We may 'process' your personal data for a number of different purposes. Each time we use your data we must have a legal basis to do so. The particular justification will depend on the purpose for which the data is processed and the nature of our relationship with you e.g whether you are receiving care as an NHS patient or under a contract which you have with us. When the data that we process is classed as “special category of personal data”, we must have a specific additional legal justification in order to use it as proposed.
In most instances, we will rely on the following legal justifications, or 'grounds':
- Taking steps at your request so that you can enter into a contract with us to receive healthcare services from us and the clinicians we engage to deliver our services.
- For the purposes of providing clients with healthcare, whether pursuant to a contract between the client and us, or under arrangements between us and the NHS in the performance of their public task. We will rely on this for activities such as supporting the delivery of your healthcare, supporting your Healios clinician or other healthcare professional in their professional obligations.
- We have, or a third party has, a legitimate Interest in processing the personal data and those interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Note that where the client is not the data subject we may rely on the client’s legitimate interest in receiving healthcare. For example, we may process some information about a client’s next of kin as the client has a legitimate interest in the next of kin being contactable and the processing will not adversely affect the next of kin.
- We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and monitoring outcomes.
- It is necessary to comply with a legal or regulatory obligation.
- We, or clinicians who have provided our services, need to use such personal data to establish, exercise or defend legal rights.
- You have provided your consent to our use of your personal data.
Generally we do not rely on consent as a legal basis for processing your personal data in connection with the healthcare services we provide to you or others. This does not affect the role which informed consent plays in the context of our client’s decisions about their care and treatment.
Note that we may process your personal data on more than one lawful ground depending on the specific purpose, or purposes, for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below.
Purpose 1: Where we are providing services to you under a contract with you, to set you up as a client on our IT systems
As is common with most business, we may have to carry out necessary checks in order for you to become a client. These include suitability checks for our services, which we cannot perform without using your personal data.
Legal ground:
- Taking the necessary steps so that you can enter into a contract with us for the delivery of healthcare.
Additional legal ground for special categories of personal data:
- The use is necessary for reasons of substantial public interest under UK law.
Purpose 2: To provide you with healthcare and related services
Legal grounds:
- Providing you with healthcare and related services whether on the basis of a contract with you.
- Providing you with healthcare and related services under arrangements with the NHS as part of its public task.
- Our client’s legitimate interests in obtaining our services.
Additional legal grounds for special categories of personal data:
- We need to use the data in order to provide healthcare services to you
- The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent
Purpose 3: For account settlement purposes
In respect of private clients, we will use your personal data in order to maintain account and billing information which is accurate and up-to-date.
Legal grounds:
- Providing you with healthcare and related services under arrangements with the NHS as part of its public task.
- Fulfilling our contract with you for the delivery of healthcare.
- Our having a legitimate interest in using your personal data.
Additional legal grounds for special categories of personal data:
- We need to use the data in order to provide healthcare services to you.
- The use is necessary in order for us to establish, exercise or defend our legal rights.
- We need to use the personal data for reasons of substantial public interest such as fraud prevention.
Purpose 4: For research purposes
We undertake our own research to develop our knowledge of the conditions which affect our services users in the hope of developing improved tools for assessment and care. We may undertake research with carefully selected third parties such as academic researchers. Any such research partnerships would be subject to information sharing agreements which respect the confidentiality of patient data and implement appropriate safeguards. External research partners would be required to demonstrate to Healios that they have complied with any applicable research ethics approval process prior to the sharing of any personal data.
Where research outcomes are shared publicly that will done in a manner which does not identify any current or former clients.
We will share your personal data only to the extent that it is necessary to do so in assisting research and as permitted by law. Some research projects and/or registries have received statutory approval such that consent may not be required in order to use your personal data. In those circumstances, your personal data will be shared on the basis that:
Legal grounds:
- We have a legitimate interest in conducting and contributing to medical research in the public interest subject to appropriate safeguards to protect your privacy.
Additional legal grounds for special categories of personal data:
- The processing is necessary in the public interest for statistical and scientific research purposes
In the event that consent is required then either the research organisations will obtain this from you themselves or we will take consent from you.
Purpose 5: Communicating with you and resolving any queries or complaints that you might have.
From time to time, patients may raise queries, or even complaints, with us. It is important that we resolve such matters fully and properly, and so we will need to use your personal data in order to do so.
Legal grounds:
- Fulfilling our contract with you for the delivery of healthcare.
- Fulfilling our obligations in delivering services to you under arrangements commissioned by the NHS.
- Our having a legitimate interest in addressing your queries or complaints for the purpose of maintaining the standard of service which we provide.
Additional legal grounds for special categories of personal data:
- The use is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional
- The use is necessary in order for us to establish, exercise or defend our legal rights
- The use is necessary for reasons of substantial public interest under UK law.
Purpose 6: Communicating with any other individual that our client asks us to update about their care and updating other healthcare professionals about our client’s care.
Other healthcare professionals or organisations involved in caring for you may need to know about the services which we provide to you, including assessments, diagnosis or treatment, in order for them to provide you with safe and effective care, and so we may need to share your personal information with them. Further details on the third parties who may need access to your data is set outlined in the Third Parties section below.
Legal grounds:
- Our providing you with healthcare and other related services either under a contract with you or in the performance of a task in the public interest under arrangements with the NHS or third parties.
- We, and the clinicians providing our services and your client’s have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in our client’s care have a full picture of their treatment.
Additional legal ground for special categories of personal data:
- We, and the clinicians providing our services, need to use the data in order to provide those healthcare services.
- The use is necessary for reasons of substantial public interest under UK law.
- The use is necessary in order for us to establish, exercise or defend our legal rights.
Purpose 7: Complying with our legal or regulatory obligations, and defending or exercising our legal rights
As a provider of healthcare, we and the clinicians delivering services on our behalf are subject to a wide range of legal and regulatory responsibilities which are not listed in full here. We make and retain detailed records of the assessments which we undertake and the care which we provide, including the information on which assessment and treatment decisions were based. We may be required by law or by regulators to provide personal data. In addition, the clinicians providing our services may have to exercise their judgment in determining whether the disclosure of confidential information should be made in accordance with their professional codes of conduct. From time to time, we or our clinicians may be the subject of legal actions, regulatory proceedings or complaints. In order to fully investigate and respond to those actions, it may be necessary to access your personal data (although only to the extent that it is necessary and relevant to the subject-matter). We may be required to disclose your personal data in response to a court order.
Legal grounds:
- The use is necessary in order for us to comply with our legal obligations
- The use is necessary for the Legitimate Interest of clinicians in responding to their regulator or in dealing with legal proceedings or otherwise complying with their professional obligations.
Additional legal ground for special categories of personal data:
- We need to use the data in order for others to provide informed healthcare services to you
- The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems
- The use is necessary for establishing, exercising or defending legal claims
- The use is necessary for reasons of substantial public interest under UK law
Purpose 8: Quality assurance, quality improvement, training and security including conducting peer reviews of consultations conducted by clinicians delivering Healios services
We may use your personal data, including information about your health, to identify where improvements can be made to the services which we provide and to support the professional development of the healthcare professionals we engage to deliver our services. We may also use your personal data in the context of developing, implementing and testing our IT security and in investigating any suspected security incidents.
Legal grounds:
- Our legitimate interest in maintaining and improving the quality of our services and the legitimate interest of the public in accessing high quality healthcare.
Additional legal ground for special categories of personal data:
- We need to use the data in order to manage the healthcare services we deliver, including carrying out surveys in order to identify and carry out any necessary improvements
Purpose 9: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice)
Legal grounds:
- Our legitimate interest in running our business
Additional legal ground for special categories of personal data:
- The use is necessary for establishing, exercising or defending legal claims.
Purpose 10: Provide information in relation to new services offered by Healios as an existing client or potential new client, or to invite clients to participate in service development activities
We may use your personal data to send marketing updates to you about new services, company news and announcements, or service development activities such as clinical studies.
Legal grounds:
- Our legitimate interest in running our business
Additional legal ground for special category of personal data:
- Processing is necessary for research in the public interest.
Change of purpose
Except as noted below, we will only use your personal data for the purposes for which we collected it, or have previously notified to you, except where further processing is compatible with those purposes. If you wish to get an explanation as to how the processing for the new purpose is compatible with the previous purpose(s), please contact us.
Except as noted below, if we propose to use your personal data for a purpose which is not compatible with those previously notified, we will notify you and we will explain the legal basis which allows us to do so.
Please note that, as exceptions to the two previous paragraphs, we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.