When we refer to ‘we’, ‘us’ and ‘our’, we mean Harley Street Hospital Limited operating in the UK. We are registered in England and Wales under company number 11345153 at 19 Harley Street, W1G 9QJ.
We are committed to ensuring that your privacy is protected. We will continue to comply with the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) unless and until the GDPR is no longer directly applicable in the UK, together with any national implementing laws, regulations and secondary legislation as amended or updated from time to time in the UK, and any successor legislation to the GDPR and the DPA (together “Data Protection Legislation”).
When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual. We may hold and use personal data about you as a customer, employee, a patient or in any other capacity.
Harley Street Hospital Ltd is the data controller for any personal data that we hold about you.
Data Protection Officer
The Data Protection Officer, Mr Mo Akmal, can be contacted by email at firstname.lastname@example.org if you have any questions.
This Notice describes what information we collect, how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number.
‘Special category / sensitive data’ includes information such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.
The personal/sensitive data we use may include:
– Your name, address and contact details, including email address and telephone numbers. If you provide these details, we may use them to contact you unless you ask us not to. This could include emails, text or voicemail messages;
– Date of birth, gender, occupation, your marital status, ethnic origin, religion, next of kin, and/or emergency contacts;
– Your national insurance number, nationality and entitlement to treatment in the UK;
– Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
– Your previous and current medical health history/documents
– Information about medical or health conditions of your family;
– Your bank account if you are a ‘self-pay’ patient or the financial information of the company or individual who is responsible for the payment of invoices/bills relating to your care (e.g. insurer, sponsor or Guarantor);
– We may take a swipe of your debit or credit card. We will let you know if we intend to take a payment from this card before we do so;
– If you are employed by Harley Street Hospital, we will also hold and process other information relating to your employment.
– If you are a Consultant/Doctor/Therapist or other healthcare provider who is not employed by the Harley Street Hospital, we will also hold and process other information relating to the services you carry out.
– This data may also include visual images and personal appearance, fingerprints and face recognition, e.g. where CCTV and biometric data are used as part of our building security measures.
Harley Street Hospital may collect this information in a variety of ways:
– Through Registration and Admission forms; obtained from your passport or other identity documents such as your driving licence; from pre-admission forms, online web forms completed by you; from correspondence with you; through the Admission and Registration process or through consultations, interviews or other assessments.
– From third parties, such as insurance providers, referral agencies and checks permitted by law.
– CCTV cameras
– Biometric data, with your consent, if you are a member of staff or a practitioner who is expected to work in Operating Theatres at the Harley Street Hospital
Providing your personal data
– We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide care and treatment to you and receive payment for these services.
Monitoring of communications
– Subject to applicable laws, we may monitor and record telephone calls, emails, text messages, social media messages and other communications in relation to our dealings with you. We will do this to ensure an appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications networks and systems, to check for unlawful content, obscene or profane content, for quality control and staff training, and when we need to see a record of what has been said. We may also monitor activities on our network and systems where necessary for these reasons and this is for our legitimate interests or other legal obligations.
Legal basis for processing your personal data:
– We will process your personal data under Article 6 (1) and Article 9 (2) (h) of the General Data Protection Regulation.
– Legal obligation: the processing is necessary for compliance with a legal obligation. Article 6 (1) (c)
– Vital interests: the processing is necessary to protect someone’s life. Article 6 (1) (d)
– Public interest: the processing is necessary to perform a task in the public interest. Article 6 (1) (e)
– Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party. Article 6 (1) (f)
When processing special category data for the purposes of:
– Vital interests of the Data Subject Article 9 (2) (c)
– Substantial public interest Article 9 (2) (g)
– Provision of health or social care Article 9 (2) (h)
– Public interest in the area of public health such as protecting against serious cross border threats to health Article 9 (2) (i)
– The Notice by Secretary of State under Reg 3(4) of Health Service Control of Patient Information Regulations issued 1st April 2020 allowing healthcare providers to share personal data and any other such notice that may be issued to support efforts against COVID-19.
We use your personal data to support the provision of your healthcare in the following ways:
– To support the provision of your healthcare;
– To decide how best to provide treatment to you;
– As necessary to support the healthcare contract with you and to allow us to receive full payment for those services;
– To take steps at your request during the course of your treatment;
– To keep your records up to date;
Sharing of your personal data:
Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations. Subject to applicable data protection laws we may share your personal data with:
– Consultants/Doctors and other healthcare professionals who provide treatment to you at the Harley Street Hospital;
– Other healthcare providers including your General Practitioner (GP) where we believe this will enhance the quality of your care. Let us know if you do not wish us to share information with your GP;
– Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
– Delivery services (for example if we were to arrange for delivery of any medicines/tests to you).
– Payment providers
– Our legal and other professional advisors, including auditors;
– Fraud prevention agencies, credit reference agencies, and debt collection agencies;
– Commissioner’s Office and Care Quality Commission (CQC);
– General Medical Council and other professional bodies;
– Courts, to comply with legal requirements, and for the administration of justice;
– In an emergency or to otherwise protect your vital interests;
– For good governance, accounting, and managing and auditing our clinical and business operations both internally and by third parties;
– To monitor emails, calls, other communications, and activities
– Anonymous, pseudonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.
– The CMA’s Order is issued under the Enterprise Act 2002 and specifies 11 performance measures for PHIN to publish, by procedure, at both hospital and consultant level. These performance measures are also listed on PHIN’s website at media.phin.org.uk/about/our-mandate/. Section 167(2) of the Enterprise Act provides that, “Any person to whom such an undertaking or order relates shall have a duty to comply with it”. This information will not be in a form where individuals can be identified.
– Anyone else where we have your consent or as required by law
You are free at any time to change your mind and withdraw your consent. We will advise you whether we can continue to provide full healthcare services to you. In some circumstances we may still be legally required to disclose your data.
Maintaining the confidentiality of records:
We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff has a legal obligation to keep information about you confidential.
We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.
How long do we keep your data?
– Information will be kept in accordance with the retention periods outlined in the Information Governance Alliance (IGA) Records Management Code of Practice for Health and Social Care (2016). Information may be held for longer periods where the following apply:
– Retention in case of queries/ claims.
– Retention in accordance with legal and regulatory requirements.
Your rights under applicable data protection law
Your rights are as follows (please note that these rights do not apply in all circumstances):
– Right of access: the right to make a written request for details of your personal information and a copy of that personal information
– Right to rectification: the right to have inaccurate information about you corrected or removed
– Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased
– Right to restriction of processing: the right to have your personal information used only for restricted purposes
– Right to object: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interests.
– Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats
– Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of Alliance’s use of your personal information prior to the withdrawal of your consent, and we will let you know if we will no longer be able to provide you with your chosen product or service
– Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have.
The Data Protection Act 1998 and the General Data Protection Regulation allow you to find out what information is held about you, including information held within your medical records, in either electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. You should be aware, however, that some details within your health records may be exempt from disclosure; this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your record, please submit your request in writing to the Data Controller: email@example.com
Transfers of Personal Data outside the European Economic Area (“EEA”)
The transmission of information via the internet cannot be guaranteed as completely secure. However, we ensure that any information transferred to our websites is via a Cloudflare certified SSL secure connection. Once we have received your information, we will use strict procedures and security features for prevention of unauthorised access.
We transfer personal information to you via Microsoft Outlook 365 Exchange email. Email is not a completely secure method of information transmission; please let us know if you would like to opt out so that we can find alternative ways of communication.
Website Privacy Notice
What information does Harley Street Hospital Limited hold?
Harley Street Hospital Limited may collect the following information from you when you visit the website:
Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from the website (including date and time), products you viewed or searched for, page response times, website errors, length of visits to certain pages, page interaction information, methods used to browse away from the page and any phone number used to call our helpline.
Use Made of the Information
Harley Street Hospital Limited may use the information we receive and/or collect about you to:
− Fulfil our obligations under any contract we have entered into with you or with a Patient you represent, and to provide you or the relevant Patient with information or services you or the Patient has requested
− Send you newsletters and marketing information if you have consented to us doing so
− Notify you of products and services we feel may interest you, or permit third parties to do so if you have provided the appropriate consent
− Monitor website usage and provide statistics to third parties for the purposes of improving and developing the website and the services we provide via the website
− Harley Street Hospital Limited processes personal information for certain legitimate business purposes, which include some or all of the following:
− Where the processing enables Harley Street Hospital Limited to enhance, modify, personalise or otherwise improve the website, its services or communications
− To identify and prevent fraud
− To enhance the security of Harley Street Hospital Limited’s network and information systems
− To better understand how people interact with Harley Street Hospital Limited’s websites
− To administer the website and carry out data analysis, troubleshooting and testing; and
− To determine the effectiveness of promotional campaigns and advertising
− If we obtain consent from you to do so, we may provide your personal details to third parties so that they can contact you directly in respect of services in which you may be interested.
− Where we are processing personal data we have obtained via the website on the basis of having obtained consent from you, you have the right to withdraw your consent to the processing of your personal data
− If you wish to have your information removed from our database or if you do not want us to contact you for marketing purposes, please let us know by emailing the Data Controlling Officer and we will take steps to ensure that this information is deleted as soon as reasonably practicable.
− We will not share, sell or distribute any of the information you provide to us (other than as set out in this policy) without your prior consent, unless required to do so by law.
− We may carry out automated decision-making using the personal data you provide to us.
Third Party Sites
How Safe is your Information?
Where we have given you (or where you have chosen) a password which enables you to access certain parts of the website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Protecting your security and privacy is important to us and we make every effort to secure your information and maintain your confidentiality in accordance with the terms of the Data Protection Legislation. The website is protected by various levels of security technology, which are designed to protect your information from any unauthorised or unlawful access, processing, accidental loss, destruction and damage.
We will do our best to protect your personal data but the transmission of information via the Internet is not completely secure. Any such transmission is therefore at your own risk.
Disclosure of your Information
− We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006. We may share your information with selected third parties including:
− Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them/you
− Third parties who may wish to contact you in respect of services or products they offer or sell which may be of interest to you, provided we receive your consent to such disclosure; and/or advertisers and advertising networks that require the data to select and serve relevant adverts to you and analytics and search engine providers that assist us in the improvement and optimisation of the website
− Please note we may need to disclose your personal information where we:
− Sell any or all our business or assets or we buy another business or assets in which case we may disclose your personal data to the prospective buyer or seller
− Are under a legal duty to comply with any legal obligation or to enforce or apply our terms and conditions; or
− Need to disclose it to protect our rights, property or the safety of our customers or others, including the exchange of information with other companies, organisations and/or governmental bodies for the purposes of fraud protection and credit risk reduction
Where we Store your Personal Data
A cookie is a small file, typically of letters and numbers, downloaded on your computer or smartphone when you access certain websites. Cookies allow a website to recognise a user’s device.
The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies are to help us measure the number of visitors to a website. The two types we use are ‘Session’ and ‘Persistent’ cookies. Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time.
What can I do to manage cookies on my devices?
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
Website, Content management and responsibility
The Harley Street Hospital website https://theharleystreethospital.co.uk uses Cloudflare SSL security. Harley Street Hospital and the hosts of this website accept no responsibility for, and exclude all liability in connection with, browsing this website, use of information on this website and downloading any material from it, including, but not limited to, any liability for errors, inaccuracies, omissions or misleading or defamatory statements.
The use of and access to pages of the Harley Street Hospital website is subject to the foregoing disclaimer, and the terms and conditions set out. By using or accessing this website, you agree to be bound by these terms and conditions.
Although every reasonable effort is made to ensure that files are free of defects and viruses, there are no guarantees that they are free from defects or computer viruses. Harley Street Hospital shall not be liable for any loss or damage howsoever arising in connection with the content of the website. Harley Street Hospital does not guarantee that the website will be error-free, omission-free, uninterrupted or without delay.
Whilst Harley Street Hospital makes all reasonable attempts to exclude viruses from the website, we cannot guarantee that the website will be virus free and accept no liability in the unlikely event that the website is not virus free.
Users are recommended to take appropriate safeguards before downloading information from this website.
Your Rights in Respect of your Data
If any of the information you provide to us via the website changes, please let us know as soon as possible so that we can make the necessary changes to the information we hold for you on our database. If you wish to make any changes to your information, please contact us via the following webpage [insert webpage link].
If you wish to access or rectify the information we hold about you, or request that such information be transmitted directly to another data controller, please contact us via the following webpage https://theharleystreethospital.co.uk/about/contact/. We shall process your request to access your information within one month of receipt, or we’ll let you know within that timeframe if we need more information from you. We will process your request free of charge.
To request that your information is deleted or if you wish to restrict or object to the processing of your information, please contact us via the following webpage firstname.lastname@example.org
If you have any complaints about our use of your personal data, please contact our Data Controlling Officer. If you are not satisfied with the response, you also have the right to complain to the relevant supervisory authority which is the Information Commissioner’s Office. Contact details for the ICO can be found at https://ico.org.uk