to inform us of changes to personal data about you or others

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by contacting us. Please using the contact details in the previous section.

Similarly, it is important that the personal data we hold about others is accurate and current. Please keep us informed if others’ personal data that you have given us changes during your relationship with us.

Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you and in any given case the kind of personal data we collect, use, store and transfer will be influenced by the nature of the services that you request from us or we provide to you or others. Whilst the personal data which we collect and process relates principally to our clients it will include personal data which relates to others including family members, carers and other healthcare professionals. We have grouped together kinds of personal data as follows:

Personal Identifiers including name, date of birth, address, NHS number

Biographical Information including information about significant life events and relationships and interactions with others, financial circumstances and interactions with public authorities including the criminal justice system.

Health Information including details of your medical history, past assessments, diagnoses and treatments, the opinions of others about your health and well-being, including opinions expressed by family, carers and health and social care professionals.

Financial Information including information necessary for invoicing, payment and accounting purposes.

Technical Data including log-in details, IP addresses, etc. details of the use of our IT services such as usage of the client portal.

Special Categories of Personal Data which may include information about your health (as noted above) and information revealing your race and/or ethnicity, your religious or philosophical beliefs or political opinions and information concerning your sexual life or sexual orientation.

Sources of Personal Data

We may collect personal data from a number of different sources including, but not limited to:

Organisations or professionals involved in the client’s care, including:

• Their GPs

• Other hospitals, both NHS and private

• Mental health providers

• Commissioners of healthcare services

• Clinicians contracted by us to deliver our services

• The information which we collect in relation to our clients may include information about a variety of third parties including the client’s relatives, friends or carers.

Directly from our client

Data may be collected directly from you when:

• You enter into a contract with us for the provision of healthcare services

• You use those services, including during clinical sessions

• You submit information via our patient portal

• You complete enquiry forms on our website

• You submit a query to us

• You correspond with us by letter, email, telephone or social media

• You take part in our marketing activities

Directly from our client’s relatives, friends or carers

Data may be collected directly from client’s relatives, friends or carers when they:

• enter into a contract with us for the provision of healthcare services to a client

• participate in the healthcare services which we provide, including during clinical sessions

• submit information via our portal

• complete enquiry forms on our website

• submit a query to us

• correspond with us by letter, email, telephone or social media

• take part in our marketing activities

From other third parties

We may also collect data about clients from third parties when:

• We liaise with client’s insurance policy provider in relation to our private services

• We deal with NHS health service bodies about services you have received or are receiving from us which they have commissioned

• We liaise with Government agencies or public bodies, including HMRC, and social services

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, or for your benefit, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into (for example, to provide you with healthcare services). In this case, we may have to cancel or not provide a service you have requested from us or we are providing under a contract with you (or for your benefit), but we will notify you if this is the case at the time.

We may 'process' your personal data for a number of different purposes. Each time we use your data we must have a legal basis to do so. The particular justification will depend on the purpose for which the data is processed and the nature of our relationship with you e.g whether you are receiving care as an NHS patient or under a contract which you have with us. When the data that we process is classed as “special category of personal data”, we must have a specific additional legal justification in order to use it as proposed.

In most instances, we will rely on the following legal justifications, or 'grounds':

• Taking steps at your request so that you can enter into a contract with us to receive healthcare services from us and the clinicians we engage to deliver our services.

• For the purposes of providing clients with healthcare, whether pursuant to a contract between the client and us, or under arrangements between us and the NHS in the performance of their public task. We will rely on this for activities such as supporting the delivery of your healthcare, supporting your Healios clinician or other healthcare professional in their professional obligations.

• We have, or a third party has, a legitimate Interest in processing the personal data and those interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Note that where the client is not the data subject we may rely on the client’s legitimate interest in receiving healthcare. For example, we may process some information about a client’s next of kin as the client has a legitimate interest in the next of kin being contactable and the processing will not adversely affect the next of kin.

• We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes.

• It is necessary to comply with a legal or regulatory obligation.

• We, or clinicians who have provided our services, need to use such personal data to establish, exercise or defend legal rights.

• You have provided your consent to our use of your personal data.

Generally we do not rely on consent as a legal basis for processing your personal data in connection with the healthcare services we provide to you or others. This does not affect the role which informed consent plays in the context of our client’s decisions about their care and treatment.

Note that we may process your personal data on more than one lawful ground depending on the specific purpose, or purposes, for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below.

Purpose 1: Where we are providing services to you under a contract with you, to set you up as a client on our IT systems

As is common with most business, we may have to carry out necessary checks in order for you to become a client. These include suitability checks for our services, which we cannot perform without using your personal data.

Legal ground:

• Taking the necessary steps so that you can enter into a contract with us for the delivery of healthcare.

Additional legal ground for special categories of personal data:

• The use is necessary for reasons of substantial public interest under UK law.

Purpose 2: To provide you with healthcare and related services

Legal grounds:

• Providing you with healthcare and related services whether on the basis of a contract with you.

• Providing you with healthcare and related services under arrangements with the NHS as part of its public task.

• Our client’s legitimate interests in obtaining our services.

Additional legal grounds for special categories of personal data:

• We need to use the data in order to provide healthcare services to you

• The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent

Purpose 3: For account settlement purposes

In respect of private clients, we will use your personal data in order to maintain account and billing information which is accurate and up-to-date.

Legal grounds:

• Providing you with healthcare and related services under arrangements with the NHS as part of its public task.

• Fulfilling our contract with you for the delivery of healthcare.

• Our having a legitimate interest in using your personal data.

Additional legal grounds for special categories of personal data:

• We need to use the data in order to provide healthcare services to you.

• The use is necessary in order for us to establish, exercise or defend our legal rights.

• We need to use the personal data for reasons of substantial public interest such as fraud prevention.

Purpose 4: For research purposes

We undertake our own research to develop our knowledge of the conditions which affect our services users in the hope of developing improved tools for assessment and care. We may undertake research with carefully selected third parties such as academic researchers. Any such research partnerships would be subject to information sharing agreements which respect the confidentiality of patient data and implement appropriate safeguards. External research partners would be required to demonstrate to Healios that they have complied with any applicable research ethics approval process prior to the sharing of any personal data.

Where research outcomes are shared publicly that will done in a manner which does not identify any current or former clients.

We will share your personal data only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects and/or registries have received statutory approval such that consent may not be required in order to use your personal data. In those circumstances, your personal data will be shared on the basis that:

Legal grounds:

• We have a legitimate interest in conducting and contributing to medical research in the public interest subject to appropriate safeguards to protect your privacy.

Additional legal grounds for special categories of personal data:

• The processing is necessary in the public interest for statistical and scientific research purposes

In the event that consent is required then either the research organisations will obtain this from you themselves or we will take consent from you.

Purpose 5: Communicating with you and resolving any queries or complaints that you might have.

From time to time, patients may raise queries, or even complaints, with us. It is important that we resolve such matters fully and properly, and so we will need to use your personal data in order to do so.

Legal grounds:

• Fulfilling our contract with you for the delivery of healthcare.

• Fulfilling our obligations in delivering services to you under arrangements commissioned by the NHS.

• Our having a legitimate interest in addressing your queries or complaints for the purpose of maintaining the standard of service which we provide.

Additional legal grounds for special categories of personal data:

• The use is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional

• The use is necessary in order for us to establish, exercise or defend our legal rights

• The use is necessary for reasons of substantial public interest under UK law.

Purpose 6: Communicating with any other individual that our client asks us to update about their care and updating other healthcare professionals about our client’s care.

Other healthcare professionals or organisations involved in caring for you may need to know about the services which we provide to you, including assessments, diagnosis or treatment, in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. Further details on the third parties who may need access to your data is set outlined in the Third Parties section below.

Legal grounds:

• Our providing you with healthcare and other related services either under a contract with you or in the performance of a task in the public interest under arrangements with the NHS or third parties.

• We, and the clinicians providing our services and your client’s have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in our client’s care have a full picture of their treatment.

Additional legal ground for special categories of personal data:

• We, and the clinicians providing our services, need to use the data in order to provide those healthcare services.

• The use is necessary for reasons of substantial public interest under UK law.

• The use is necessary in order for us to establish, exercise or defend our legal rights.

Purpose 7: Complying with our legal or regulatory obligations, and defending or exercising our legal rights

As a provider of healthcare, we and the clinicians delivering services on our behalf are subject to a wide range of legal and regulatory responsibilities which are not listed in full here. We make and retain detailed records of the assessments which we undertake and the care which we provide, including the information on which assessment and treatment decisions were based. We may be required by law or by regulators to provide personal data. In addition, the clinicians providing our services may have to exercise their judgment in determining whether the disclosure of confidential information should be made in accordance with their professional codes of conduct. From time to time, we or our clinicians may be the subject of legal actions, regulatory proceedings or complaints. In order to fully investigate and respond to those actions, it may be necessary to access your personal data (although only to the extent that it is necessary and relevant to the subject-matter). We may be required to disclose your personal data in response to a court order.

Legal grounds:

• The use is necessary in order for us to comply with our legal obligations

• The use is necessary for the Legitimate Interest of clinicians in responding to their regulator or in dealing with legal proceedings or otherwise complying with their professional obligations.

Additional legal ground for special categories of personal data:

• We need to use the data in order for others to provide informed healthcare services to you

• The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems

• The use is necessary for establishing, exercising or defending legal claims

• The use is necessary for reasons of substantial public interest under UK law

Purpose 8: Quality assurance, quality improvement, training and security including conducting peer reviews of consultations conducted by clinicians delivering Healios services

We may use your personal data, including information about your health, to identify where improvements can be made to the services which we provide and to support the professional development of the healthcare professionals we engage to deliver our services. We may also use your personal data in the context of developing, implementing and testing our IT security and in investigating any suspected security incidents.

Legal grounds:

• Our legitimate interest in maintaining and improving the quality of our services and the legitimate interest of the public in accessing high quality healthcare.

Additional legal ground for special categories of personal data:

• We need to use the data in order to manage the healthcare services we deliver, including carrying out surveys in order to identify and carry out any necessary improvements

Purpose 9: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice)

Legal grounds:

• Our legitimate interest in running our business

Additional legal ground for special categories of personal data:

• The use is necessary for establishing, exercising or defending legal claims.

Purpose 10: Provide information in relation to new services offered by Healios or to invite clients to participate in service development activities

Legal grounds:

• Our legitimate interest in running our business

Additional legal ground for special category of personal data:

• Processing is necessary for research in the public interest.

Change of purpose

Except as noted below, we will only use your personal data for the purposes for which we collected it, or have previously notified to you, except where further processing is compatible with those purposes. If you wish to get an explanation as to how the processing for the new purpose is compatible with the previous purpose(s), please contact us.

Except as noted below, if we propose to use your personal data for a purpose which is not compatible with those previously notified, we will notify you and we will explain the legal basis which allows us to do so.

Please note that, as exceptions to the two previous paragraphs, we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We may share your personal data with the parties set out below for the purposes set out above.

From time to time, we may share your personal data with third parties.

Disclosures to third parties:

We may disclose personal data to the third parties listed below for the purposes described in this Privacy Notice where that disclosure is required or permitted by law. This might include:

• Professionals involved in caring for our client’s including your Healios clinicians, GPs, NHS and private sector providers.

• Other members of our support staff involved in the delivery of care, like our Customer Engagement Managers

• Anyone that you ask us to communicate with or provide as an emergency contact, for example a client’s next of kin or carer

• NHS organisations, including NHS Resolution, NHS England, Department of Health

• Third parties who assist in the administration of healthcare to our clients, such as insurance companies

• National and other professional research/audit programmes and registries as part of requirements for delivering services on behalf of the NHS

• Government bodies and public authorities

• Our insurers

• Our third party advisers including actuaries, lawyers

We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

In most cases we do not transfer personal data outside of the EEA. On occasion personal data may be transferred outside of the EEA for example at the request of the data subject. On such occasions we will consider the necessity of any transfer and the adequacy or protections for the personal data in the country to which the data is transferred.

How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it and/or processed it for, including for the purposes of satisfying any legal, accounting, regulatory or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements, including requirements on clinicians who deliver Healios services.

A service user’s care record will be retained in accordance with the guidance on retention periods issued by the Information Governance Alliance, as amended from time to time as reflected in Healios’ Retention Policy which will be updated from time to time and which you can request from us by contacting us.

In some circumstances you can ask us to delete your data: see Request erasure below for further information.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

• Request access to your personal data.

• Request correction of your personal data.

• Request erasure of your personal data.

• Object to processing of your personal data.

• Request restriction of processing your personal data.

• Request transfer of your personal data.

• Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

Except as described below, you will not have to pay a fee to access your personal data (or to exercise any of the other rights).

As exceptions to the previous sentence, if your request is clearly unfounded, repetitive or excessive:

1. we may charge a reasonable fee; or

2. alternatively, we may refuse to comply with your request in those circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and verify your right to access the requested personal data (or to exercise any of your other rights). This is a security measure to reduce the risk of disclosure of personal data to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

LAWFUL BASIS

Legitimate Interest means the interest in conducting and managing our business or a third party’s interest. For example, a client’s interest in receiving our services. We make sure we consider and balance any potential impact on you (both positive and negative) and the data subject’s rights before we process personal data for Legitimate Interests. We will not rely on the “Legitimate Interests” ground for processing personal data where our, or the third party’s, interests are overridden by the impact on the data subject, but we may still process it if we have your consent or are otherwise required or permitted to by law. You can obtain further information about how we assess the relevant Legitimate Interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to (which, amongst other legal obligations, includes any regulatory obligation where there is a statutory basis underpinning the regulatory regime and which requires regulated controllers to comply).

THIRD PARTIES

External Third Parties

• Service providers acting as controllers, joint controllers or processors based in the UK, other European Economic Area (“EEA”) countries who provide IT (including, but not only, website) and system administration services and services in relation to emails, including the following:

  Amazon Web Services: host our servers

  Google: host our email system

  RingCentral: who provide our VoIP telephone service and record calls on our behalf

  Dropbox: host our file storage system

Those organisations publish their own privacy policies which are available on-line. The processing which they undertake on our behalf is subject to the requirements for compliance with the General Data Protection Regulation.

• The following, who may be based inside or outside the European Economic Area (“EEA”), acting as controllers, joint controllers or processors: clinicians contracted by Healios to deliver healthcare services to you, other professionals and service suppliers we use or who are involved in matters we are working on, banks and other financial or investment providers or advisers, and public authorities in the UK and elsewhere;

• HM Revenue & Customs, regulators and other authorities acting as controllers, joint controllers or processors, based inside or outside the European Economic Area (“EEA”) who require reporting of processing activities in certain circumstances or otherwise for the purposes of, or in connection with the healthcare services and other services we provide.

YOUR LEGAL RIGHTS

In certain circumstances you have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully. This is not an absolute right and is subject to specific limitations in the GDPR.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you, or your agent or someone else acting on your behalf, provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your data unlawfully or where we are required to erase your personal data to comply with law. Note, however, that the right to erasure is not an absolute right and that we will not always be required to comply with your request for erasure because of specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing:

The right to object to other uses of your personal data

You have a range of rights in respect of your personal data, as set out in detail in the section entitled "Your rights". This includes the right to object to us using your personal data in a particular way (such as sharing that data with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.

a. you have the right to object to processing of your personal data where we are relying on

• our Legitimate Interests (or those of a third party); or

• the ground that the processing is necessary for the performance of a task carried out in the public interest

and there is something about your particular situation which makes you want to object to processing on this ground because you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that there are compelling legitimate grounds to process your personal data which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

a. where you contest the accuracy of your personal data, such suspension to be for a period enabling us to verify the accuracy of the personal data;

b. where our processing of your personal data is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

c. where we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or

d. you have objected to processing pursuant to the right described in the paragraph (a) of the description of your right to “Object to Processing” described above, pending the verification whether there are compelling legitimate grounds to process your personal data which override your rights and freedoms.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to personal data which you provided to us and that is processed by automated means which you, or your agent or someone else acting on your behalf, initially provided consent for us to use or that we used to perform a contract with you.

Withdraw consent at any time where we are relying on consent as the lawful ground to process your personal data under the GDPR. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you.